On Amazon.com, Bob discovers a shirt he wants for $20. He hits the Continue to check out tab, checks the description of the order, picks delivery for two days, and makes the payment. The confirmation receipt showing the shirt details, weight, shipping address, and planned delivery date is received. But Bob signs in to his Amazon account to see the delivery status when he doesn’t get the shirt within a couple of days. To his great surprise, there was no documentation of the exchange!

He quickly reviews his bank accounts and notices a fee of $2,000 instead of $20 for the purchase made on the same day and from the same e-commerce platform (Amazon) to know that something fishy is going on! Bob understands that a well-known e-commerce website like Amazon is unlikely to commit fraud. What really happened, then? It’s then that Bob discovers that a man-in-the-browser attack has made him the target!

What is a Man in the Browser Attack?

A man-in-the-browser (MitB) attack takes place when an attacker introduces a specific form of trojan horse by an attacker into the web browser of the users.

  • Browser Extension,
  • User script, or
  • Browser Helper Object (BHO).

This encourages an assailant to exploit the authentication flaw of the browser. It helps hackers to read the activities performed on the browser, capture, steal, and change them.

In one or more of the following ways, this MitB Trojan will control the browser:

  • Adding new website columns/fields or changing existing fields.
  • Modification of the transaction information that users enter. This details could be the sum of the transaction, bank account number, physical address, etc.
  • Hijacking the whole real-time transaction.
  • Changing the website’s look.
  • Changing the replies of the servers, such as acknowledgement messages and receipts.
  • Intercepting the data entered on the website by the customer.
  • Removing the specifics of the purchase as the customer revisits the page.

When it’s too late, the customer and the website’s server have no idea of those changes. Also the most cautious users may be defrauded by man-in-the-browser attacks and are resistant to certain well-known security protocols, such as stable SSL/TLS certificates and two-factor authentication.

In comparison to the phishing attacks in which users are fooled into entering their passwords on a bogus site, users execute all the actions on the real site in the MitB attacks. No authentication stage has been bypassed, thus. Until it becomes encrypted, MitB trojan modifies the info.

How Man-in-the-Browser Attacks Are Executed

Although man-in-the-browser attacks are performed in different ways, the most common of all is the following hacking method. In 10 stages, let’s understand the whole man-in-the-browser process.

Phase 1: Malware Insertion

  • In the operating system of the computer, the trojan horse is introduced when the user:
    Corrupt app downloads,
  • Every malicious site is accessed,
  • Open or download malicious or malicious email attachments
  • Plugs on their computers/tablets/mobile phones corrupt foreign devices such as USB drives/CDs.
  • In the web browser, the Trojan immediately downloads a malicious extension without the user’s knowledge.
  • The extension gets enabled once the user restarts the browser.
  • The malicious extension has a list of websites it can exploit that are targeted. Whenever a website from the list is accessed by the customer, the Trojan does some tricks to change the intended web pages. Changing form fields or adding JavaScript on buttons such as Submit, Completed, Mail, Move, Total, etc., for example.

Phase 2: Transaction Interruption

  • With their keys, the unsuspecting user logs in (their user ID, email address, password, one-time password [OTP], secret pins, etc). Then the daily transaction is finished, such as exchanging money, making transfers, ordering, or filling out confidential information such as SSN, health information, etc.
  • The malicious script modifies the transaction information when the user presses Send or some other authorization button. Adjust the transaction date, bank numbers, physical address, commodity, etc., for instance, and send the updated details to the server of the website. (Note: Before accessing the encrypted channel facilitated by SSL/TLS certificates, the information is modified.)
  • The receiver website does not presume anything about the changed transaction because, without bypassing any authentication stage, it comes directly from the customer. The website, thus, completes the transaction demanded.

Phase 3: Response Modification

  • The website gives the customer the receipt. The receipt includes the specifics of the purchase.
  • The corrupt browser modifies the receipts to fit the original account data of the users.
  • At this point, the user does not have anything to suspect in the validation receipt even if the two-factor authentication (2FA) is enabled. They then have the special secret code or OTP that they normally obtain to complete the transaction via mobile or email.

Both the customer and the website are behaving in good faith, as you can see. Only the directions he got from the customer were implemented by the website. The customer receives a smooth transaction where the receipt of confirmation represents the same specifics of the transaction as they would predict, so they are not likely to believe anything is wrong.

Where MitB Attacks Are Most Commonly Used

In general, man-in-the-browser attacks threaten websites where some kind of transaction is carried out by users. For instance,

  • Websites owned by the banking sector: insurers, insurance firms, credit cards, mortgage companies, etc.
  • Websites for Ecommerce
  • Web pages for utility providers that allow consumers to pay bills on their websites. Electricity, electricity, the telephone, television, for example, etc.
  • Websites which offer paid membership/subscriptions
  • Websites with fundraising services, grants or foundations
  • Wallets online
  • Websites for social media
  • Websites that enable tax and filing estimates

The spectrum, however, is not limited exclusively to purchases. In order to intercept info, man-in-the-browser attacks are also used. Here, the attacker robs data from the form or registration pages of the legit website. The forms can be forms of investigation or communication forms. They can also incorporate additional fields in the present forms, such as social security numbers, phone numbers, bank account numbers, etc. Needless to mention, all the information filled in by the user in such forms is collected immediately by the hackers.

Hackers often carry out man-in-the-browser attacks that staff use to store and exchange sensitive information against the company’s corporate website or project management websites.

Popular Trojans Used for Man-in-the-Browser Attacks

There are some well-known generic trojans used for MitB attacks:


Zeus is a widespread trojan used by man-in-the-browsers for keystroke logging and type grabbing (recording the keyboard operation of the user to track actions) (stealing login credentials from online forms). It gets installed through phishing emails or malicious software installs on the user’s computer.

Zeus is considered the most dangerous trojan, since well-known websites such as play.com, Amazon.com, Bank of America, the United States Department of Transportation (US DOT), Cisco, NASA, BusinessWeek, ABC and Monster.com have effectively compromised FTP accounts.

The Zeus trojan is used to snatch banking credentials and make illegal money transfers by scam artists. By installing a bogus pop-up page on the website the user is using, it even conducts technical support scams. The pop-up alerts a customer of the virus that their device is compromised and defrauds them by charging for removal of the virus.


In the following places, this Trojan is installed:

  • /ProgramFiles\NVIDIA Corporation\Updates
  • /ProgramFiles\NVIDIA Corporation\Update Center

It will connect to any remote locations, verify the connection to the internet, copy some internet malware and run files.

One of the most notable targets of the Carberp Trojan is Facebook. This has corrupted the Firefox and Internet Explorer browsers of several people. It replaced the sites that users viewed with bogus ones when users used one of these corrupt browsers to open Facebook. To defraud them, it asked for the cash equivalent e-cash voucher amount of the customers.


The aim of this trojan is to perform man-in-the-browser attacks on a banking website. It gets installed in Firefox or Internet Explorer and unlocks when a banking site is accessed by the customer. And after the user has signed out of their account, it leaves the banking session active. This enables an attacker to snatch the real-time session ID tokens of the rightful user to do banking transactions on their behalf.

The most risky thing about this trojan is that it is not stored on the disk of the computer. The anti-malware program, then, can’t spot it. It functions directly from the server of command-and-control. A new trojan gets installed every time the user opens the banking site and deletes itself after the transaction is complete.


Tatanga is a banking trojan that is so effective that the SMS authentication of the mobile is bypassed to complete the fraudulent financial transaction. Tatanga affects all of the main browsers, including IE, Firefox, Chrome, Opera, Safari, Maxthon, Netscape, and Konqueror, unlike the aforementioned Trojans that concern either Internet Explorer or Firefox.

Tips to Prevent Man-in-the-Browser Attacks

Although the Trojans used for man-in-the-browser attacks are evolving every day, by being vigilant and using some technological tools, you can prevent them. In order to deter MitB attacks, there are five technologies or processes that you can implement:

Out-of-Band Authentication

The browser is not used for two-factor or sometimes multi-factor authorization in this process (MFA). Instead, to deliver the one-time password (OTP) or the hidden pin, a cell phone’s SMS facility or an automatic phone call is used.

All the information about the transaction along with the OPT is contained in the SMS or phone call. But before sending the OTP to the browser, the user needs to be careful and review all the details received on the SMS/phone call. You can’t rely 100% on this process, however, because trojans such as Tatanga, Zeus and SpyEye can corrupt the cell phones and intercept all incoming SMS messages as well.

Manual Checking of Your Program Files

Some of the popular man trojans in the browser have a similar pattern of storage. Be sure to check the following folders regularly:


  • C:/Program File
  • C:/Program Files (x86)
  • C:/Windows/Temp

If you find any unwanted new applications, check it for more details with anti-malware software and do an internet search. Delete those mysterious apps if you find something unusual.

Use Security Software

Any man-in-the-browser Trojans can be found and deleted by antivirus apps. Scan your computers periodically with antivirus apps. Some of the antiviruses also show you the dialog box for security if anything suspicious is found to be downloaded from the internet. Antivirus apps does not block all the new Trojans, however. Some program for browser protection is available, too.

These five strategies say to stop attacks by MitB:

  • Mimecast: Detects and blocks email-distributed MitB trojans.
  • BullGuard: Without the user’s warning, no mod, extension, or BHO can be enabled, as BullGuard warns the user any time something new is added to the browser.
  • IBM Trusteer Rapport: Ransomware and phishing attacks are avoided by this endpoint security approach.
  • Entrust: It has two solutions that support multi-factor authentication like OOB to avoid man-in-the-browser attacks, Entrust TransactionGuard and Entrust IdentityGuard.
  • CodeSealers: It is a security app for the user interface (UI) that offers protection from man-in-the-browser and MitM attacks.

Be Vigilant While Surfing on an Unknown Website

Be vigilant when uploading any apps or media files from unknown places, such as music, images, and videos. Often search for a comprehensive antivirus application for the downloaded files.

If you suspect ties or buttons of some kind, right-click and press the Inspect button. You can see a window with a lot of codes in which you will see precisely where you are being routed to by the link/button.

Never click on links that look too good to be true or advertisements. Ads like winning the big lottery, casino prices, making thousands of dollars while working from home, etc., for instance.

If you are visiting an unfamiliar website that asks you to upgrade your browser, apps, or media player, never download from the website link given. If you’re using an old version, go to the official site of that browser/software and immediately download the latest version from there.

Beware Phishing Emails

Phishing emails are one of the most popular ways of distributing the man-in-the-browser Trojan. That is why the email headers and the email address of the sender are always checked to ensure that emails are sent from the domain name of the official company. For eg, if you get an email pretending to be from Amazon, instead of Gmail, Yahoo, or some other default email address, it must be from an email address that ends with ‘@amazon.com.’

Until getting them scanned by reputable antivirus apps, do not download any attachments from emails. Hover over the link cursor to check where it really leads to before clicking on a link from an email.

Detection Challenges Relating to Man in the Browser Attacks

One of the most difficult cyber threats to detect and avoid is thought to be a man in a browser attack. So, let’s explain why, precisely, such a poor name has been received.

Detection Challenges for Users

The attackers redirect users to a website that looks close to the original site during routine phishing attacks and trick users to upload their details. Here, since the domain name is going to be new, the users also have a chance to recognise the scam. In the man-in-the-browser attacks, though, users still visit the original website. There is no cause for them to be wary and to detect the threat.

Detection Challenges for Website Servers

Strong technology is used by all good websites, such as allowing two-factor authentication, requiring users to set strong passwords, restricting login attempts, allowing re-captcha, etc. If a suspected login attempt from a new computer or geographical location occurs, they also send mobile/email notifications to the customer. These measures allow the servers to recognise and avoid attacks by brute force and unauthorized access to the user account.

In the man in the browser attacks, though, users themselves log in with their original passwords and complete the authentication process. The server, then, has little to be suspicious about, and the intrusion cannot be identified.

Detection Challenges for SSL/TLS Certificate

In Layman’s words, the task of an SSL/TLS certificate is to safely exchange information between the browser and the server of the website. It uses public key infrastructure (PKI) technologies to encrypt the session key, up to 256-bit AES, RSA or ECC algorithm and up to 2048 bit powerful public and private key to safeguard data in transit. But the security of the SSL certificate is provided on the network side, while on the device side, man-in-the-browser attacks are performed. And before the data is transmitted through the encrypted SSL/TLS contact tube, the Trojan modifies the data at the window level.

Consider this scenario: The role of a food delivery person is to take food from the restaurant and bring it safely to the stated address. But what if a wrong food parcel or a wrong delivery address is handed over to him by the restaurant manager? Similarly, since the data is already updated until it is handed over to the encrypted tunnel of the SSL/TLS technology, the SSL/TLS can not stop man-in-the-browser assaults.

Final Words on MitB Attacks

Men are committed against individuals and organisations in browser attacks. Although medium to large corporations can afford to procure pricey security technologies, many small enterprises do not have substantial budgets for IT and security. In order to help them detect phishing scams, small corporations must provide their workers with cybersecurity instruction. For this reason, there are several free or cheap training guides, such as the DoD cyber security challenge, online.

The most troublesome part of the guy in the browser attacks is the time difference. Once the scam has taken place, most people don’t initially find anything unusual. When users review their bank accounts or contact the customer service of the website for non-receipt of the ordered goods, it normally takes a long time. This gives cybercriminals ample time to delete the signs of their MiB attacks to pass the funds to or cash the money into the international bank account and lock the bank account. Therefore, in order to detect such threats in their early phases, you must routinely review your bank balances or e-commerce accounts.


Tagged in: