Man-in-the-browser attacks target the enterprise

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Cybercriminals are increasingly targeting the information assets of some of the world’s most well-known organizations, according to the findings of a recent global study by McAfee and Science Applications International Corp. (SAIC) entitled “Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency.”

With firewalls, antivirus and other security mechanisms protecting corporate networks, how do attackers manage to penetrate enterprise computer systems? Simply by exploiting the weakest link in the security chain. One of the newest methods is tunnelling in via employees’ browsers using an attack known as “Man-in-the-Browser” (MitB).

REPORT: Hackers are defeating tough authentication, Gartner warns

An MitB attack starts with malicious software (usually a Trojan like Zeus or SpyEye) lurking on a seemingly innocuous website. When visitors arrive the malware takes control of their Web browser and modifies pages, content or transaction data presented to the user.

All of this is done without the user’s knowledge in a completely covert fashion. Depending on what the browser is being used for, MitB enables attackers to silently steal anything from login credentials to account numbers or financial information. With browser sessions often containing the logon details for email systems, VPNs and cloud services — such as cloud CRM — it’s critical to lock down these sessions without impacting performance. Making the situation worse is the explosion of mobile devices and the multitude of people who can access enterprise resources remotely.

It’s not difficult for employees to stumble upon infected sites and fall victim to drive-by infections, because fraudulent spoof sites are being created every day. Criminals even use search engine optimization techniques to raise these sites to the top of search engine listings. But many legitimate websites are also being infected. Engineered attacks, like the recent LinkedIn email phishing campaign, are increasingly being used to ambush individuals and install sophisticated malware such as Bugat and Clampi.

This modern malware is designed to slip under the radar of traditional antivirus solutions and bypass strong authentication technologies like tokens or network access control (NAC) systems. It then captures all data processed by that browser and transmits it back to the criminals. All this can be achieved without setting off alarms.

We recently decrypted an attack on the popular Citrix Access Gateway by the Zeus Trojan that illustrates how criminals are trying to stay one step ahead of security controls.

In an attempt to protect its SSL VPN product against key logging malware, Citrix allows companies to customize the logon page to include a virtual on-screen keyboard which replaces the physical keyboard. So instead of typing a password on the physical keyboard, mouse clicks are used to press the keys drawn on screen, theoretically bypassing keyloggers.

But one Zeus 2.0 configuration we recently decrypted includes the following code:

In English, the “@” means “capture a screenshot of the text within the mouse’s vicinity when the left button is clicked.” And the */citrix/* specifies that this screenshot should be captured when the text “/citrix/” appears in the browser address bar.

This Zeus snippet is specifically designed to defeat the virtual keyboard. By capturing screenshots within the vicinity of the pointer during mouse clicks, Zeus is able to read the user’s password which will show up as the sequence of keys the mouse was pointing at when the mouse was clicked.

If the industry is to make any headway in stemming the tide of cyberattacks, we need to tackle this threat head on — at the point of entry. The new point of attack has become the browser.

Current solutions do not address this threat effectively. NAC relies on antivirus tools which have been proven ineffective at detecting advanced Trojans like Zeus in up 77% of cases. And tokens and other authentication devices used by SSL VPN systems are easily bypassed since this malware operates in real time and springs into action after a connection has been authenticated.

One way to secure browser sessions is to create a “virtual firewall” inside a user’s device. This firewall, comprised of lightweight security software, would activate whenever the enterprise network or an enterprise application is accessed using a Web browser, and would otherwise be transparent. By isolating browser sessions from other activities on the computer, it could prevent malware from hijacking protected Web sessions within the enterprise.

The virtual firewall could also detect the presence of malware based on its behaviour relative to the browser. When a malware-infected machine tries to communicate with the enterprise, it would be identified as such by the virtual firewall, which would attempt to disinfect it. If unsuccessful, access to all enterprise systems would be denied until it is malware free.

In addition, this virtual firewall technology would provide strong keystroke encryption to prevent keyloggers from intercepting confidential data such as login credentials, account numbers and more. It would secure communication between the browser and the network or application to prevent unauthorized modifications and provide API blockage to prevent unauthorized access.

As great coaches say, the best defense is a good offense. To defeat MitB attacks, enterprises need to fight criminals at their new point of entry — the browser. This requires a layered approach to security that starts with keeping systems patched and up to date, reinforcing the need for safe online practices among end users through education, implementing strong authentication standards, and deploying new browser protection mechanisms like virtual firewalls.

Trusteer is a provider of secure Web access services.

Read more about wide area network in Network World’s Wide Area Network section.