
Man-in-the-browser Attack: A Case Study on Malicious Browser Extensions

  • Conference paper
  • Security in Computing and Communications (SSCC 2019)
  • Part of the book series: Communications in Computer and Information Science (CCIS, volume 1208)

Abstract

Man-in-the-browser (MitB) attacks, often implemented as malicious browser extensions, can alter the structure and contents of web pages and stealthily change the data entered by the user before it is sent to the server. This happens without the user or the online service (the server) noticing anything suspicious. We present a case study on the man-in-the-browser attack. Our proof-of-concept implementation demonstrates how easily this attack can be implemented as a malicious browser extension: it operates at the UI level, is cross-browser, and is written in JavaScript. We also successfully test the extension in a real online bank. By demonstrating a practical man-in-the-browser attack, our research highlights the need to better monitor and control malicious browser extensions.



Author information

Corresponding author: Sampsa Rauti.

Copyright information

© 2020 Springer Nature Singapore Pte Ltd.

Cite this paper

Rauti, S. (2020). Man-in-the-browser Attack: A Case Study on Malicious Browser Extensions. In: Thampi, S., Martinez Perez, G., Ko, R., Rawat, D. (eds) Security in Computing and Communications. SSCC 2019. Communications in Computer and Information Science, vol 1208. Springer, Singapore. https://doi.org/10.1007/978-981-15-4825-3_5

  • DOI: https://doi.org/10.1007/978-981-15-4825-3_5
  • Publisher Name: Springer, Singapore
  • Print ISBN: 978-981-15-4824-6
  • Online ISBN: 978-981-15-4825-3