Malicious MitB Email Attacks

Cybercriminals commonly use malicious emails to deliver malware, including code that performs Man-in-the-Browser (MitB) attacks.

MitB Email Attacks

Although MitB threats are not new, cybercriminals are constantly developing new versions designed to defeat secure email gateways, the latest and most secure browsers, and other security controls. To effectively guard against MitB attacks delivered by malicious email, organizations need to understand how they work and what it takes to defeat them.

What is a MitB Attack?

A Man-in-the-Browser attack infects the victim’s web browser with malware that can read, capture and modify data as it passes between the user and the web application. The malware typically runs inside the browser process itself, as a malicious extension or helper object, or as code that hooks the browser’s networking and page-rendering functions, so it sees everything the user enters or is shown in plaintext: before encryption on the way out and after decryption on the way in.

Login credentials and other sensitive data are captured directly from the browser’s memory as the user types them. Worse, MitB malware can do anything the user can do: it can alter the data actually sent to the website while continuing to show the user what they expect to see. Because the malware sits inside the browser, after SSL/TLS has been decrypted, the address bar still shows the genuine URL and the padlock, and the site’s certificate is its real one, so there is no visual cue that anything is wrong.

Difference between MitB Email Attacks and Traditional Phishing Attacks

Traditional phishing attacks use links or email attachments to lure users to a fake website where they enter their credentials. A MitB attack instead captures the data as the user enters it on the genuine site, so the user has no reason to suspect that anything has been stolen. In a MitB attack the victim is connected to the legitimate site; the problem is that malware has infected their computer or device.

See For Cybercriminals, A Bad Day of Phishing is Still a Good Day to learn more about phishing attacks.

MitB is Frequently Delivered or Initiated via Email

Cybercriminals use a multitude of methods to deliver MitB malware, but the most common approach is malicious email. Although an attack may begin with reconnaissance or social engineering on social networks, in most cases it is email that delivers the payload. Malware authors lure and deceive the recipient into opening an infected attachment or clicking a link to a malicious web page that installs the malware. The specific methods used in these attacks are constantly evolving and becoming more sophisticated. Without the right tools, even experienced security experts have difficulty detecting the breach.

How MitB Email Attacks Work

Once infected with MitB malware, the user’s browser (or a related component such as an extension) becomes a liability. The malware can capture the user’s logon credentials and transmit them to the attacker. Alternatively, it may wait until the user has completed authentication to their bank or other account, including any one-time password, and then insert itself into the session: it modifies the destination account number or the transaction amount in the request while displaying to the victim the values they originally entered. The bank receives a well-formed request over a legitimately authenticated session, so the transfer benefits the attacker without the victim’s knowledge.

MitB malware can also inject additional, authentic-looking fields into login and transaction forms (the injections are driven by configuration that targets specific sites and URLs), asking the victim for further sensitive information such as answers to their secret questions or their social security number. Because the malware alters the page after the browser has decrypted it, the “https://” address, the padlock and the site’s valid certificate are all genuine, so nothing in the browser’s own security indicators reveals that the page or the submitted data has been tampered with.

MitB email attacks are often used to target banking transactions. With the growth of online shopping, attacks against e-tailers such as Amazon, eBay and Walmart are also increasing. Since the fraudulent request arrives with valid credentials over a legitimately authenticated session, the institution cannot distinguish it from a genuine purchase, payment or money transfer unless it has implemented transaction-level safeguards, such as behaviour analysis of the transaction itself or confirmation of the amount and destination over a channel the browser does not control. Some MitB malware goes further: when the user later returns to view their account, it rewrites the statement so that the fraudulent transaction is not displayed and the balance appears unchanged.

MitB malware is also used to penetrate organizations and steal sensitive records and intellectual property. Employees are targeted and the malware infects their browsers; when they log into sensitive internal systems, the malware captures their credentials, and the attackers use those credentials to exfiltrate data, install ransomware or carry out other criminal acts.

Defeating MitB Attacks

Modern MitB malware is sophisticated, and organizations must implement layered security measures to defeat it. Secure email gateways should be augmented with breach prevention technology designed to detect even the most evasive forms of MitB malware in attachments and linked pages.

Organizations should also augment their web application security systems with solutions that are capable of rooting out and halting MitB attacks in real-time.

Advanced technologies such as behavior analysis, artificial intelligence (AI) and machine learning are effective tools for combating MitB email attacks and complement secure email gateways and web security systems. For example, a financial institution can use machine learning and behavior analysis to determine whether a proposed transaction fits the user’s history and profile, and then approve, challenge or block it accordingly. For more information about the importance of machine learning, see How Machine Learning is Transforming Malware Detection.
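As an added example of the behavior analysis described above (not code from the original article or from any institution), the following Node.js code builds a per-user profile from past transfers and scores a new transaction against it: a destination the user has never paid, an amount far outside their usual range, and a burst of transfers within an hour each add to a score that maps to allow, step-up or block. The history, the weights and the thresholds are constructed for the example; a real system would fit them to data and add many more signals.

```javascript
'use strict';

// Constructed history: a monthly utility payment plus a couple of small
// transfers to a second known account, roughly what a user profile would hold.
const HISTORY = [
  { ts: '2023-03-05T09:12:00Z', account: 'GB29NWBK60161331926819', amount: 120.0 },
  { ts: '2023-04-05T09:03:00Z', account: 'GB29NWBK60161331926819', amount: 120.0 },
  { ts: '2023-05-05T08:58:00Z', account: 'GB29NWBK60161331926819', amount: 118.5 },
  { ts: '2023-05-20T17:40:00Z', account: 'GB33BUKB20201555555555', amount: 35.0 },
  { ts: '2023-06-05T09:10:00Z', account: 'GB29NWBK60161331926819', amount: 120.0 },
  { ts: '2023-07-05T09:07:00Z', account: 'GB29NWBK60161331926819', amount: 121.0 },
  { ts: '2023-08-05T09:15:00Z', account: 'GB29NWBK60161331926819', amount: 120.0 },
  { ts: '2023-08-14T12:30:00Z', account: 'GB33BUKB20201555555555', amount: 60.0 },
  { ts: '2023-09-05T09:01:00Z', account: 'GB29NWBK60161331926819', amount: 120.0 },
  { ts: '2023-10-05T09:09:00Z', account: 'GB29NWBK60161331926819', amount: 120.0 },
];

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Summarise what is "normal" for this user. Median and MAD rather than mean and
// standard deviation, so one odd past payment does not widen the envelope.
function buildProfile(history) {
  const amounts = history.map((t) => t.amount);
  const med = median(amounts);
  const mad = median(amounts.map((a) => Math.abs(a - med)));
  return {
    payees: new Set(history.map((t) => t.account)),
    median: med,
    // A very regular history has MAD 0; keep a floor so the score stays finite.
    scale: Math.max(1.4826 * mad, 0.1 * med, 1),
    maxAmount: Math.max(...amounts),
    timestamps: history.map((t) => Date.parse(t.ts)),
  };
}

// Weights and thresholds are illustrative, not fitted to any real data.
const WEIGHTS = { newPayee: 40, outlierAmount: 30, aboveMax: 15, burst: 25 };
const THRESHOLDS = { block: 60, stepUp: 25 };

function scoreTransaction(tx, profile) {
  const reasons = [];
  let score = 0;
  const flag = (key, why) => { score += WEIGHTS[key]; reasons.push(why); };

  if (!profile.payees.has(tx.account)) flag('newPayee', 'destination account never used before');
  // One-sided: only unusually large amounts are a fraud signal.
  const z = (tx.amount - profile.median) / profile.scale;
  if (z > 3.5) flag('outlierAmount', `amount is ${z.toFixed(1)} robust deviations above the usual payment`);
  if (tx.amount > 1.5 * profile.maxAmount) flag('aboveMax', 'amount exceeds anything previously sent');
  const t = Date.parse(tx.ts);
  const recent = profile.timestamps.filter((s) => s < t && t - s <= 3600 * 1000).length;
  if (recent >= 2) flag('burst', `${recent} transfers already in the previous hour`);

  const decision = score >= THRESHOLDS.block ? 'block' : score >= THRESHOLDS.stepUp ? 'step-up' : 'allow';
  return { score, decision, reasons };
}

// Constructed candidates. The MitB case is the user's usual bill after the malware
// rewrote its destination and amount on the wire.
const profile = buildProfile(HISTORY);
const usualBill = { ts: '2023-11-05T09:05:00Z', account: 'GB29NWBK60161331926819', amount: 120 };
const muleTransfer = { ts: '2023-11-05T09:06:00Z', account: 'GB94BARC10201530093459', amount: 4900 };
const newSmallPayee = { ts: '2023-11-05T09:06:00Z', account: 'GB15MIDL40051512345678', amount: 80 };

for (const tx of [usualBill, muleTransfer, newSmallPayee]) {
  const r = scoreTransaction(tx, profile);
  console.log(`${tx.amount} -> ${tx.account}: ${r.decision} (${r.score}) ${r.reasons.join('; ')}`);
}

// A burst of transfers in one session earns a step-up even to a known payee.
const burst = HISTORY.concat([
  { ts: '2023-11-05T09:05:00Z', account: 'GB29NWBK60161331926819', amount: 120 },
  { ts: '2023-11-05T09:20:00Z', account: 'GB29NWBK60161331926819', amount: 120 },
]);
const thirdInHour = { ts: '2023-11-05T09:30:00Z', account: 'GB29NWBK60161331926819', amount: 120 };
console.log(scoreTransaction(thirdInHour, buildProfile(burst)).decision); // step-up
```

The "step-up" outcome is where a confirmation over an independent channel belongs: the rewritten mule transfer scores as a block on its own, but a new payee at a modest amount is exactly the case where the user, shown the real destination on a second device, is the best judge.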

Finally, it is critical to educate all employees about fraudulent emails, attachments and links, teaching them how to recognize and avoid them so that MitB malware is never installed in the first place. Awareness is the right place to stop the attack, because once the malware is in the browser the user sees nothing unusual.

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive-level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media, where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of the self-funded Blade Software, which released the industry’s first commercial IPS/FW testing tool.