Nowadays web technologies allow users to make a lot of their work online. Cloud services, social networks, online games etc. are gaining more and more popularity and are replaicing desktop applications and offline stuff. Web-browsers also offer special opportunities, that can be increased by the use of different extensions and plugins. This fact made web-browsers an extremely attractive target for cybercriminals and they found new ways of how to implement browser-based attacks, spread malware and get maximum benefits from the infection campaigns.

The story of browser based malware has begun from so called “Man-in-the-browser attacks” (MITB). The first mention of this technique was made in 2005 by Augusto Paes de Barros in his presentation “The future of backdoors – worst of all worlds”. Originally this approach was employed by popular banking trojans (Zeus, SpyEye etc.) to steal bank account credentials and to hijack transactions in e-banking systems. For using this approach malware patches browser’s processes to hijach data buffers before they will be sent through the network to web resource. After browser’s update cybercriminals have to reverse engineering changes and create update for malware. But now the world has changed and it’s much easier to develop basic browser’s extension, that injects javascript to every web page, that user surf. Such script could check URL in the browser tab and change behavior depending from it: in web search services it could insert additional advertising banners, in email services, it could insert additional text to user messages, in online banking it could make web-inject for hijacking transactions.

In the presentation we will cover new implementation and spreading techniques of “Man-in-the-browser” attack. We will highlight some interesting samples, their functions and monetization models, that we have found in the wild.