How banks can protect customers from “Man in the browser attacks”

Criminal groups use a wide range of methods to compromise users and siphon their bank accounts. Once a user's computer is infected with malware, it can, depending on the malware's goal and capabilities, use several methods to obtain sensitive information: changing DNS resolution or poisoning proxy settings to redirect the user to a malicious site, searching the filesystem for stored passwords, inspecting main memory, or infecting the browser and/or the libraries it uses to communicate with servers. This last technique is still on the rise. Compromising the browser stack in this way is commonly known as MITB, "man in the browser".

Once the browser stack is infected, MITB binaries can act in several ways. They can change the content displayed to the user by injecting HTML/JavaScript code (commonly known as WebInjects). They can also exfiltrate the communications between the user and the server to a remote server (commonly known as an exfiltration server), or redirect the full communication between the customer and the bank through a malicious server that acts as a proxy, taking control of the entire conversation. This last method is commonly used to manipulate transaction parameters so that they point to bank accounts controlled by the criminal gangs.

The infection vectors for this kind of binary usually follow the common pattern of a kill chain: an infection campaign (mainly executed via spam, spear phishing or exploit kits), then infection with a loader or directly with the banking Trojan, which monitors the user's browsing in order to trigger itself once the user visits a targeted bank site.

Commonly, once these binaries are fully established on the victim's computer, they request from a server the configuration and/or rules they need to manipulate the customer's browser. This configuration depends on which campaign is currently active and on which websites the cybercriminals are able to manipulate.

For example, one of the most popular bankers currently using this kind of method is Trickbot. It uses a malicious server as a proxy to dynamically manipulate the communication between the user and the bank. When the bot requests its configuration, it receives an XML with the following structure:

  <mm> {url} </mm>
  <sm> {url} </sm>
  <nh> {host} </nh>
  <srv> {ip+port} </srv>

These attributes indicate which server should be used as a proxy for a given domain:

  • sinj: rule enclosure, indicating that this is a static inject
  • mm: target host, commonly the bank's; wildcards are allowed
  • sm: full target URL – also allows wildcards
  • nh: target ID sent to the server specified in ‘srv’, identifying this bank
  • srv: the C&C server that processes and serves the injects
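The following is an added example (not Blueliv's or Trickbot's code) of how an analyst can turn a captured static-inject configuration of this shape into something actionable: it parses the sinj/mm/sm/nh/srv fields, checks whether a given bank URL would be matched, and lists which inject servers cover each of the bank's own domains. The sample configuration is constructed from the field descriptions above (hosts and IPs are placeholders, not real indicators), the `<injects>` root and the use of `<sinj>` as the enclosing element follow the list above, and treating `*` as "any run of characters" is an assumption.

```python
"""Parse a Trickbot-style static inject configuration and check whether
a bank's own domains/URLs are targeted.  Added example, not Blueliv code.
The sample config below is CONSTRUCTED from the field descriptions in the
post (sinj/mm/sm/nh/srv); wildcard semantics ('*' matches any run of
characters) are an assumption."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample: two static-inject rules wrapped in a root element so
# the fragment is well-formed XML.  Hosts/IPs are placeholders, not IoCs.
SAMPLE_CONFIG = """
<injects>
  <sinj>
    <mm>*.examplebank.test</mm>
    <sm>https://*.examplebank.test/online/login*</sm>
    <nh>examplebank_login</nh>
    <srv>192.0.2.10:443</srv>
  </sinj>
  <sinj>
    <mm>secure.otherbank.test</mm>
    <sm>https://secure.otherbank.test/transfer</sm>
    <nh>otherbank_transfer</nh>
    <srv>198.51.100.7:8080</srv>
  </sinj>
</injects>
"""


@dataclass
class StaticInject:
    host_pattern: str    # mm: target host, may contain '*'
    url_pattern: str     # sm: full target URL, may contain '*'
    target_id: str       # nh: id sent to the inject server
    inject_server: str   # srv: C&C ip:port that serves the inject


def _wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a '*' wildcard pattern into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_static_injects(xml_text: str) -> List[StaticInject]:
    """Extract every <sinj> rule from the configuration document."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for node in root.iter("sinj"):
        rules.append(StaticInject(
            host_pattern=(node.findtext("mm") or "").strip(),
            url_pattern=(node.findtext("sm") or "").strip(),
            target_id=(node.findtext("nh") or "").strip(),
            inject_server=(node.findtext("srv") or "").strip(),
        ))
    return rules


def matching_rule(rules: List[StaticInject], url: str) -> Optional[StaticInject]:
    """Return the first rule whose host AND URL patterns both match `url`."""
    host = urlsplit(url).hostname or ""
    for r in rules:
        if (_wildcard_to_regex(r.host_pattern).match(host)
                and _wildcard_to_regex(r.url_pattern).match(url)):
            return r
    return None


def targeted_servers(rules: List[StaticInject],
                     own_domains: List[str]) -> Dict[str, List[str]]:
    """Map each of a bank's domains to the inject servers whose rules cover
    it; useful input for alerting or for blocking those servers at the edge."""
    out: Dict[str, List[str]] = {}
    for d in own_domains:
        hits = {r.inject_server for r in rules
                if _wildcard_to_regex(r.host_pattern).match(d)}
        if hits:
            out[d] = sorted(hits)
    return out


if __name__ == "__main__":
    rules = parse_static_injects(SAMPLE_CONFIG)
    hit = matching_rule(rules, "https://www.examplebank.test/online/login?lang=en")
    print("matched target id:", hit.target_id if hit else None)
    print(targeted_servers(rules, ["login.examplebank.test", "unrelated.test"]))
```

Matching both the host and the full URL mirrors how the two fields are described: mm selects the bank, sm narrows the inject to specific pages such as a login form.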

As mentioned before, Trickbot has the capability of performing both static and dynamic injects. The latter is configured by an XML of the following format:







The “lm” attribute specifies the target URL to inject into, and the “hl” attribute specifies the C&C server responsible for handling the request. By diffing the original HTML of a page against the one received on an infected machine, we can see the injected code:
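The diffing step just described, as an added example that is not part of the original post: it compares the HTML the bank actually serves with the HTML captured from a suspected infected client, lists the lines that only appear on the infected side, and buckets them by the signals that matter for MITB triage (externally sourced scripts and form fields the real page never asks for). Both pages below are constructed, and the inject host is a placeholder.

```python
"""Diff the HTML a bank serves against the HTML captured from an infected
client to surface WebInject content.  Added example, not Blueliv code;
both pages below are CONSTRUCTED and the inject host is a placeholder."""
import difflib
import re
from typing import Dict, List

# Constructed reference: the login page as served by the bank.
REFERENCE_HTML = """<html><head><title>Login</title>
<script src="/static/app.js"></script>
</head><body>
<form id="login" action="/online/login" method="post">
<input name="user"><input name="pass" type="password">
<button>Sign in</button>
</form>
</body></html>"""

# Constructed capture from the infected machine: an extra external script
# and an added field asking for data the real form never requests.
INFECTED_HTML = """<html><head><title>Login</title>
<script src="/static/app.js"></script>
<script src="https://inject.invalid/grab.js"></script>
</head><body>
<form id="login" action="/online/login" method="post">
<input name="user"><input name="pass" type="password">
<input name="card_pin" placeholder="Enter your card PIN">
<button>Sign in</button>
</form>
</body></html>"""


def _normalize(html: str) -> List[str]:
    """Trim each line and drop blank ones so cosmetic whitespace differences
    do not drown the real ones."""
    return [ln.strip() for ln in html.splitlines() if ln.strip()]


def added_lines(reference: str, observed: str) -> List[str]:
    """Lines present in the observed page but absent from the reference."""
    ref, obs = _normalize(reference), _normalize(observed)
    sm = difflib.SequenceMatcher(a=ref, b=obs, autojunk=False)
    added: List[str] = []
    for tag, _i1, _i2, j1, j2 in sm.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend(obs[j1:j2])
    return added


_EXTERNAL_SCRIPT = re.compile(r'<script[^>]+src=["\']https?://', re.I)
_INPUT_FIELD = re.compile(r'<input\b', re.I)


def classify(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket added lines: external scripts (possible exfiltration), new
    input fields (harvesting data the real form never asks for), other."""
    out: Dict[str, List[str]] = {"external_script": [], "new_input": [], "other": []}
    for ln in lines:
        if _EXTERNAL_SCRIPT.search(ln):
            out["external_script"].append(ln)
        elif _INPUT_FIELD.search(ln):
            out["new_input"].append(ln)
        else:
            out["other"].append(ln)
    return out


def report(reference: str, observed: str) -> Dict[str, List[str]]:
    """Full pipeline: diff, then classify what the infected side added."""
    return classify(added_lines(reference, observed))


if __name__ == "__main__":
    for kind, lines in report(REFERENCE_HTML, INFECTED_HTML).items():
        for ln in lines:
            print(f"[{kind}] {ln}")
```

In practice the reference copy comes from the bank's own origin servers and the observed copy from a customer's machine or an analysis sandbox; the line-level diff is enough to spot the typical inject, while the classification lets the analyst prioritise what was added.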


To provide intelligence and monitoring about attacks on your customers, we developed a service that constantly monitors the inject distribution servers of banking Trojans, so that you are notified of the configurations, rules and attacks that refer to your infrastructure and your customers.

The following figures show examples of the notifications you could receive from the Malware Monitoring module, which monitors a set of banking Trojans and provides attack campaign information such as the following:


Campaign tracking

Evolution over time of the different injects distributed for a given target:




Detail of campaign

For each campaign, one can access information about the crime servers, the injection technique and its configuration, and the malware used to execute the man-in-the-browser attack:




If you are a bank, you are surely already facing this challenge. If you would like to know more about MITB and how Blueliv can help you, feel free to reach out to us.
