Hackers fond of man-in-the-browser (MiTB) attacks have brought efficiency to their work. New strains of MiTB malware have been discovered that are able to parse logs for the sensitive information hackers are targeting, rather than send massive unstructured logs back to the attacker’s command and control server.
Researchers at Trusteer have been watching this development for a couple of months and said this is the first time they’ve seen real-time parsing of stolen data.
“Attackers are able to get that credit card information as fresh as possible, rather than having to wait for a log file,” said Trusteer senior security strategist George Tubin.
Traditional man-in-the-browser malware collects all the data entered onto a pre-specified website, such as a financial services site or online storefront, and periodically sends the attacker massive log files that require post-processing. The attacker would have to either manually scour the logs for personal or payment information, or use a log-parsing tool to do the job. Some attackers, instead, choose to sell these logs in bulk in the underground and let someone else worry about sorting through the data.
This new strain of MitB attack, dubbed universal man-in-the-browser by Trusteer, collects all of a user’s Web activity, and using pre-defined configurations, looks for particular data strings such as credit card or Social Security numbers and ships those back to the attacker in real time, eliminating the chance that a user would be alerted to the theft and have their card re-issued.
“The malware recognizes it for any site an individual goes to, rather than typical [MitB] malware going to a bank site specifically,” Tubin said. “Rather than parse log files, it actually universally looks for sensitive information, grabs it and feeds back to fraudster. It’s kind of like [in-database analytics] to make it faster doing analytics. This is able to do it in real time and efficiently.”
Infections still happen in many of the tried-and-true ways with uMitB attacks: drive-by downloads, phishing campaigns and more. Tubin expects to see attackers upload these configurations to machines they already own, or update existing malware in the wild. Some banking malware such as the prolific and dangerous Zeus family of crimeware, or more recently the Tatanga Trojan, rely on MitB techniques to spy on banking sessions, steal data or move money between accounts without the user’s knowledge.
Defining strings for credit card and Social Security numbers is easy, unlike doing so for fields that aren’t so structured such as usernames and passwords. Still, Tubin expects this type of malware to evolve and attackers to seek out almost any type of data using this method. This also opens up whole new avenues of fraud for attackers. For example, this type of malware can bring a new level of automation to card fraud if it is integrated into carder website, Tubin said.
“The impact of uMitB could be significant since information stolen in real-time is typically much more valuable than stale information, plus it eliminates the complexities associated with current post-processing approaches,” Trusteer said. “The thing to know is that these malware writers and cybercriminals are continuously coming up with new exploits.”