Most people use their browsers for everything from logging into their bank account to paying their utility bills. As a result, it’s one of the more obvious targets for hacking.

Taking control of a person's browser isn’t easy. And popular browsers are designed to prevent exactly that. But it can be achieved using what is known as a man-in-the-browser attack.

So what exactly is a man-in-the-browser attack? And more importantly, how can you prevent one occurring?

What Is a Man-in-the-Browser Attack?


A man-in-the-browser (MitB) attack is when a Trojan is used to intercept and/or modify data as it is being sent between a browser and a web server.

This is typically achieved using a malicious browser extension, a user script, or a Browser Helper Object.

A man-in-the-browser attack is a type of man-in-the-middle attack. It’s characterized by interception at the application level, inside the browser, rather than at the network level.

Unlike phishing attacks, the user isn’t required to visit a malicious website. Instead, the user visits a legitimate website but what they actually see is controlled by the attacker.

A man-in-the-browser attack can be used to:

  • Change the appearance of a website.
  • Add new columns/fields.
  • Modify the website's response to input.
  • Intercept the information being sent by a user.
  • Modify the information being sent by a user.
  • Hijack the entire session in real time.

When Do Man-in-the-Browser Attacks Occur?

Man-in-the-browser attacks are primarily carried out during financial transactions, for example when you make a bank transfer or pay for something online.

When successful, the attacker can steal your payment details or redirect the payment to a different recipient, and then return a forged response that convinces you nothing has gone wrong.

This type of attack can also be used to steal personal information. For example, if you encounter an online form that asks for your social security number, an MitB attack could be used to obtain the number.

How Do Man-in-the-Browser Attacks Work?


Man-in-the-browser attacks can be performed in a number of different ways. Here's how MitB attacks commonly work:

  1. You accidentally download a Trojan. This can happen if you visit the wrong website, download the wrong file, or open the wrong email attachment.
  2. The Trojan installs something that can manipulate your browser. Usually, this takes the form of a browser extension.
  3. You open your browser and the extension loads automatically. The extension carries a list of websites it is designed to target. It won’t do anything until you visit one.
  4. You visit a targeted banking website and the extension activates. It’s now recording everything you type.
  5. You log into your account and request a bank transfer of $100.
  6. The extension modifies the request so that it’s now asking for $1000 to be sent, and the money should go to the attacker's bank account.
  7. Your bank receives the transfer request, transfers the money, and returns a response that the transfer was successful.
  8. The extension modifies the bank's response and your browser tells you that $100 has been transferred successfully.

In this example, neither you nor your bank has any reason to suspect a problem.

How to Prevent a Man-in-the-Browser Attack


Man-in-the-browser attacks are difficult to detect. They only occur when you visit legitimate websites. And they are designed to provide seemingly legitimate feedback.

The good news is that they can be prevented.

Use Out-of-Band Authentication

Out-of-band authentication is a type of two-factor authentication that can prevent man-in-the-browser attacks.

Out-of-band authentication uses a secondary channel such as SMS to confirm the details of any transaction that you make.

For example, if you were making a bank transfer, you would first have to receive an SMS message from your bank. The message would include all of the transaction details and it wouldn’t go ahead until you respond with a confirmation.

The idea here is that if your browser is compromised, it’s highly unlikely that the same attacker has access to your SIM card.
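The following is an added example, not code from the original article or from any bank or vendor. It models the two passages above: the eight-step attack walkthrough (the extension rewriting the $100 transfer into a $1000 transfer to the attacker) and the out-of-band confirmation that defeats it. All names (`Bank`, `Transfer`, `mitb_tamper`, `user_reviews_sms`) and the SMS wording are constructed for illustration. The key design point is that the bank composes the SMS from the request it actually received, and the approve/decline decision happens on the phone, outside the compromised browser.

```python
"""Out-of-band transaction confirmation versus a browser-side tamper (constructed model)."""
import re
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    recipient: str


class Bank:
    """Server side: a transfer is parked until the user confirms its details
    over a second channel (here, a simulated SMS)."""

    def __init__(self) -> None:
        self.pending: dict[str, Transfer] = {}   # code -> request as received from the browser
        self.executed: list[Transfer] = []       # transfers that actually went through

    def receive_from_browser(self, tx: Transfer) -> str:
        """Park the request and return the SMS text sent to the user's phone.
        The message restates the details exactly as the server received them,
        so any tampering done in the browser is visible on the phone."""
        code = secrets.token_hex(4)
        self.pending[code] = tx
        return (f"Confirm transfer of ${tx.amount_cents / 100:.2f} to "
                f"{tx.recipient}. Reply {code} to approve.")

    def receive_sms_reply(self, reply: str) -> bool:
        """Execute only when the reply carries a valid, unused confirmation code."""
        tx = self.pending.pop(reply.strip(), None)
        if tx is None:
            return False
        self.executed.append(tx)
        return True


# Parses the constructed SMS format above; a real bank would use its own template.
SMS_RE = re.compile(r"\$(\d+)\.(\d{2}) to (.+?)\. Reply ([0-9a-f]+) to approve")


def user_reviews_sms(sms: str, intended: Transfer) -> Optional[str]:
    """User side: read the SMS on the phone (out of band) and reply with the
    code only if the details match what the user meant to send."""
    m = SMS_RE.search(sms)
    if not m:
        return None
    dollars, cents, recipient, code = m.groups()
    shown = Transfer(int(dollars) * 100 + int(cents), recipient)
    return code if shown == intended else None


def mitb_tamper(tx: Transfer) -> Transfer:
    """Constructed stand-in for step 6 of the article: the browser-side Trojan
    rewrites the request before it leaves the browser. No real hooking here."""
    return Transfer(100_000, "attacker-account")


def run_transfer(bank: Bank, intended: Transfer, browser_compromised: bool) -> bool:
    """Full flow: browser submits, bank sends SMS, user reviews, bank executes or not.
    Returns True only if money actually moved."""
    submitted = mitb_tamper(intended) if browser_compromised else intended
    sms = bank.receive_from_browser(submitted)
    code = user_reviews_sms(sms, intended)
    if code is None:          # user saw $1000 to attacker-account and declined
        return False
    return bank.receive_sms_reply(code)


if __name__ == "__main__":
    intended = Transfer(10_000, "friend")
    print("clean browser:", run_transfer(Bank(), intended, False))        # True
    print("compromised browser:", run_transfer(Bank(), intended, True))   # False
```

In the compromised run the bank receives the tampered $1000 request and faithfully echoes it to the phone; the user, comparing it against the $100 transfer they intended, never sends the code, so nothing is executed. This only holds while the second channel stays independent, which is the point made above: if the same attacker also controls the phone or SIM, the confirmation can be intercepted along with everything else.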

Use Security Software

Any respectable piece of security software will make it virtually impossible for a Trojan to be installed on your computer.

Modern antivirus products are not only designed to prevent such programs from being installed, they also monitor your entire computer for Trojan-like behavior. This means that if a program gets past your AV, it can still be caught when it starts manipulating your browser.

Recognize Trojan Behavior

If your computer is infected with a Trojan, it will usually start to behave erratically. Here are a few things to look out for.

  • Your browser is sending you to websites that you didn’t request.
  • Your browser is suddenly showing more advertising.
  • Your internet connection keeps being interrupted.
  • Your computer is connecting to the internet on its own.
  • Your computer is showing pop-up messages.
  • Your computer is slower than normal.
  • Programs are running that you didn’t open.
  • Files are being moved and/or deleted without your knowledge.

Avoid Malicious Websites

Security software is useful but it should only be used as a last line of defense. What’s more important is the sites that you visit and the files that you download.

Try to avoid questionable websites such as those that offer anything pirated. Be careful what you download and where you download it from. If you want to download software, for example, try to get it directly from the developer.

Practice Email Security

Email is a popular method of Trojan distribution. Attackers send out millions of emails in the hope that a few recipients will open them. Emails can deliver Trojans both as attachments and via links to malicious websites.

Try to avoid opening emails from unknown senders and be very suspicious of any message that asks you to download something and/or click on a link.

You Probably Won’t Encounter One

A man-in-the-browser attack is one of the most effective ways to steal from people online. While some cyberattacks are more annoying than anything else, this attack can be used to empty your bank account.

The good news is that while difficult to detect, they are easy to prevent. A man-in-the-browser attack is impossible without first installing a Trojan. And with the right security software and browsing habits, this isn’t something that you need to worry about.