F5 SOC: Shutting Down Malicious Scripts in Real Time

Lori MacVittie Miniatur
Lori MacVittie
Published December 14, 2015

It’s only sort of true that people are the weakest link in the information security chain. The truly weakest link is the browser.


That’s because the browser is one of those apps that no one really pays much attention too, likely because in most cases, infosec professionals have absolutely no control over it. Customers can be (and often are) cajoled or even threatened with non-support of online apps if they don’t keep their browser up to date, but beyond that? There’s just no way to manage the various components of a browser that can – and do – lead to compromise.

But you can monitor it, at least while its operator is interacting with your site. It’s just that kind of monitoring that recently helped the F5 SOC detect – and shut down – a vicious little script.

The F5 SOC, which actively supports our WebSafe offering, spends a lot of its time researching a variety of malware and scripts that threaten financial institutions and their customers. One of the ways in which WebSafe protects customers and organizations alike is through actively (in real-time) keeping an eye on every aspect of the conversation between a customer and an app. Because of that active eye on real-time communications it’s able to detect and alert our security analysts when something looks fishy (pun intended). Which it did, recently (November 10, 2015 at 18:54 (UTC) if you want to be precise), when it noticed a script it deemed malicious being injected into a browser interacting with a financial app.

Script injection into browsers (often referred to as MItB or “Man in the Browser” attacks) is generally accomplished by existing malware such as a trojan downloaded and installed thanks to a successful phishing attempt (surprisingly, 45% still succeed) or through an infected browser add-on.

These malicious scripts are well-crafted and are easily able to trick users into providing more information than is actually necessary as well as snooping on communications and stealing credentials, financial account information, and anything else that might offer them the means to later successfully commit fraud. And they’re difficult to detect, unless you’re actively monitoring the browser in a way that isn’t easily circumvented by the attacker’s minion, malware.

That’s one of the benefits of a solution like WebSafe, as its able to monitor activity in real-time without requiring eventually identifiable agents or browser add-ons. And that’s what led to the discovery and subsequent shut down within hours of this latest script-injected attack.

You can learn more about WebSafe here and dive into the technical details of this malicious script in this report from the F5 SOC.

Stay safe out there!