F5 GLOSSARY

Man-in-the-browser (MITB) Attack

What is an MITB Attack?

An MITB attack, short for "Man-In-The-Browser" attack, is an advanced form of the MITM (Man-In-The-Middle) attack. While MITM attacks involve an attacker intercepting communications between parties to eavesdrop or manipulate data, MITB focuses specifically on compromising the user’s web browser. By taking control of the browser, an attacker intercepts and manipulates communication between the web browser and the web server to steal data or make unauthorized requests. In Japan, reports of MITB attacks emerged around 2012, gaining widespread attention in May 2014 after being used in a high-profile online banking fraud incident.

MITB attacks are triggered by infection with Trojan malware that resides within the web browser. The malware first contacts the attacker's Command & Control (C&C) server to retrieve information, such as a list of target online banking sites. It then monitors the user’s activity and automatically detects access to a target site. A fake login interface is presented to the user, tricking them into entering their credentials. The attacker uses this information to carry out unauthorized actions, such as fraudulent money transfers, without the user's awareness.

Unlike in an MITM attack, the user in an MITB scenario is genuinely connected to the legitimate site, so server certificates and site identity verification cannot reveal the tampering. Moreover, because the unauthorized actions are performed after the user has logged in, even advanced authentication methods such as one-time passwords cannot prevent the attack. Tools for executing MITB attacks are readily available, and their targets have expanded beyond online banking to a wide variety of services.
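As an added illustration (not part of the F5 glossary entry) of why a login-time one-time password does not stop a post-login MITB transfer, this Python sketch contrasts a counter-based OTP with a transaction-bound authorization code computed on an out-of-band device that shows the user the recipient and amount before displaying the code; the secret, account numbers and field names are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo secret; a real one lives only on the out-of-band device and
# the bank's server, never in the browser the Trojan controls.
DEVICE_SECRET = b"constructed-demo-secret-not-for-real-use"

@dataclass(frozen=True)
class Transfer:  # hypothetical field names
    recipient_account: str
    amount_cents: int

def _code(secret: bytes, msg: bytes, digits: int = 8) -> str:
    # HMAC-SHA256 truncated to a short numeric code the user can type into the browser.
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)

def plain_otp(secret: bytes, counter: int) -> str:
    """Counter-based OTP: proves possession of the device, says nothing about the transfer."""
    return _code(secret, counter.to_bytes(8, "big"))

def transaction_code(secret: bytes, t: Transfer, counter: int) -> str:
    """Transaction-bound code: the MAC also covers the recipient and amount the device showed."""
    msg = counter.to_bytes(8, "big") + f"{t.recipient_account}|{t.amount_cents}".encode()
    return _code(secret, msg)

def server_accepts_otp(secret: bytes, counter: int, code: str) -> bool:
    return hmac.compare_digest(plain_otp(secret, counter), code)

def server_accepts_transfer(secret: bytes, submitted: Transfer, counter: int, code: str) -> bool:
    # Recomputed over the transfer the server actually received, not the one the user saw.
    return hmac.compare_digest(transaction_code(secret, submitted, counter), code)

def demo() -> dict:
    counter = 42
    intended = Transfer("ACCT-INTENDED-0001", 10_000)   # constructed: what the user confirmed
    tampered = Transfer("ACCT-ATTACKER-0002", 250_000)  # constructed: what the infected browser submits
    otp = plain_otp(DEVICE_SECRET, counter)
    tcode = transaction_code(DEVICE_SECRET, intended, counter)
    return {
        "otp_accepts_tampered": server_accepts_otp(DEVICE_SECRET, counter, otp),
        "tcode_accepts_intended": server_accepts_transfer(DEVICE_SECRET, intended, counter, tcode),
        "tcode_accepts_tampered": server_accepts_transfer(DEVICE_SECRET, tampered, counter, tcode),
    }

if __name__ == "__main__":
    print(demo())
```

The plain OTP check never sees the transfer contents, so a rewritten recipient and amount sail through; the transaction-bound code is rejected because the server's recomputation no longer matches what the device signed.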