
A Survey on Countermeasures Against Man-in-the-Browser Attacks

  • Conference paper
Hybrid Intelligent Systems (HIS 2019)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 1179)


Abstract

Man-in-the-browser (MitB) attacks can modify the contents of a web page or alter data in messages exchanged over the network without the communicating parties (the user and the web service) noticing anything out of the ordinary. In this paper, we present a systematic survey of countermeasures against man-in-the-browser attacks. While no countermeasure seems to be completely foolproof (and still usable) against these attacks, combining a set of solutions and enforcing them more effectively in real-world systems should greatly mitigate this threat in the future.




Corresponding author

Correspondence to Sampsa Rauti.


Copyright information

© 2021 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Rauti, S. (2021). A Survey on Countermeasures Against Man-in-the-Browser Attacks. In: Abraham, A., Shandilya, S., Garcia-Hernandez, L., Varela, M. (eds) Hybrid Intelligent Systems. HIS 2019. Advances in Intelligent Systems and Computing, vol 1179. Springer, Cham. https://doi.org/10.1007/978-3-030-49336-3_40
