Web Security

Man in The Browser Attacks: A Comprehensive Guide

February 22nd, 2017 | By Shaumik Daityari | 5 min read

Man in the Browser attacks have gained widespread notoriety in recent times. With a rapidly growing user base on the Internet, potential attackers are finding new, innovative, and complex ways to serve their malicious purposes.

Conceptually, the MitB involves an attacker secretly tapping into a browser to gather data, modify websites, and manipulate requests without the user's knowledge.

Man in the Browser attacks: How does it work?

A MitB attack starts with a trojan infecting the OS or software. It may just be invisible to an antivirus software, and silently logs the activities of the user, with the potential of manipulating it. The most frequent modus operandi is email phishing.

When a user downloads and executes an infected file (say, from an email attachment), it typically hooks itself to a system library called wininet.dll, which is used by major browsers to connect to the internet - effectively taking over all information flow to and from a browser.

The malware can take full control over the user’s actions — it can detect anything a user types, read information that is displayed on the screen, and modify any response originating from the browser.

You may wonder if technology such as encryption keeps you safe from MiTB attacks.

Encryption is designed to protect you if someone intercepts your information. In a MitB attack, the malware has access to data that has already been decrypted in your browser, thereby making encryption ineffective against such attacks. Since the attack takes place locally, other security measures like firewalls are equally ineffective in detecting such attacks.

From the point of view of a server, a MitB attack cannot be detected, as all the activities as a part of this attack originate at the user's end and it is very difficult, if not impossible, for the server to differentiate any such activity.

What makes MitB so dangerous is that the process is automated without minimal and sometimes no human intervention.

There is no upper limit on the devices that can be affected by such malware at a time since each infection uses local resources, and the infection spreads exponentially.

What can a MitB attack potentially affect?

With the control of detecting inputs, reading the screen, and manipulating requests, there are no limits to the consequences of MitB, although two specific use cases are discussed here.

The easiest target of a MitB attack is social engineering. It can gather a user's data (including login data) by analyzing their actions for some time, and use that data to impersonate the user.

With user information, an attacker can obtain credit, a practice commonly known as identity theft. MitB attacks may also be orchestrated for the data leakage of sensitive, classified data.

Yet another malicious task that a MitB attack may be used for is to steal funds.

The malware remains inactive when a user logs into an account using two or three-factor authentication. Thereafter, the malware redirects funds by manipulating the details of the transaction and modifying any message to fool the user into believing that the transaction was successful, thereby leading to significant financial losses.

As MitB attacks are so difficult to detect, businesses must be aware of the potential losses these attacks can cause to their systems. Financial institutions, specifically, are at high risk as they form some of the biggest bounties for potential attackers.

How can you detect MiTB attacks?

Although this post has continuously mentioned that detecting MitB attacks is very difficult, it must be reiterated that it is not quite impossible.

There are a few emerging methods and tools to detect potential attacks and take steps to avoid transactions initiated on compromised end-user devices. The techniques that battle MitB attacks may be divided into two — client side and server side.

Server side measures

As a business, one may employ many server-side measures to prevent MitB attacks. A few popular methods are discussed in this post.

Out of Band (OOB) Verification

This process involves an extra step in the verification process by involving a separate device that is owned by the user. However, this step can also be bypassed by malware, if it has access to your phone as well, or the contact details are stored online in a platform that is accessible by the malware.

The malware can also wait for the user to authenticate the transaction on the infected device, but it can be avoided by clearly mentioning the details of the transaction in the secondary device to alert the user of suspicious activity, although there are difficulties in getting the transaction information on a small message and users may ignore such information to read only the verification code.

Using biometrics (fingerprint or a retina scan) to verify a transaction may also be used. Although theoretically, it is possible to avoid MitB attacks through this mode, it is generally accepted that MitB bypasses this.

Behavior Analysis

Behavior analysis is a process where unusual account activity is detected based on the past activity of the users. Financial institutions may use this technique to determine if a transaction under consideration fits a user profile, and accordingly validate the transaction.

Client Side Measures

On the client side, users can take extra precautions by only using browsers with stringent security measures.

Browsers may come with denied listed extensions and add-ons, which are blocked in routine security checks by the browser on startup.

A good browser also performs integrity checks on any extensions that are installed to make sure malicious code is not running on the browser.

Using anti-malware software may prevent attacks, but only if they are present in the database of this software. A developer may also include as a part of its code checks to detect client-side behavior of known infections.

Web Integrity Module

All the measures described so far require continuous monitoring and can be bypassed by attackers with relative ease.

Jscrambler now offers an agentless and cross-platform solution that tackles fraud in your website, which can make your application secure by preventing tampering with the DOM and removal of known threats on the client side.

Further security to your application is provided by easy and effective monitoring through real-time updates, which enables you to tackle an issue as soon as it develops. If something suspicious is spotted, the application backend is immediately notified, allowing near real-time reaction from the application to the possible fraud attempt.

Web Integrity Module emerged as a solution that is completely plug-and-play, and does not require installing anything locally.

The end-user doesn't have to cooperate with anything. It's completely transparent to the client device and supports all browsers and platforms. Also, contrary to anti-virus solutions, it does not look for malware signatures but for changes made to the untampered page, and by doing so, it can detect 0-day threats.


Attackers are working round the clock on improving existing threats to find new ways of gaining access to malicious data, and traditional ways of tackling them are turning out to be insufficient, although still necessary.

It is, therefore, the duty of companies to keep up with the latest threats that they may face by adopting the technology and securing their systems.


The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.

View All Articles

Must read next

Web Security

Browser-in-the-Browser: A New Wave of Picture-in-Picture Phishing Attacks?

In this blog post, we are going to talk about the browser in the browser (BitB) attack and the different approaches used in this deception technique.

April 22, 2022 | By Jscrambler | 5 min read

Web Security

How Secure is your Web Browser?

Pedro Fortuna points out that if companies continue to solely focus on protecting the server, they will leave their front door open to attacks.

January 20, 2017 | By Pedro Fortuna | 3 min read

Section Divider

Subscribe to Our Newsletter