Man-in-The-Browser (MiTB) attacks

The man-in-the-browser attack, or adversary-in-the-browser attack, is a cyberattack method that has been around since 2006. As the name suggests, it involves a malicious actor secretly tapping into a user's browser to access their private information. Furthermore, it allows them to tinker with their victim's website or engage in other devious exploits, such as financial fraud.

Examples of real-world Man-in-the-browser Trojans include Zeus, Carberp, SpyEye, and Clampi, to name but a few.

What are the methods of Man-in-the-browser attacks?

Malicious actors use various tactics to carry out Man-in-the-browser attacks. In the sections below, we explore each tactic in detail:

  • Man-in-the-browser through Trojans.

  • Man-in-the-browser through browser extensions

  • Man-in-the-browser through API hooking

  • Man-in-the-browser through SSL stripping

Man-in-the-browser through Trojans

In this approach, cybercriminals implant a Trojan horse in a would-be victim's PC operating system. In this case, they usually use email phishing as the primary vehicle to trick a user into installing the trojan, which, in turn, allows them to spy on users.

  1. A typical operation involves sending users emails with malicious attachments. Upon their clicking, these files attach themselves to a user's PC's system library, which is used by top browsers to access the Internet. In doing so, they enable a malicious actor to read a user's information or change anything on their browser.

    An excellent example of such malware is ZeuS, a sneaky Trojan that has led to massive losses since its inception in 2006.

    In particular, ZeuS has infected millions of computer systems worldwide, resulting in the loss of billions of dollars. Its other banking variants include the Citadel Trojan, which has affected 11 million companies, leading to a $500 million loss in damages. In comparison, its Emotet Trojan version has led to a loss of $1 million per attack since its introduction.

  2. Another way the malware has been passed around is through drive-by downloads and spam campaigns.

    In the first case, an attacker typically sends a malicious file in downloadable form to an unsuspecting user, who then accidentally clicks on the file to spread the malware. Similarly, the latter involves spamming a user's mailbox with unsolicited emails promising differing benefits, for instance, discounts upon clicking on a link leading to an infection.

  3. The third way the ZeuS Trojan is spread across the web is through JavaScript and AJAX.

    Most Zeus developers prefer this method since XML, asynchronous JavaScript, or AJAX code work alongside X-Frame option headers. And in so doing, cybercriminals can oversee and command servers to create new forms within banking sites, which allows them to access personal information and user passwords. Besides that, these languages make it difficult for an ordinary user to identify the malware. As such, they are a popular choice when configuring botnets.

    Other means through which the Zbot is spread include pay-per-install services, social media messaging services, and instant messengers. The awful thing about the malware is that it mutates an infected system into a bot in a botnet. This makes life easier for bad actors, as they can rent out hacked systems to their associates to continue playing the game.

Man-in-the-browser through browser extensions

In this approach, malicious actors use an insecure browser extension or a Browser Helper Object—a malicious user script.

An attacker usually maneuvers malware past a browser's security features to intercept communication between a website and a user. This allows them to alter a user's financial transactions or change their website's appearance, among other malicious actions.

When installing a browser extension, it is common for users to unintentionally accept the broad permissions that modify the browser, the web pages, and their behavior.

Naturally, this level of control and access by third parties can represent significant threats to the security and privacy of users and their organizations; they can inject malicious JavaScript directly into web pages and modify the DOM.

Man-in-the-browser through API hooking

The third way to attack is by using API Hooking.

In this setting, the man-in-the-browser performs the role of middleman between executable applications and their libraries. Notably, the MITB strategically hooks up the internet connect function in winnet.dll. This enables an attacker to change what pops up on a user's browser—the operation mimics HTML rewriting. Even worse, the fraudster can decide to change a user's website to make it appear authentic but with misleading information.

Man-in-the-browser through SSL stripping

Last but not least, we find Man-in-the-browser attacks that use SSL stripping.

Cybercriminals downgrade a website’s connection from HTTPS to HTTP, making it more vulnerable to attacks. The action makes all the communications unencrypted, setting the stage for Man-in-the-browser attacks.

How to detect and prevent Man-in-the-browser attacks

From an expert standpoint, detecting and preventing Man-in-the-browser attacks is an uphill task. How they spread and operate tells it all.

As an example, it is difficult to stop them by using standard antivirus software or firewalls meant for virus protection. Furthermore, attackers can use extensive resources to launch an attack, giving them an upper hand. They can also develop Man-in-the-browser attacks that spread exponentially, making them difficult to control.

Preventing Man-in-the-browser attacks: strategies for end-users

Given the vast array of tactics that cybercriminals can use to perform Man-in-the-browser attacks, there isn’t much that end-users can do to prevent them.

To protect against SSL stripping attacks, users can always check their browser's address bar. Doing so enables them to spot any connection via an unencrypted HTTP protocol. Alternatively, they can install the HTTPS Everywhere extension, ensuring HTTPS communication round the clock. On top of that, the extension can help prevent third parties from demoting their connections to HTTP.

Advanced users can also ensure that their local area network is free from unauthorized parties and secure. In essence, an SSL breakthrough heavily depends on local network accessibility.

Preventing Man-in-the-browser attacks: strategies for companies

Companies can use several strategies to bolster their defenses against Man-in-the-browser attacks.

First off, they can use Out-of-Band Verification. Here, a different device (such as a phone) can verify what is passed on to a PC. This is not foolproof, though, as the malware can wait to strike at prime time (after authentication), which makes it difficult to stop the infection in the first place. Therefore, companies can integrate a biometric identification system to make the method more effective.

Another way to monitor and intercept such attacks is through behavior analysis. This process involves an in-depth study of user behavior to help identify abnormal account activity. These can allow bank employees to validate transactions, for instance. It also allows for weeding out potential criminal activity or actions that don't match a user's profile.

Companies can also employ an additional line of defense on the client side. Monitoring the client side for malicious activity allows companies to detect and block Man-in-the-browser attacks. It will also help companies achieve a higher security level for their applications. Why? Websites use more and more scripts and third parties on their web pages to help them understand how their website operates and how the users operate their websites, which can increase the security risks for the company and their customers.

Read more about Man-in-The-Browser attacks with Jscrambler’s Case Study about Mitigating Browser Extension Attacks, where you can learn more about the dangers of browser extensions, their attack scenarios, common approaches, and how to mitigate them.

How Jcrambler can help you

Manage third-party risk with real-time visibility

Recommended to read next

Web Security


Client-side refers to operations performed on the user device rather than on a remote server or the company's side.

9 min read

Read More
Web Security

Data Exfiltration

Data exfiltration is the unauthorized movement of sensitive or confidential information from within an organization's network to an external location.

5 min read

Read More