Man in the Browser Attack vs. Two Factor Authentication

May 9, 2012, by Irfan Shakeel

Authentication, or e-authentication (electronic authentication), is the technique or method used to establish a connection between two entities. The connection rests on confidence and confirmation that both parties are the legitimate parties to the connection (session). Password-based authentication is the most common authentication technique, and it is used on many platforms, such as bank accounts, social networking and other website accounts. Since there are several ways to crack a password, and a weak password can easily be cracked by dictionary and brute force attacks, the only way to prevent password-based attacks by a hacker is to create security awareness among users. Other possible ways are to increase the security and make the authentication process more complicated.

There are three main categories of authentication:

  • Something you are
  • Something you know
  • Something you have

A password is not the only means of authentication; several other methods apply in real-world scenarios.

Something you are (something a user is): This is the most secure way and cannot be easily broken. This is the biometric field; something a user is means a fingerprint, voice recognition, a retina scan or another biometric technique.

Something you know (something the user knows): This is the most common authentication technique, as discussed earlier. Passwords and PIN codes are the most common examples; however, something that you know can become something that you have forgotten or lost.

Something you have (something a user has): This is also a good authentication technique; examples are a mobile phone, an ID card or an electronic card.

To ensure maximum security, combine these techniques or categories of authentication. The common example of a combination is: "An ATM requires your electronic card (something you have) and a PIN code (something you know) to establish the connection." So it is a good idea to use more than one authentication technique to ensure maximum security. The combination of two authentication techniques is called two factor authentication, and the combination of three is called three factor authentication. Multiple factors of authentication can be created by combining several techniques and their variants.

The common authentication technique (something you know) is a password, but you can forget or lose a password, and a hacker can obtain your password by several techniques, such as guessing. Since a password is no longer the best way to authenticate a user, and common online attacks like phishing and identity theft can be used to steal a user's confidential information, several websites now use two factor authentication. Facebook and Gmail, along with banks' websites and other financial institutions, use two factor authentication. Two factor authentication has many advantages and its importance is no secret, but hackers have found a way to break into it. Security researchers have discovered several attack techniques that are able to break two factor authentication, and the most common among them is:

  • Man-in-the-browser attack

This attack is nothing but a variant of the man-in-the-middle (MITM) attack, one that uses a Trojan horse to get the job done.

Man-in-the-Browser Attack

A man-in-the-browser attack uses a Trojan horse to manipulate the communication between the user and the browser, unlike the common type of web application attack in which an attacker manipulates the communication between the user and the web server. The Trojan horse takes advantage of a browser vulnerability to launch the attack against two factor authentication, and in this attack two factor authentication is not able to protect the user's information.

How the Man-in-the-Browser Attack Works

The first weapon a hacker needs to accomplish a man-in-the-browser attack is a Trojan horse, and the second is the browser. Common browsers, like Internet Explorer, Firefox, Opera and Google Chrome, can easily be targeted on various operating systems, like Windows, Linux and Mac. The Trojan horse takes advantage of the following:

  • Browser Helper Objects

A Browser Helper Object (BHO) is a DLL (dynamically-loaded library) module, a plugin for Internet Explorer similar to a Firefox plugin; the DLL is loaded when Internet Explorer starts. According to Wikipedia, "The Adobe Acrobat plug-in that allows Internet Explorer users to read PDF files within their browser is a BHO."

Since a BHO can access the DOM (document object model), the Trojan horse can manipulate the communication. An example is Download.ject, a piece of malware that installs a BHO.

  • Extensions

Browser extensions or plugins play an important role in the man-in-the-browser attack. Creating a plugin is a very easy task, and spammers use this to create and spread extensions that target many browsers. Extensions may be designed for Firefox and Chrome; both are popular browsers, so the chances are high of reaching a large group of people. These extensions are designed to perform malicious activities in the victims' browsers: they are able to capture users' confidential information, and an attacker can even design an extension that modifies requests and the communication between the user and the browser.

  • Augmented browsing

Augmented browsing means using scripts that automatically enhance the information on a web page or automatically inject information into it. Greasemonkey (a Firefox plugin) is a good example of augmented browsing; it allows users to install scripts. So by using augmented browsing, an attacker may design a script that has the ability to steal or modify information.

  • API hooking

Hooking is a technique that changes the behavior of an application by intercepting its calls. From an attacker's point of view, creating API hooks is somewhat more difficult than the previous techniques. API hooking brings the man-in-the-middle idea into the man-in-the-browser attack by intercepting the calls between the browser's .EXE and its DLLs (dynamically-loaded libraries).

How the Man-in-the-Browser Attack Works in Action

The man-in-the-browser attack depends on the Trojan horse, so the first step in launching it is to infect the victim's computer. An attacker may use several ways, including social engineering techniques, to reach the victim's computer. There is a difference between targeting a specific victim and creating a plan that can target a massive number of computers (like creating a Trojan horse and spreading it as an extension). An attacker might infect the computer by:

  • Exploiting the network vulnerability
  • Spam emails (that contain the malicious file)
  • Exploiting the web application vulnerability (iframe injection attack plays an important role)
  • Phishing email that suggests the user click on the malicious link
  • Link sharing on social network websites
  • More

The second step of the attack is the responsibility of the Trojan horse, which is able to activate by itself. It silently monitors the activity of the user (victim); its other functions depend on how the attacker created it. For example, the Trojan horse can hand control to its server. A Trojan horse designed to watch specific websites (like a bank's website) detects whenever the user visits a targeted website and then performs the desired functions.

How the Trojan Horse Bypasses Two Factor Authentication

The Trojan horse is able to bypass two factor authentication. Suppose the bank website provides an extra layer of security by sending an OTP (one time password) via SMS to the user. Since the user is legitimate and receives the OTP by SMS, the bank website authenticates the user because the right credentials are entered. The Trojan horse is smart enough to wait for a transaction, and, as described earlier, it modifies the communication between the user and the website: it can alter the data in the website's form fields. Suppose the user has written "HJ1234l&OP" but the Trojan horse has modified it. Look at the example below:

Field               The user's window    What the bank server received
Payee name          Irfan Shakeel        hacker
Payee account no.   890066557            455663434
Amount              $600                 $6000

So in the user's window everything looks good, but the Trojan horse has modified the transaction. The bank server has received the transaction from a legitimate, authenticated user, so it performs the requested task, and at the end of the transaction the web server returns a receipt. The Trojan horse can modify the receipt too, displaying the receipt of the original transaction to the user. From both the user's and the bank server's point of view everything is fine, but the man-in-the-browser attack has been completed and the money successfully stolen.
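The following simulation is an added example, not code from the article or from any bank: it replays the transfer in the table above and shows why the login OTP does not catch the swap. The bank server, the Trojan's behaviour and the customer identifier are all constructed stand-ins. The second scheme in the code, a confirmation code computed with an HMAC over the payee and amount the server actually received and sent to the user's phone together with those details, is an added hardening the article does not describe; it is included to show the check a defender would want, which is that the second factor must be bound to the transaction, not only to the login.

```python
"""Simulation of the transfer in the table above.

The user types one transaction; a man-in-the-browser Trojan submits another.
Two server-side checks are compared: the SMS OTP from the article, which only
proves that the user logged in, and an added hardening (an assumption, not
something the article describes) where the confirmation code is computed over
the payee and amount the server actually received and is sent to the user's
phone together with those details.
"""
import hashlib
import hmac
import secrets

# Constructed sample data, taken from the article's table.
USER_FORM = {"payee_name": "Irfan Shakeel", "payee_account": "890066557", "amount": "600"}
TROJAN_FORM = {"payee_name": "hacker", "payee_account": "455663434", "amount": "6000"}
USER = "customer-1"  # hypothetical account identifier


class Bank:
    """Minimal stand-in for the bank server (assumption, not a real system)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # server secret for confirmation codes
        self.login_otps = {}                # user -> OTP sent by SMS at login
        self.pending = {}                   # user -> nonce of the outstanding confirmation

    # --- Scheme from the article: OTP at login, nothing ties it to the transfer ---
    def send_login_otp(self, user):
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.login_otps[user] = otp
        return otp  # delivered to the user's phone by SMS

    def transfer_with_login_otp(self, user, form, otp):
        if self.login_otps.pop(user, None) != otp:
            return "rejected: bad OTP"
        # The OTP says nothing about payee or amount: whatever the browser sent is executed.
        return f"executed: {form['amount']} to {form['payee_account']}"

    # --- Added hardening: confirmation code bound to the received transaction ---
    def _code(self, user, nonce, payee_account, amount):
        msg = f"{user}|{nonce}|{payee_account}|{amount}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:8]

    def request_confirmation(self, user, form):
        """Return the SMS the bank sends: the details it received plus a code over them."""
        nonce = secrets.token_hex(8)
        self.pending[user] = nonce
        return {
            "payee_account": form["payee_account"],
            "amount": form["amount"],
            "code": self._code(user, nonce, form["payee_account"], form["amount"]),
        }

    def transfer_with_bound_code(self, user, form, code):
        nonce = self.pending.pop(user, None)  # single use: the nonce is consumed here
        if nonce is None:
            return "rejected: no pending confirmation"
        expected = self._code(user, nonce, form["payee_account"], form["amount"])
        if not hmac.compare_digest(expected, code):
            return "rejected: code does not match the submitted transaction"
        return f"executed: {form['amount']} to {form['payee_account']}"


def user_checks_sms(sms):
    """The user compares the details on the phone with what was typed in the browser."""
    return sms["payee_account"] == USER_FORM["payee_account"] and sms["amount"] == USER_FORM["amount"]


def simulate_login_otp_scheme(bank):
    otp = bank.send_login_otp(USER)  # user reads the SMS and types the OTP into the browser
    # The Trojan rewrites the form fields and forwards the OTP unchanged.
    return bank.transfer_with_login_otp(USER, TROJAN_FORM, otp)


def simulate_bound_code_scheme(bank, trojan_swaps_at):
    if trojan_swaps_at == "confirmation":
        # The Trojan substitutes its own details before the confirmation request,
        # so the SMS shows a payee and amount the user never entered.
        sms = bank.request_confirmation(USER, TROJAN_FORM)
        if not user_checks_sms(sms):
            return "aborted: SMS shows a payee/amount the user never entered"
        return bank.transfer_with_bound_code(USER, TROJAN_FORM, sms["code"])
    # The Trojan lets the real details through, then swaps them on the final submit;
    # the code the user typed was computed over the real details and no longer matches.
    sms = bank.request_confirmation(USER, USER_FORM)
    return bank.transfer_with_bound_code(USER, TROJAN_FORM, sms["code"])


if __name__ == "__main__":
    print("login OTP only:        ", simulate_login_otp_scheme(Bank()))
    print("bound code, early swap:", simulate_bound_code_scheme(Bank(), "confirmation"))
    print("bound code, late swap: ", simulate_bound_code_scheme(Bank(), "submit"))
```

Run as a script it prints one line per scenario: the login-OTP scheme executes the Trojan's transfer, while the bound code is either rejected by the server (details swapped after confirmation) or refused by the user (details swapped before confirmation, so the phone shows the wrong payee). The design only holds if the phone is a separate device that the browser Trojan cannot read or alter, and if the user actually reads the payee and amount in the message rather than just copying the code.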

So the man-in-the-browser attack is very dangerous because neither the bank server nor the user can detect it. This is where the powerful authentication (two factor authentication) has failed. Below are details of some Trojan horses that perform MitB (man-in-the-browser) attacks on various operating systems and browsers.


Trojan    Notes                                              OS       Browsers
Carberp   targets Facebook users redeeming e-cash vouchers   Windows  IE, Firefox
OddJob    keeps bank session open                            Windows  IE, Firefox
Zeus      widespread, low detection                          Windows  IE, Firefox
Sunspot   widespread, low detection                          Windows  IE, Firefox

* Source

How to Prevent a Man-in-the-Browser Attack

The man-in-the-browser attack is very dangerous because the Trojan horses designed to perform it have a very low detection ratio. Among them, Zeus seems to be the most dangerous. So what are the possible ways to protect your computer from a man-in-the-browser attack?

It is very clear that if your computer is vulnerable then your transactions are vulnerable, so the main step is to protect your computer. Since the detection ratio is very low, anti-virus cannot easily detect the Trojan. But if you know what you are downloading, you can protect your computer, so the first level of protection is awareness.

If you really want an extra layer of security, use a live distribution for your transactions or any other important browsing. Various live distributions from the open source world are available:

  • Ubuntu (Linux)
  • BartPE (Windows)

Another possibility is to use a virtual machine. Use a virtual machine for visiting specific websites, and make sure that the virtual machine uses NAT (network address translation) rather than a bridged network.

Using a hardened browser or hardened client is also an important way to prevent man-in-the-browser attacks. A hardened browser does not allow any extension to be added, does not allow user scripts to run on the secure channel (SSL), and offers many other protections.

Your anti-virus and firewall are not enough to protect your computer from the latest threats, and hackers are always trying new and different techniques to break into your computer. Security awareness and user education are important steps that really help prevent most online attacks. Do not trust third party software and extensions, never believe spam email, and use virtual machines and live distributions for your important transactions. Do not forget that a vulnerability on your network (wired or wireless) plays an important role in infecting your computer.

Irfan Shakeel

Irfan Shakeel is the founder & CEO of ehacking.net, an engineer, penetration tester and security researcher. He specializes in network and VoIP penetration testing and digital forensics. He is the author of the book titled "Hacking from Scratch". He loves to provide training and consultancy services, and works as an independent security researcher.