
Would you expect an end user to log on to a cybercriminal's computer, open a browser and enter their username and password? Hopefully not! But that is essentially what happens when they fall victim to a browser-in-the-middle (BITM) attack.
Like the man-in-the-middle (MITM) attack, BITM, described in a paper in the International Journal of Information Security by University of Salento researchers Franco Tommasi, Christian Catalano and Ivan Taurino, involves attackers trying to control the flow of data between the victim's computer and the target service. However, there are some important differences.
Man-in-the-Middle vs Browser-in-the-Middle
MITM attacks use a proxy server that places itself between the victim's browser and the legitimate target service at the application layer. Some kind of malware must be placed and run on the victim's computer.
BITM attacks are different. The victim believes they are using their own browser when they are actually operating a transparent remote browser, while carrying out, for example, their regular online banking.
As the paper puts it, it is as if the user were "sitting in front of the attacker's computer using the attacker's keyboard." This means an attacker can capture, record and modify the data exchanged between the victim and the service they are accessing.
Anatomy of BITM Attacks
So, how does it work? A typical BITM attack occurs in three phases.
1. Phishing: the victim is tricked into clicking a malicious hyperlink pointing to the attacker's server and authenticating to the web application.
2. Fake browser: the victim is connected to the attacker's server and a transparent web browser via injected malicious JavaScript. The attack uses programs such as keyloggers to let criminals intercept and use the victim's data.
3. Web application targeting: the victim uses all their usual online services without realising they are doing so through a transparent browser. Their credentials are now exposed to the criminals.
Session token
The attack works by targeting session tokens, which allows attackers to bypass even multifactor authentication (MFA). Once the user completes MFA, the session token is normally saved in the browser. As researchers at Google subsidiary Mandiant have pointed out, MFA no longer matters if the token itself can be stolen.
"Stealing these session tokens is equivalent to stealing an authenticated session. This means that the adversary no longer needs to perform an MFA challenge." This makes the token a valuable target both for red team operators testing an organisation's defences and, more worryingly, for real adversaries.
By adopting a BITM framework to target authenticated session tokens, attackers benefit from rapid targeting. Once an application is targeted, the legitimate site is served through an attacker-controlled browser, making it extremely difficult for the victim to tell the difference between the real site and its fake counterpart.
Cookies or OAuth tokens are captured before encryption and, with quick extraction, the stolen token can be relayed to the attacker's server within seconds.
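As an added, illustrative example (not code from the paper, Mandiant or Specops), the following Python sketches one server-side mitigation for the post-MFA token theft described above: each session token is bound to the client IP address and User-Agent that completed MFA (assumed to be taken from the request), and a token presented from any other client is revoked and logged rather than served.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    binding: str      # keyed hash of the client context that completed MFA
    issued_at: float
    anomalies: list = field(default_factory=list)

class BoundSessionStore:
    """Post-MFA session tokens bound to the presenting client's IP address and
    User-Agent (assumed to be taken from the request); a token replayed from
    any other client is revoked on first use."""
    def __init__(self, key: bytes, max_age: float = 3600.0):
        self.key, self.max_age = key, max_age
        self.sessions: dict[str, Session] = {}
    def _bind(self, client_ip: str, user_agent: str) -> str:
        # HMAC so a thief holding only the token cannot forge a matching binding
        return hmac.new(self.key, f"{client_ip}|{user_agent}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, client_ip: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self._bind(client_ip, user_agent), now)
        return token

    def validate(self, token: str, client_ip: str, user_agent: str, now: float) -> str:
        s = self.sessions.get(token)
        if s is None:
            return "rejected: unknown or revoked token"
        if now - s.issued_at > self.max_age:
            del self.sessions[token]
            return "rejected: expired"
        if not hmac.compare_digest(s.binding, self._bind(client_ip, user_agent)):
            # Same token, different client: the signature of a stolen post-MFA
            # token being replayed. Record the event and kill the session.
            s.anomalies.append((now, s.user, client_ip, user_agent))
            del self.sessions[token]
            return "rejected: client binding mismatch, token revoked"
        return "ok"

def demo() -> list[str]:
    # Constructed scenario: the user completes MFA, then the same token is
    # presented seconds later from a different host and browser.
    store = BoundSessionStore(key=b"constructed-demo-key", max_age=900)
    t0 = 1_700_000_000.0
    tok = store.issue("alice", "198.51.100.7", "Mozilla/5.0 (X11; Linux)", t0)
    return [store.validate(tok, "198.51.100.7", "Mozilla/5.0 (X11; Linux)", t0 + 5),
            store.validate(tok, "203.0.113.99", "python-requests/2.31", t0 + 12),
            store.validate(tok, "198.51.100.7", "Mozilla/5.0 (X11; Linux)", t0 + 20)]
```

Binding catches a token replayed from a second client, as in the exfiltration described above; because a BITM session originates in the attacker's remote browser, the check complements rather than replaces careful link handling and MFA.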
Mitigation Strategy
These sophisticated attacks can cause significant damage, but there are ways to avoid or mitigate them. At the broadest level, users must always be careful about the links they follow; it is worth previewing where a link leads before actually clicking it. There are a few other options.
Passwords for a new era
The conclusion is depressingly clear: BITM attacks can circumvent traditional security approaches, even allowing criminals to intercept usernames and passwords. So does this make the password irrelevant?
The answer is a resounding "no". Enforcing multifactor authentication (MFA) together with robust passwords makes life difficult for cybercriminals, especially if session tokens cannot be captured immediately.
Even as attackers become more refined, you need to get the basics right. Passwords remain an important component of MFA; in fact, for most organizations they probably remain the first line of defense. However your passwords are attacked, protecting them will frustrate cybercriminals.
Specops Password Policy ensures Active Directory passwords are always up to scratch. A stronger password policy also lets you continuously scan Active Directory against more than 4 billion compromised passwords. Combined with an effective MFA such as Specops Secure Access, it protects end users at both the password and the logon step. Need help with MFA or password security? Reach out for a chat.