Would you expect an end user to log on to a cybercriminal’s computer, open their browser, and type in their usernames and passwords? Hopefully not! But that’s essentially what happens if they fall victim to a Browser-in-the-Middle (BitM) attack.
Like Man-in-the-Middle (MitM) attacks, BiTM sees criminals look to control the data flow between the victim’s computer and the target service, as University of Salento researchers Franco Tommasi, Christian Catalano, and Ivan Taurino have outlined in a paper for the International Journal of Information Security. However, there are several key differences.
Man-in-the-Middle vs Browser-in-the-Middle
A MiTM attack utilizes a proxy server that places itself between the victim’s browser and the legitimate target service at the application layer. It needs some kind of malware to be placed and run on the victim’s computer.
But a BiTM attack is different. Instead, the victim thinks they’re using their own browser – conducting their normal online banking, for instance – when instead they’re actually running a transparent remote browser.
As the paper notes, it’s as though the user were “sitting in front of the attacker’s computer, using the attacker’s keyboard”, meaning the attacker can capture, record, and alter the data exchange between the victim and the service they’re accessing.
Anatomy of a BiTM attack
So how does it work? A typical BitM attack occurs in three phases:
- Phishing: The victim is tricked into clicking on a malicious hyperlink that points to the attacker’s server and authenticates their web application.
- Fake browser: The victim is connected to the attacker’s server and to the transparent web browser via the insertion of malicious javascript. The attack will utilize programs such as keyloggers to empower the criminals to intercept and utilize the victim’s data.
- Targeting web applications: The victim uses all their usual services online, without realizing that they are utilizing a transparent browser. Their credentials are now exposed to the criminal.
Session tokens
The attack works by targeting session tokens. This enables the attackers to subvert even multi-factor authentication (MFA); once the user has finished their MFA, a session token is usually stored in their browser. As researchers from Google subsidiary Mandiant have noted, if the token itself can be stolen, then MFA no longer matters:
“Stealing this session token is the equivalent of stealing the authenticated session, meaning an adversary would no longer need to perform the MFA challenge.” This makes the tokens a useful target for both red team operators – who test a system’s defenses – and more worryingly, genuine adversaries.
By employing a BitM framework in targeting authenticated session tokens, attackers enjoy the benefits of a rapid targeting capability, as they can reach any website in just seconds with little need for configuration, notes Mandiant. When an application is targeted, the legitimate site is served through the attacker-controlled browser, making it extremely difficult for the victim to tell the difference between a real site and its fake counterpart.
Cookies or OAuth tokens are snatched just before encryption, while rapid exfiltration means the stolen tokens can be relayed to attacker servers in seconds.
Mitigation strategies
These sophisticated attacks can cause significant damage, but there are ways to avoid or mitigate the consequences. At the widest level, users must always take extreme care over the links they access, perhaps previewing the site before actually clicking on any links. Here are some other options:
Passwords in a New Era
The conclusion is depressingly clear: BiTM attacks can circumvent traditional security approaches, even enabling criminals to intercept usernames and passwords. So does this make passwords irrelevant?
The answer is a resounding ‘no’. By instituting multi-factor authentication (MFA) – including robust passwords – you still make life harder for cybercriminals, particularly if they fail to capture the session token right away.
Even as attackers become more sophisticated, you need to keep an eye on the basics. Passwords remain a vital component of MFA – in fact, for most organizations, they likely remain the first line of defense. Frustrate cybercriminals by protecting your passwords, no matter how they attack.
Specops Password Policy ensures your Active Directory passwords are up to scratch at all times. You can enforce stronger password policies while also continuously scanning your Active Directory for over 4 billion compromised passwords. Combined with effective MFA such as Specops Secure Access, you’ll protect your end users at both the password and logon steps. Need assistance with MFA or password security? Reach out for a chat.
