By Andrey Kovalev, Information Security Expert, Yandex
The web-enabled generation has become increasingly reliant on technology for everyday activities. Cloud services, social networks, web extensions, plug-ins and online games, are all growing in popularity and as such, are replacing desktop applications. This heightened use of mobile web-browsers has opened the back door to cybercriminals, who now have new channels to implement browser-based attacks, spread malware and maximise infection campaigns.
Traditional “Man in the Browser Attacks” (MITB) have been given a new lease of life as a result of the latest types of malware, distribution models and special features. Cybercriminals are becoming ever more sophisticated, injecting JavaScript code into web pages to steal user credentials or hijack data, such as those used for online banking.
The concern for the security of personal credentials and online profiles is growing, particularly when malicious browser extensions are becoming one of the most complex threats to detect and prevent.
The evolution of Man in the Browser attacks
When Internet Explorer was one of the most popular browsers, the dynamic libraries of Browser Helper Objects (BHOs) was the only way to add extra functionality to extensions. If cybercriminals wanted to set up a MITB attack, they had to either install malicious BHO or use web injection techniques. Fortunately, to prevent this vulnerability, BHOs now have to be digitally signed off by Microsoft.
Modern browsers now incorporate special JavaScript APIs for protection, however, with new methods of defence comes yet another stage in the evolution of browser-based malware with malicious intent. For example social engineering and ‘browlocking’ mechanisms are on the rise, forcing users to install malicious or imposter extensions or install updates for popular extensions that have been hijacked and infected with malware.
Malicious extensions in practice
Eko and Smartbrowse are recent examples of MITB attacks that made the headlines. Eko, discovered on Facebook Russia in early 2015, spread malware via Facebook direct messages and scam video postings. Victims were sent links to phishing websites replicating Facebook and YouTube and which prompted users to install video player extensions containing malicious code.
Once installed, the browser-based malware spreads and replicates the browser environment, a perfect combination for malicious web-injection. In 2016 we have seen the emergence of advertisement injections and Facebook payload spam. Worryingly, the same technique is imminent for online banking attacks.
Smartbrowse is a wrapper-based malware which gains entry into vulnerable machines through user payment downloads and leaves a trail of unwanted or malicious extensions. Appearing on Google Chrome, Yandex Browser, Opera and Firefox among others, Smartbrowse switches the browser to auto-run mode and installs JavaScript-based extensions which spread malicious code even when the browser has been closed.
The difficulty with protecting against MITB attacks
Detecting and preventing MITB attacks, malicious extensions and aggressive ads are complex for the following reasons:
- Location of malicious code, parts of malicious functionality are stored on remote servers and often an infected PC doesn’t contain any malicious code at all. The harmful payload can change dramatically depending on websites and URLs visited. It’s difficult to tell harmful scripts from legal ones.
- From the user’s perspective, a malicious extension can look legal and be useful for users. It can work like a normal extension for some time, and only start to behave harmfully a month or two after installation.
- Malicious extensions live only in the browser and don’t leave any traces in critical system areas, nor do they have any outstanding indicators of compromise. This makes them hard for anti-virus products to detect.
- A malicious extension can be harmful to the user and the web resource, by replacing ads and search responses with malicious content. For traditional anti-virus vendors these ad injections are difficult to detect.
How to detect and prevent against an attack
Whilst MITB and web extension attacks are difficult to detect and therefore defend against, users and web providers (or web-developers) can work together in the fight against cybercrime as it continues to evolve. Detection and protection policies from both the server-side (web services) and client-side (browser and AV vendors) can provide a belt and braces style protection against MITB attacks.
Server-side techniques which incorporate content security policies (CSP) and reporting capabilities can be implemented in all modern browsers and operate in two modes: reporting-only mode and blocking mode. In reporting mode, violations are reported but without blocking the browser. In blocking mode, all violations are blocked by the browser and reported back to the URL.
Of course this technology could also be bypassed by malware which could hijack or delete CSP headers. However this can be mitigated by embedding validation JavaScript that can monitor a page’s integrity and send a report to the server. Obfuscation techniques can be used to protect the script and make it extremely hard to remove without breaking the page functionality. Reports from these techniques collect malicious script sources to enrich a database of safe browsing. Essentially, this shows whether the user is infected and in need of anti-virus software.
On the client-side, users can bolster online security by using browsers with additional security mechanisms and by installing anti-virus software. The most secure browsers come with an in-built black list of malicious extensions which can be blocked once the user launches the browser. These browsers also perform extension integrity checks against trusted extension stores such as Chrome or Opera, which helps to protect users from having their credentials exposed when an extension ID is leaked.
To further support the detection and prevention methods in such a transforming landscape, advanced technology such as artificial intelligence (AI) and machine learning within browsers should become the norm. These technologies can learn which websites are distributing malicious extensions and prevent users from entering in the first instance.
Conclusion
Browser-based malware needs to be a critical area of focus in the evolving threat landscape, particularly with modern browsers. Although browsers have their own protection mechanisms, a combination of anti-virus software, server and client-side prevention methods and AI technology will help to fight against content hijacking and malicious web extensions. Although there is no silver bullet, browser and anti-virus vendors need to focus on monitoring the evolution of browser-based malware and improve the security level of the rapidly changing extension ecosystem. Additional validation mechanisms need to be in place for browsers and integrity checks should be conducted on web resource content. This combined approach will help smooth the path to a safer browser environment and will better protect users against inevitable cyber-attacks now and in the future.