New Universal Man-in-the-Browser (uMitB) Attack is Unnervingly Advanced

I am still reeling from the bipartisan idiocy of last night’s Presidential debate, so I thought I’d focus on something slightly less depressing: A major evolution of the Man-in-the-Browser attack. Trusteer, which discovered the enhanced attack, elegantly understated the problem, saying, “This development, which we are calling Universal Man-in-the-Browser (uMitB), is significant.”

There are three things that unfortunately make the uMitB much more effective than its predecessor attacks:

1. It is able to gather data from any website someone visits and not just a specific list of sites. Plain old MitBs use malware on someone’s computer to monitor a list of targeted websites and then gather information only when users visit them. The new beast collects data from all visited sites.
2. Not only does the new UMitB attack collect information from more places, it also parses that data to automatically find credit-card and social-security numbers and other sensitive data. Bad guys used to have to wade through massive data dumps to pull out the pertinent facts, which slowed the process down and gave victims more time to discover the theft.
3. The uMitB also sends the sensitive data to thieves as soon as it collects it, thereby making the process even more efficient. In the past, hackers received these massive unstructured logs only periodically, further increasing the amount of time it took for the data to be put to use.

The folks at Trusteer, who have reportedly been tracking the new attack for several months, say it is the first time they’ve seen the real-time parsing of stolen data.

uMitB’s ability to steal sensitive data without targeting a specific website and perform real-time post-processing removes much of the friction associated with traditional MitB attacks. For example, it could be used to automate card fraud by integrating with and feeding freshly-stolen information to card-selling websites. The impact of uMitBs could be significant since information stolen in real-time is typically much more valuable than “stale” information, and the attacks eliminate the complexities associated with current post-processing approaches.

So far Trusteer has only encountered uMitBs that target easily-defined strings, such as those for credit-card and Social-Security numbers. Trusteer Senior Security Strategist George Tubin told ThreatPost that he thinks the malware will evolve and eventually be able to find almost any type of data–including usernames and passwords. Ruh roh.