MitB protection: No unauthorized entry

We have received a new patent for a method of countering code injection into a page opened by the client’s browser (a man-in-the-browser attack).

Kaspersky Lab has received a new patent, this time for a method of countering financial cybercrime. The technology enables detection of HTML code injection into a page opened by the client’s browser (a man-in-the-browser attack). The technology’s principle is based on using special Web pages that provoke malware to manifest itself.

Here’s how it works: The creators of financial malware often tune their code to specific banks such that when a client tries to open the bank’s site, the malware detects it and changes the page displayed in the browser as it loads. It modifies the appearance of various Web page elements (such as the input fields) and steals the entered login credentials or changes account numbers so that the user transfers money to other accounts.

Any attempt to inject HTML code into a Web page indicates that a user’s device is almost certainly infected. If it detects such an attempt, a bank can block the transaction in time and prevent the client’s money from being stolen. Given that the man-in-the-browser technology is implemented in almost every family of banking Trojans, its presence may serve as a true infection indicator for the online banking security solution.

Of course, it’s not quite that simple. What if a device is infected, but the malware is tuned to another bank? In that case, if you go to one bank’s site, the malware will not try to make changes to the page and manifest itself.

So: What then? Isn’t that the other bank’s problem? We don’t like that way of thinking. Most financial Trojans use several tools to steal banking credentials. The malware may not change the displayed page, but it can still log all of the victim’s keyboard input or take other malicious actions.

That is why we decided to create a kind of honeypot — a banking page that features traits of the websites of many different financial institutions (fragments of HTML code specific to the pages of banks and payment systems). If an infected device reaches the site, the malware mistakes it for a real bank’s website and tries to exploit the man-in-the-browser method. It makes its changes and is immediately detected by our system.

The Kaspersky Clientless Engine uses this technology to protect customers’ accounts from attacks by infected devices. You can find more information about Kaspersky Clientless Engine and the Kaspersky Fraud Prevention platform here.
