{"id":15155,"date":"2016-09-02T14:18:21","date_gmt":"2016-09-02T14:18:21","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5965"},"modified":"2020-04-10T15:06:10","modified_gmt":"2020-04-10T19:06:10","slug":"mitb-patent","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/mitb-patent\/15155\/","title":{"rendered":"MitB protection: No unauthorized entry"},"content":{"rendered":"<p>Kaspersky Lab has received a new patent, this time for a method of countering financial cybercrime. The technology enables detection of HTML code injection into a page opened by the client\u2019s browser (a man-in-the-browser attack). The technology\u2019s principle is based on using special Web pages that provoke malware to manifest itself.<\/p>\n<p>Here\u2019s how it works: The creators of financial malware often tune their code to specific banks such that when a client tries to open the bank\u2019s site, the malware detects it and changes the page displayed in the browser as it loads. It modifies the appearance of various Web page elements (such as the input fields) and steals the entered login credentials or changes account numbers so that the user transfers money to other accounts.<\/p>\n<p>Any attempt to inject HTML code into a Web page indicates that a user\u2019s device is almost certainly infected. If it detects such an attempt, a bank can block the transaction in time and prevent the client\u2019s money from being stolen. Given that the man-in-the-browser technology is implemented in almost every family of banking Trojans, its presence may serve as a true infection indicator for the online banking security solution.<\/p>\n<p>Of course, it\u2019s not quite that simple. What if a device is infected, but the malware is tuned to another bank? In that case, if you go to one bank\u2019s site, the malware will not try to make changes to the page and manifest itself.<\/p>\n<p>So: What then? Isn\u2019t that the other bank\u2019s problem? 
We don\u2019t like that way of thinking. Most financial Trojans use several tools to steal banking credentials. The malware may not change the displayed page, but it can still log all of the victim\u2019s keyboard input or take other malicious actions.<\/p>\n<p>That is why we decided to create a kind of honeypot \u2014 a banking page that features traits of the websites of many different financial institutions (fragments of HTML code specific to the pages of banks and payment systems). If an infected device reaches the site, the malware mistakes it for a real bank\u2019s website and tries to use the man-in-the-browser method. It makes those changes and is immediately detected by our system.<\/p>\n<p>The Kaspersky Clientless Engine uses this technology to protect customers\u2019 accounts from attacks by infected devices. 
You can find more information about Kaspersky Clientless Engine and the Kaspersky Fraud Prevention platform <a href=\"https:\/\/www.kaspersky.com\/advert\/enterprise-security\/fraud-prevention?redef=1&amp;THRU&amp;reseller=gl_kbusinesspost_pro_ona_smm__onl_b2b_kbusiness_lnk_______\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a><u><\/u>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have received a new patent for a method of countering code injection into a page opened by the client\u2019s browser (a man-in-the-browser attack).<\/p>\n","protected":false},"author":2291,"featured_media":15348,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[573,1091,552,2117,2444,321],"class_list":{"0":"post-15155","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybersec","10":"tag-it","11":"tag-kaspersky-fraud-prevention","12":"tag-online-banking-security","13":"tag-patent","14":"tag-technology"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/mitb-patent\/15155\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/mitb-patent\/15057\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/mitb-patent\/15155\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/mitb-patent\/15155\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cybersec\/","name":"Cybersec"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2291"}],
"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15155"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15155\/revisions"}],"predecessor-version":[{"id":34819,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15155\/revisions\/34819"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15348"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}