Protecting financial institutions from banking malware's man-in-the-browser attacks

Wednesday 24 September 12:00 - 12:30, Red room.

Xinran Wang (Shape Security)
Yao Zhao (Shape Security)

Banking malware is one of the most serious threats to both end-users and financial institutions. It is reported that over 1,400 financial institutions have been targeted by attackers using financial trojans, and that the 15 most-targeted financial institutions were each targeted by more than 50 percent of the trojans seen in 2013. One major tactic of banking malware is the man-in-the-browser attack (web injection attack): the malware hooks the browser and rewrites the bank's pages before the victim sees them. In fact, almost all modern banking malware uses this tactic.

In this paper, we first explain how banking malware carries out credential theft and automated transactions with man-in-the-browser attacks, and analyse several web injection scripts from prevalent banking malware families. Then we present our survey of existing techniques against this malware, as well as their limitations. Next, inspired by the observation that a banking malware's injection is keyed on a particular context in the target web page, we propose an application-layer system to protect financial institutions from web injection attacks.

The system works as an HTTP reverse proxy in front of the protected web servers and, guided by the malware's web injection configuration, injects a fake context into the target page. The fake context traps the banking malware's web injection scripts in an invisible HTML element. An alert is also triggered when an injection happens, so the system detects attacks as they occur. More importantly, it prevents credential theft, because the injected content is confined to the invisible decoy elements. Finally, we report the results of an experiment based on banking malware samples collected in the wild. The results show that the system can detect and prevent web injection attacks from these samples.
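To make the decoy idea concrete, here is an added example (not code from the paper or from Shape Security) that emulates a Zeus-style web inject and a reverse proxy that plants a hidden decoy carrying the inject's own anchor context. The data_before/data_after/data_inject semantics follow the widely documented Zeus webinject format; the login page, the inject entry, the decoy markup, the per-response nonce and the served-versus-observed comparison used to raise the alert are all constructed here for illustration and are not the paper's design.

```python
"""Toy emulation of a Zeus-style web inject and of a reverse proxy that
plants a decoy context to absorb it.  Added example, not code from the
paper or from Shape Security.  The data_before/data_after/data_inject
semantics follow the widely documented Zeus webinject format; the decoy
markup, the nonce and the comparison-based alert are assumptions."""
import re
import secrets

# Constructed login page standing in for a protected bank site.
LOGIN_PAGE = (
    "<html><body>\n"
    "<form id='login' action='/login' method='post'>\n"
    "<input name='user'>\n"
    "<input name='pass' type='password'>\n"
    "<input type='submit' value='Log in'>\n"
    "</form>\n"
    "</body></html>"
)

# Constructed webinject entry: anchor on the password field and add a fake
# ATM PIN field before the submit button so the victim types it in.
WEBINJECT = {
    "set_url": "https://bank.example/login*",
    "data_before": "<input name='pass' type='password'>",
    "data_after": "<input type='submit' value='Log in'>",
    "data_inject": "<input name='atm_pin' placeholder='ATM PIN'>\n",
}

def apply_webinject(html, inj):
    """Emulate the malware: replace whatever lies between the FIRST
    data_before and the next data_after with data_inject.
    Returns (html, hit)."""
    start = html.find(inj["data_before"])
    if start == -1:
        return html, False
    start += len(inj["data_before"])
    end = html.find(inj["data_after"], start)
    if end == -1:
        return html, False
    return html[:start] + inj["data_inject"] + html[end:], True

def decoy_open(nonce):
    # Hidden container; the id carries a per-response nonce (assumption)
    # so the checker knows exactly which decoy it served.
    return "<div id='decoy-%s' style='display:none'>" % nonce

def add_decoy(html, inj, nonce):
    """Emulate the reverse proxy: put the inject's own context (data_before
    immediately followed by data_after) inside an invisible element placed
    ahead of the real form, so a first-match injection lands there."""
    decoy = decoy_open(nonce) + inj["data_before"] + inj["data_after"] + "</div>"
    return html.replace("<body>", "<body>\n" + decoy, 1)

def decoy_body(html, nonce):
    m = re.search(re.escape(decoy_open(nonce)) + r"(.*?)</div>", html, re.S)
    return m.group(1) if m else None

def detect_injection(served, observed, nonce):
    """Compare the decoy as served with the decoy as it ended up in the
    browser (here, the post-inject markup).  Any change means an inject
    fired; the modified body is returned for the alert."""
    expected = decoy_body(served, nonce)
    actual = decoy_body(observed, nonce)
    if expected is None or actual is None or actual == expected:
        return False, ""
    return True, actual

def real_form(html):
    m = re.search(r"<form id='login'.*?</form>", html, re.S)
    return m.group(0) if m else ""

def run(html, inj, nonce, protect=True):
    """Serve the page (with or without the decoy), run the inject against
    it, and report what the malware actually hit."""
    served = add_decoy(html, inj, nonce) if protect else html
    observed, hit = apply_webinject(served, inj)
    alert, body = detect_injection(served, observed, nonce) if protect else (False, "")
    return {
        "hit": hit,                              # inject found its anchor
        "alert": alert,                          # decoy was modified
        "real_form_intact": real_form(observed) == real_form(html),
        "decoy_body": body,
    }

if __name__ == "__main__":
    for protect in (False, True):
        r = run(LOGIN_PAGE, WEBINJECT, secrets.token_hex(8), protect)
        print("protected=%s hit=%s alert=%s real_form_intact=%s"
              % (protect, r["hit"], r["alert"], r["real_form_intact"]))
        if r["alert"]:
            print("  decoy now contains:", r["decoy_body"].strip().replace("\n", " "))
```

Run unprotected, the inject lands inside the real form and the fake PIN field is submitted along with the credentials; run protected, the same inject fires against the hidden decoy, the real form is untouched, and the changed decoy body is what would be reported in the alert. The example relies on the inject matching its first occurrence of the anchor context; a sample that matches a later occurrence, or that locates the form by script rather than by markup, would need a different decoy layout, which this toy does not attempt to model.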


Xinran Wang

Xinran is a research scientist at Shape Security. He has over 10 years' extensive experience in security research. He has published many papers and spoken at top security conferences, including Black Hat (2013), Virus Bulletin (2012, 2013), USENIX Security, the ACM Conference on Computer and Communications Security (CCS) and the Annual Computer Security Applications Conference (ACSAC). His papers have been cited more than 600 times. He has filed 18 patents in malware and botnet detection and in cloud and mobile security. He earned his Ph.D. in computer science, focused on system and software security, from Penn State University.

Yao Zhao

Yao is a research scientist at Shape Security Inc. He received his Bachelor's and Master's degrees in computer science from Tsinghua University in 2001, and his Ph.D. in electrical engineering and computer science from Northwestern University in 2009. After graduation, he worked for Bell Labs and the IPD of Alcatel-Lucent for three years, and then as a software engineer in Google's Ads infrastructure for a year. His research interests include network measurement, monitoring and security, and ad-hoc wireless and sensor networks.