Execution Flow
1) Explore
[Identify potential targets] The adversary identifies an application or service that the target is likely to use.
Technique
- The adversary stands up a server to host the transparent browser and entices victims to use it by using a domain name similar to the legitimate application. In addition to the transparent browser, the adversary could also install a web proxy, sniffer, keylogger, and other tools to assist in their goals.
2) Experiment
[Lure victims] The adversary crafts a phishing campaign to lure unsuspecting victims into using the transparent browser.
Technique
- An adversary can create a convincing email with a link to download the web client and interact with the transparent browser.
3) Exploit
[Monitor and Manipulate Data] When the victim establishes the connection to the transparent browser, the adversary can view victim activity and make alterations to what the victim sees when browsing the web.
Technique
- Once a victim has established a connection to the transparent browser, the adversary can use installed tools such as a web proxy, keylogger, or additional malicious browser extensions to gather and manipulate data or impersonate the victim.
Prerequisites
The adversary must create a convincing web client to establish the connection. The victim then needs to be lured onto the adversary's webpage. In addition, the victim's machine must not use local authentication APIs, a hardware token, or a Trusted Platform Module (TPM) to authenticate.
Skills Required
(Level : Medium)
Resources Required
A web application with a client is needed to enable the victim's browser to establish a remote desktop connection to the system of the adversary.
Mitigations
Implementation: Use strong, mutual authentication to fully authenticate with both ends of any communications channel
Related Weaknesses
CWE-ID |
Weakness Name |
CWE-294 |
Authentication Bypass by Capture-replay A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
CWE-345 |
Insufficient Verification of Data Authenticity The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
References
REF-747
Browser-in-the-Middle (BitM) attack
Tommasi F., Catalano, C., Taurino I..
https://link.springer.com/article/10.1007/s10207-021-00548-5#citeas
Submission
Name |
Organization |
Date |
Date Release |
Jonas Tzschoppe |
Nuremberg Institute of Technology |
2023-01-24 +00:00 |