Monday 6 February 2012

Man-in-the-browser ATTACK

http://en.wikipedia.org/wiki/Man-in-the-browser
Man-in-the-browser (MITB, MitB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan that infects a web browser and has the ability to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application.

A MitB attack succeeds irrespective of whether security mechanisms such as SSL/PKI or two- or three-factor authentication are in place: the Trojan runs inside the browser, so it reads and rewrites page content and outgoing requests after TLS has decrypted them and after the user has already authenticated.

A MitB attack may be countered by out-of-band transaction verification, in which the transaction details (destination account and amount) as received by the bank are shown to the user over a second channel and approved there, although SMS verification can be defeated by malware on the mobile phone.

Antivirus software may detect and remove such Trojans, but with limited success: a 2009 test found only a 23% detection rate against Zeus, and rates were still low in 2011.

The 2011 report concluded that measures beyond antivirus were needed.


The majority of financial service professionals in a survey considered MitB to be the greatest threat to online banking.


Description
The man-in-the-browser threat was demonstrated by Augusto Paes de Barros in his 2005 presentation about backdoor trends "O futuro dos backdoors - o pior dos mundos" ("The future of backdoors - worst of all worlds"). It was named man-in-the-browser by Philipp Gühring in the white paper "Concepts against Man-in-the-Browser Attacks", 27 January 2007.

A MitB Trojan hooks into the facilities browsers provide for extending their capabilities: Browser Helper Objects (a feature limited to Internet Explorer), browser extensions, and user scripts (for example in JavaScript). Because the hook runs inside the browser process, it can alter what is displayed and what is submitted independently of each other. Antivirus software can detect some of these methods.

In an Internet banking transaction such as a funds transfer, the customer is always shown, on the confirmation screens, exactly the payment details they keyed into the browser. The bank, however, receives a transaction with materially altered instructions: a different destination account number and possibly a different amount. Strong authentication tools merely increase the misplaced confidence of both customer and bank that the transaction is secure. Authentication, by definition, validates identity credentials; it must not be confused with transaction verification, which binds the user's approval to the destination and amount the bank actually received.