Traditional MiTB attacks target specific websites, lurking “in the browser” to gather keystrokes entered into forms on financial websites to capture user credentials, sometimes for multiple sites at once. However, attempts to use MiTB to steal data across large numbers of websites result in the compilation of vast logs of information, meaning that hackers have to sort through the data in a post-processing activity that is time-consuming and not always fruitful given website time-outs, password changes and credit card refreshes. Nonetheless, Trusteer senior security strategist George Tubin points out that the attack style is common enough that parsers are easily available for purchase in underground markets, while some criminals simply sell off the logs in bulk for someone else to sort through.
Now, what Trusteer is calling Universal MiTB (UMiTB) uses generic real-time logic to analyze form submissions as they happen, to determine their relevance—so only sensitive information is retained. This greatly reduces the overhead for hackers looking to sell the freshest information they can.
Even worse, the attack can target victims of new infections as well as machines that were previously infected just by updating the existing malware with a new configuration. To explain the process, Trusteer has posted a video explaining the process.
uMitB’s ability to steal sensitive data without targeting a specific website obviously smooths the rails for hackers looking to sell credit-card information, which Tubin calls “significant.”
“For example, it could be used to automate card fraud by integrating with and feeding freshly stolen information to card selling websites,” he said. “The impact of uMitB could be significant since information stolen in real-time is typically much more valuable than stale information, plus it eliminates the complexities associated with current post-processing approaches.”