Boy-in-the-browser attacks get aggressive

According to Tomer Bitton, a researcher with Imperva's reverse engineering division in Israel, Boy-in-the-Browser (BITB) attacks are gaining ground thanks to their evasive nature.

Although not as sophisticated as Man-in-the-Browser attacks, BITB attacks have evolved from their origins as traditional keyloggers and browser session recorders.

"The recent spate of BITB trojans that targeted Chilean banks, and their customers, demonstrates that this type of attack is gaining force and continues to evade traditional anti-malware software", he explained.

Bitton says that it starts with a simple, innocent-looking phishing email that encourages the user to click a link to visit a website for more details.

However, he adds in his latest security blog, rather than asking the user to divulge personal details – which most internet users are now wise to – it instead tells the user that they need to download the latest version of Adobe Flash Player to view the page.

"Most users will be duped into believing this and will click the link", he says, adding that, rather than receiving the latest version of Flash, users are actually downloading malware.

Once installed, the trojan writes itself to the registry and then asks the user to 'run' the software, which infects the machine and allows the trojan to survive a system reboot. To avoid detection, the trojan also creates a new hosts file in a read-only format.

Bitton notes that the next time the user tries to connect to a banking application, or another frequently visited URL, the trojan redirects them to a fake site that is controlled by the criminals and mimics the real site.

"Often it is so cleverly done that the user would struggle to tell the difference. However it is here that the credentials are stolen, or the user is duped into completing a bogus transaction", he said.
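The hosts-file redirection described above leaves a trace that can be audited on the endpoint. The sketch below is an added example, not code from Imperva or from the original article: it parses hosts-file text, flags entries that pin a watched domain to a non-local address, and reports whether the file is read-only. The domain `bank.example`, the address `203.0.113.10`, the `WATCHED` list and all function names are assumptions made for illustration.

```python
import ipaddress
import os
import stat

# Constructed sample: hosts content of the kind the article describes.
# bank.example and 203.0.113.10 are placeholders (reserved name and range).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.bank.example bank.example   # added by installer
0.0.0.0         ads.tracker.example
192.168.1.20    printer.lan
"""
WATCHED = ["bank.example"]  # assumed list of domains worth protecting


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comment, tokenize
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a mapping line
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")


def suspicious_entries(text, watched):
    """Mappings that pin a watched domain (or subdomain) to a remote address."""
    hits = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue  # local sinkhole entries, not a redirect to a fake site
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((str(addr), name))
    return hits


def is_read_only(path):
    """True when the owner write bit is clear (read-only attribute on Windows)."""
    return not os.stat(path).st_mode & stat.S_IWRITE


def audit(path, watched):
    """Read a hosts file and report redirect entries plus the read-only flag."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return {"read_only": is_read_only(path),
                "redirects": suspicious_entries(fh.read(), watched)}
```

On Windows the file to pass to `audit` is normally `%SystemRoot%\System32\drivers\etc\hosts`; a read-only hosts file that also contains remote mappings for banking domains matches the behaviour Bitton describes.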

Imperva has posted a YouTube video to show the latest MITB attacks in progress.
