Monday, September 2, 2013

Wo(Man) in The Browser - MiTB

While conducting a penetration test of a web application for a financial services client recently, I came across a vulnerability that I wanted to briefly discuss. The vulnerability discovered was related to the now infamous "Banking Trojans" and the ability of their software to modify HTML pages on the fly. This is a relatively sophisticated tactic used by various banking Trojans such as Zeus and SpyEye to manipulate a user's web browser's interactions with their banking web application. It is used specifically as a phishing tactic to get users to enter extra sensitive data (for example, while they are logging into their on-line banking application).

There can be various client-side attack vectors used to initially infect the user's system or mobile device with the banking Trojan, ranging from a lure in spear-phishing or a watering hole to drive-by style delivery mechanisms. After the user's system is infected, the Trojan monitors the HTTP stream via Wininet.dll (or some other library) and modifies the content on the fly. The content-modification capabilities of Trojans like Zeus (in the tested instance) stem from the use of a file called "Webinjects.txt". When the victim fills in the additional information, it is subsequently sent to the Trojan's command and control host.
Mitigating this vulnerability can be a challenge. Several remediation strategies have been put forward, ranging from client hardening techniques, secure card readers (e.g. Smartwipe) and out-of-band verification to detection via web tripwire hooks used by various WAFs, which can detect and identify these "in-flight" page manipulations in real time.
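As an added illustration of the "web tripwire" idea mentioned above (this is example code written for this post, not a WAF product's implementation and not code from the original post), the following Node.js snippet compares the set of input fields the server actually served with the set the browser ended up rendering, and flags any field that was injected or removed in flight. The HTML fragments and the field names (`atm_pin`, `card_number`) are constructed sample data, and a real deployment would read the live DOM rather than parse text with a regular expression.

```javascript
// Added example, not from the original post: a minimal "web tripwire" that
// detects in-flight form manipulation of the kind banking Trojans perform.
// The server records which <input> fields it served; the check compares that
// baseline with the form the browser rendered and reports injected/removed
// fields. All HTML below is constructed sample data; field names are hypothetical.

// Extract the `name` attribute of every <input> element in an HTML fragment.
// A regex suffices for this demonstration; in a browser you would instead
// walk the live DOM (document.querySelectorAll('input')).
function extractInputNames(html) {
  const names = [];
  const inputRe = /<input\b[^>]*>/gi;
  const nameRe = /\bname\s*=\s*["']([^"']+)["']/i;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const n = nameRe.exec(m[0]);
    if (n) names.push(n[1].toLowerCase());
  }
  return names;
}

// Compare the served baseline against what the browser rendered.
// Returns { tampered, injected, removed } with the field lists sorted.
function checkFormIntegrity(servedHtml, renderedHtml) {
  const expected = new Set(extractInputNames(servedHtml));
  const observed = new Set(extractInputNames(renderedHtml));
  const injected = [...observed].filter((n) => !expected.has(n)).sort();
  const removed = [...expected].filter((n) => !observed.has(n)).sort();
  return { tampered: injected.length > 0 || removed.length > 0, injected, removed };
}

// Produce a one-line alert suitable for logging at the WAF or application.
function tripwireReport(result) {
  if (!result.tampered) return 'form integrity OK';
  return 'form tampering detected: injected=[' + result.injected.join(',') +
    '] removed=[' + result.removed.join(',') + ']';
}

// Constructed sample: the login form as the server sent it.
const SERVED_LOGIN_FORM = `
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="sample-token">
  <input type="submit" value="Sign in">
</form>`;

// Constructed sample: the same form after a webinject-style modification added
// fields asking for data the bank never requests at login.
const TAMPERED_LOGIN_FORM = `
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="atm_pin">
  <input type="text" name="card_number">
  <input type="hidden" name="csrf_token" value="sample-token">
  <input type="submit" value="Sign in">
</form>`;

// Stand-alone usage: an untouched page passes, the injected page is flagged.
console.log(tripwireReport(checkFormIntegrity(SERVED_LOGIN_FORM, SERVED_LOGIN_FORM)));
console.log(tripwireReport(checkFormIntegrity(SERVED_LOGIN_FORM, TAMPERED_LOGIN_FORM)));
```

The baseline has to come from somewhere the Trojan cannot rewrite, which is why tripwire hooks are typically delivered and compared by the WAF or the application's own back end rather than trusted to client-side script alone; a client-side check is still useful as an early signal, but the authoritative comparison belongs on the server.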

- MH "Madame Hack"