
Browser User Interface Security Threats

Pierluigi Paganini January 24, 2017

Google Chrome users beware: hackers are behind you. Users may be tricked into downloading malware masquerading as a fix for corrupted fonts.

Hackers have been breaking into insecure websites and inserting JavaScript that waits for Chrome browsers to be referred to the sites via search engines. The script then inserts unrecognized characters that break the font rendering on the webpage, which makes all text unreadable. This is according to research conducted by the security firm Proofpoint.

Following that, a fake Chrome dialogue will appear, warning users that they need to download a file that appears to be a font installer package. But the “font” in this case is actually click-fraud adware, which loads hidden ads and clicks on them automatically, lining the pockets of those responsible for that malware. This particular scheme isn’t dangerous, in and of itself, but according to Bleeping Computer, “the criminal crew behind this scheme have unleashed far worse things in the past, such as encrypting ransomware.”

So far it only impacts users of the Chrome browser on Windows in Australia, Canada, the UK and the US.

Online shoppers need to also take heed and avoid using browsers’ autofill option. Though it may be a hassle to pull out a credit card every time you want to make a purchase, a new discovery made by a Finnish developer demonstrates why the extra time you save per purchase may not be worth it. Hackers have found a way to access your stored credit card info.

According to Thrillist, “anyone can fall for the scam by submitting a couple basic pieces of information. Web users think they’re just entering their name and email address, but ‘hidden’ text boxes are automatically filled in with more sensitive data like address, phone number, and credit card number.”

Disabling autofill is the best solution because saved credit card information can turn into a shopping spree for hackers, at your expense.
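An added example (not from the original article or the developer it mentions): a JavaScript check that flags form fields a visitor cannot see but whose names or autocomplete tokens suggest autofill could populate them with sensitive data. The token list, the visibility heuristics and the sample form are assumptions constructed for illustration.

```javascript
// Autofill tokens and field names treated as sensitive (assumed list).
const SENSITIVE = /(cc-|card|tel|phone|address|street|postal|zip)/i;

// Returns why a field is invisible to the user, or null if it looks visible.
// f.style mirrors getComputedStyle(el); f.rect mirrors el.getBoundingClientRect().
function hiddenReason(f, viewport) {
  const s = f.style || {};
  const r = f.rect || { left: 0, top: 0, width: 100, height: 20 };
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden') return 'visibility:hidden';
  if (parseFloat(s.opacity) === 0) return 'opacity:0';
  if (r.width <= 1 || r.height <= 1) return 'collapsed to <=1px';
  // Left of, above, or right of the viewport. Fields below the fold are
  // normal on scrolling pages, so they are not flagged.
  if (r.left + r.width <= 0 || r.top + r.height <= 0 || r.left >= viewport.width) {
    return 'positioned off-screen';
  }
  return null;
}

// Lists sensitive-looking fields that the user cannot see.
function auditForm(fields, viewport = { width: 1280, height: 800 }) {
  const findings = [];
  for (const f of fields) {
    const label = `${f.autocomplete || ''} ${f.name || ''}`;
    if (!SENSITIVE.test(label)) continue;
    const reason = hiddenReason(f, viewport);
    if (reason) findings.push({ name: f.name, reason });
  }
  return findings;
}

// In a browser, descriptors can be built from a real form:
//   [...form.elements].map(e => ({ name: e.name, autocomplete: e.autocomplete,
//     style: getComputedStyle(e), rect: e.getBoundingClientRect() }))

// Constructed sample: a sign-up form that visibly asks for name and email only.
const visible = { left: 20, top: 40, width: 200, height: 24 };
const sampleForm = [
  { name: 'name', autocomplete: 'name', rect: visible },
  { name: 'email', autocomplete: 'email', rect: visible },
  { name: 'phone', autocomplete: 'tel', rect: { ...visible, left: -500 } },
  { name: 'address', autocomplete: 'street-address', style: { opacity: '0' }, rect: visible },
  { name: 'ccnumber', autocomplete: 'cc-number', style: { display: 'none' } },
];

console.log(auditForm(sampleForm));
```
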

Then, there’s a class of attacks known as Man-in-the-Browser (MITB) attacks. They can be carried out using a variety of means, including malicious DLLs, rogue extensions, or more complicated malicious code injected into pages in the browser by spoofing proxy servers. The purpose of an MITB attack varies and can run the gamut from ad spoofing on social networks or popular websites to stealing money from user accounts.

A malicious app is camouflaged as a Kaspersky Lab product in an MITB attack

When banking is the target, web injection is typically used in MITB-class attacks. These attacks involve the use of malicious code that is injected into an online banking service webpage in order to intercept the one-time SMS message, harvest user information, spoof banking details, etc. For instance, there is a barcode spoofing attack used in instances in which users print out Boletos, which are popular banking documents issued by banks and all kinds of businesses in Brazil. For the average cybercriminal, however, it’s much more appealing to use readily available tools than to develop and implement web injection tools.

Android users need to understand that there are web injection attacks specifically tailored for Android.

SecureList reports:

“Despite the term ‘inject’ being used in connection with mobile banking Trojans (and sometimes used by cybercriminals to refer to their data-stealing technologies), Android malware is a whole different world. In order to achieve the same goals pursued by web injection tools on computers, the creators of mobile Trojans use two completely different technologies: overlaying other apps with a phishing window, and redirecting the user from a banking web page to a specially crafted phishing page.

“Overlaying apps with phishing windows

“This is the most popular technology with cybercriminals and is used in practically all banking Trojans. 2013 was when we first encountered a piece of malware overlaying other apps with its phishing window – that was Trojan-Banker.AndroidOS.Svpeng.

“Today’s mobile banking Trojans most often overlay the Google Play Store app with their phishing window – this is done in order to steal the user’s bank card details.”

Attacks can also be performed using root privileges. In the case of superuser privileges, Trojans are able to perform any attack, including malicious injections into browsers. Using superuser privileges, some modules of Backdoor.AndroidOS.Triada could substitute websites in certain browsers. Also using superuser privileges, passwords saved in browsers can be stolen–and this would include passwords to financial websites.

To add to browser security woes, the ‘line of death’ between safe content and untrustworthy content is receding, according to Google Chrome engineer Eric Lawrence. Lawrence has described the clash of browser barons against the ‘line of death’ as an ever-diminishing separation between trusted content and the dangerous territory where phishers operate.

“This line, Lawrence (@ericlaw) says, is a conceptual barrier between content that browser developers control, such as areas around the address bar, and untrusted content like browser windows where attackers can serve malicious material.”

“If a user trusts pixels above the line of death, the thinking goes, they’ll be safe, but if they can be convinced to trust the pixels below the line, they’re gonna die,” Lawrence says.

“It is now at the point at which untrusted content appears above the line in tabs where attackers can enter their chosen web page title and icon. Chevrons that open small windows to display extended information on usage of HTTPS, requests for location information, and so on extend below the line and send trusted data into untrusted territory.”

Intrusions across the ‘line of death’:

  • Fake Chevron popups.
  • ‘Block’ and ‘allow’ buttons turned into malicious clickable links.
  • Abuse of favicons – in 2005, a remote code execution flaw affecting Firefox was discovered, which abused favicons. Certain versions of Mozilla Firefox were not properly implementing the favicon feature. As a result, a malicious web page could use a <LINK rel="icon"> tag to execute JavaScript in a privileged context and run arbitrary code.
  • Immaculate reproductions of browsers.
  • A significant increase in hits on phishing links on mobile devices because the line has all but disappeared now on mobile devices.
  • On mobile devices, “Expanding the URLs is more difficult and it is harder to get the information users need to make decisions, so security awareness can suffer,” says Sophos senior technology consultant Sean Richmond.
  • Similarly, email apps are breaching the line of death. Outlook’s newer versions place a trusted message of “this message is from a trusted sender” within the untrusted email contents window, which enables phishers to replicate the notice.

In 2012, when Lawrence was a program lead for Microsoft’s Internet Explorer, he opposed Microsoft’s move of Windows 8 IE to its full screen minimalistic immersive mode. Lawrence argued that it made the line of death indistinguishable from content, “… because it (Internet Explorer) was designed with a philosophy of ‘content over chrome’, there were no reliable trustworthy pixels,” Lawrence said. “I begged for a persistent trust badge to adorn the bottom-right of the screen – showing a security origin and a lock – but was overruled.”

The receding of the ‘line of death’ continues to present challenges to developers, but poses a serious threat to browser users. This crucial line is not clearly defined. Nor is it absolute.

Written by: Candice Lanier

Author Bio:

Candice Lanier is Chief Operations Officer at Ghost Cyber Intelligence, a private intel agency specializing in counterterrorism, Darknet operations, black ops and cybersecurity. Candice also writes for RedState, The Christian Post and Medium.


Pierluigi Paganini

(Security Affairs – Google Chrome, hacking)
