Browser User Interface Security Threats

Pierluigi Paganini January 24, 2017

Google Chrome users beware, hackers are behind you.  Users may be tricked into downloading malware masquerading as a fix for corrupted fonts.

Google Chrome users beware.  Users may be tricked into downloading malware masquerading as a fix for corrupted fonts. Hackers have been breaking into insecure websites and inserting JavaScript that waits for Chrome browsers to be referred to the sites via search engines. The script then inserts unrecognized characters that break the font rendering on the webpage, which makes all text unreadable. This is according to research conducted by the security firm Proofpoint.

Following that, a fake Chrome dialogue will appear, warning users that they need to download a file that appears to be a font installer package. But the “font” in this case is actually click-fraud adware, which loads hidden ads and clicks on them automatically, lining the pockets of those responsible for that malware. This particular scheme isn’t  dangerous, in and of itself, but according to Bleeping Computer,  “the criminal crew behind this scheme have unleashed far worse things in the past, such as encrypting ransomware.”

So far it only impacts users of the Chrome browser on Windows in Australia, Canada, the UK and the US.

Online shoppers need to also take heed and avoid using browsers’ autofill option. Though it may be a hassle to pull out a credit card every time you want to make a purchase, a new discovery made by a Finnish developer demonstrates why the extra time you save per purchase may not be worth it. Hackers have found a way to access your stored credit card info.

According to Thrillist, “anyone can fall for the scam by submitting a couple basic pieces of information. Web users think they’re just entering their name and email address, but ‘hidden’ text boxes are automatically filled in with more sensitive data like address, phone number, and credit card number.”

Disabling autofill is the best solution because saved credit card information can turn into a shopping spree for hackers, at your expense.

Then, there’s a class of attacks known as Man-in-the-Browser (MITB) attacks. They can be carried out using a variety of means, including malicious DLLs, rogue extensions, or more complicated malicious code injected into pages in the browser by spoofing proxy servers. The purpose of an MITB attack varies and can run the gamut from ad spoofing on social networks or popular websites to stealing money from user accounts.

A malicious app is camouflaged as a Kaspersky Lab product in an MITB attack

When banking is the target, web injection is typically used in MITB-class attacks. These attacks involve the use of malicious code that is injected into an online banking service webpage in order to intercept the one-time SMS message, harvest user information, spoof banking details, etc. For instance, there is a barcode spoofing attack used in instances in which users print out Boletos, which are popular banking documents issued by banks and all kind of businesses in Brazil. For the average cybercriminal, however, it’s much more appealing to use readily available tools than developing and implement web injection tools.

Android users need to understand that there are web injection attacks specifically tailored for Android.

SecureList reports:

“Despite the term ‘inject’ being used in connection with mobile banking Trojans (and sometimes used by cybercriminals to refer to their data-stealing technologies), Android malware is a whole different world. In order to achieve the same goals pursued by web injection tools on computers, the creators of mobile Trojans use two completely different technologies: overlaying other apps with a phishing window, and redirecting the user from a banking web page to a specially crafted phishing page.”

Overlaying apps with phishing windows

This is the most popular technology with cybercriminals and is used in practically all banking Trojans. 2013 was when we first encountered a piece of malware overlaying other apps with its phishing window – that was Trojan-Banker.AndroidOS.Svpeng.

Today’s mobile banking Trojans most often overlay the Google Play Store app with their phishing window – this is done in order to steal the user’s bank card details.”

Attacks can also be performed using root privileges. In the case of superuser privileges, Trojans are able to perform any attack, including malicious injections into browsers. Using superuser privileges, some modules of Backdoor.AndroidOS.Triada could substitute websites in certain browsers. Also using superuser privileges, passwords saved in browsers can be stolen–and this would include passwords to financial websites.

To add to browser security woes, the ‘line of death’ between safe content and untrustworthy content is receding, according to Google Chrome engineer Eric Lawrence. Lawrence has described the clash of browser barons against the ‘line of death’ as an ever-diminishing separation between trusted content and the dangerous territory where phishers operate.

“This line, Lawrence (@ericlaw) says, is a conceptual barrier between content that browser developers control, such as areas around the address bar, and untrusted content like browser windows where attackers can serve malicious material.”

“If a user trusts pixels above the line of death, the thinking goes, they’ll be safe, but if they can be convinced to trust the pixels below the line, they’re gonna die,” Lawrence says.

It is now at the point at which untrusted content now appears above the line in tabs where attackers can enter their chosen web page title and icon. Chevrons that open small windows can display extended information on usage of HTTPS, requests for location information, and so on extend below the line and send trusted data into untrusted territory.”


Intrusions across the ‘line of death:’

  • Fake Chevron popups.
  • ‘Block’ and ‘allow’ buttons turned into malicious clickable links.
  • Abuse of favicons – in 2005, a remote code execution flaw affecting Firefox was discovered, which abused favicons. Certain versions of Mozilla Firefox were not properly implementing the favicon feature. As a result, a malicious web page could use a “<LINK rel=”icon”>” tag to execute Javascript in a privileged context and run arbitrary code.
  • Immaculate reproductions of browsers.
  • A significant increase in hits on phishing links on mobile devices because the line has all but disappeared now on mobile devices.
  • On mobile devices, “Expanding the URLs is more difficult and it is harder to get the information users need to make decisions, so security awareness can suffer,” says Sophos senior technology consultant Sean Richmond.
  • Similarly, email apps are breaching the line of death. Outlook’s newer versions place a trusted message of “this message is from a trusted sender” within the untrusted email contents window, which enables phishers to replicate the notice.

In 2012, when Lawrence was a program lead for Microsoft’s Internet Explorer, he opposed Microsoft’s move of Windows 8 IE to its full screen minimalistic immersive mode. Lawrence argued that it made the line of death indistinguishable from content, “… because it (Internet Explorer) was designed with a philosophy of ‘content over chrome’, there were no reliable trustworthy pixels,” Lawrence said. “I begged for a persistent trust badge to adorn the bottom-right of the screen – showing a security origin and a lock – but was overruled.”

The receding of the ‘line of death’ continues to present challenges to developers, but poses a serious threat to browser users. This crucial line is not clearly defined. Nor is it absolute.

Written by: CandiceLanier

candicelanierAuthor Bio:

Candice Lanier is Chief Operations Officer at Ghost Cyber Intelligence, a private intel agency specializing in counterterrorism, Darknet operations, black ops and cybersecurity. Candice also writes for RedState, The Christian Post and Medium.


[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Google Chrome, hacking)

you might also like

leave a comment