{"title":"Browser-in-the-Middle - Evaluation of a modern approach to phishing","authors":"Jonas Tzschoppe, Hans Löhr","doi":"10.1145/3578357.3589458","DOIUrl":null,"url":null,"abstract":"This paper examines the phishing technique Browser-in-the-Middle and its practical implications in the context of logins protected by multi-factor authentication. We implement and analyze Browser-in-the-Middle (BitM) attacks, evaluate them and discuss suitable measures for mitigation. To facilitate a thorough analysis, we implement two variants of BitM by using two different technology stacks and compare them to a conventional phishing system based on a proxy. To evaluate BitM attacks, we test our implementations on a number of popular websites. Our results show that in practice BitM attacks are currently highly capable of stealing login information protected by more than one factor, since the difficulty to detect such an attack appears to be greater when using BitM than comparable techniques. Therefore, we propose a new entry for BitM in the Common Attack Patterns Enumeration and Classification (CAPEC). The high effectiveness of the attack technique is limited by mitigation methods such as the use of resistant factors for two-sided authentication. 
We conclude that BitM attacks can potentially be used for highly effective targeted phishing, but they are unlikely to scale well enough for large-scale phishing attacks aiming at a broad variety of users.","PeriodicalId":158487,"journal":{"name":"Proceedings of the 16th European Workshop on System Security","volume":"49 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 16th European Workshop on System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3578357.3589458","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0