Stopping Man-in-the-Browser -- Entrust, TowerGroup Explore Critical Threats, Solutions

Man-in-the-browser the malware of choice for today's online criminals

DALLAS, Feb. 19 (AllPayNews) -- Still struggling to understand online fraud and the threat of man-in-the-browser attacks? To help, Entrust, Inc. is providing security-conscious organizations an informative webcast. This complimentary 45-minute event explores the current state of online fraud and how the evolution of these malware threats can affect online transactions.

"Man-in-the-browser attacks are absolutely one of the most nefarious malware trends threatening today's online consumers and businesses," said Entrust President and CEO Bill Conner. "Entrust is pleased to provide organizations with a global perspective on malware, as well as solutions to help defend against advanced online fraud attacks, which include man-in-the-browser and social engineering schemes."

This essential webcast — "Battling Online Fraud: Getting in Front of Man-in-the-Browser Attacks and Other Evolving Threats" — features Entrust director of identity products Steve Neville and TowerGroup senior research director George Tubin. The presentation provides an overview of man-in-the-browser and other attacks, how they've grown in sophistication and popularity, as well as specific strains of real-world malware.

"Defending against man-in-the-browser attacks requires a persistent, multilayered security approach," said Tubin. "To effectively identify and limit this type of malware, organizations should deploy an interoperable combination of strong authentication, behavioral fraud detection and out-of-band transaction authentication."

One of the most advanced forms of malware used by criminals today, a man-in-the-browser attack typically takes the form of an invisible browser extension, installed unknowingly by the user as a result of social engineering (e.g., phishing). From the user's point of view, the Web transaction takes place normally, complete with expected interactions with the server.

The malware then modifies Web sessions at will and initiates fraudulent transactions — all while showing the session as normal to the user, making it next to impossible for an end-user to detect. The impact these attacks could potentially have on the adoption of the online channel, corporate brands and customers' financial livelihood may well be substantial.

This type of malware continues to help online criminals perpetrate fraud against unsuspecting consumers and financial institutions. In August 2009, the Anti-Phishing Working Group received a record 56,362 reports of phishing sites. For the same month, the number of hijacked brands rose to a record 341, up more than 10 percent from the previous record of 310 in March 2009.(1)

A proven approach to helping defend against man-in-the-browser attacks, Entrust's identity-based approach provides a true integrated consumer authentication and fraud detection solution for financial institutions. This is accomplished via a pair of trusted Entrust platforms — the Entrust IdentityGuard versatile authentication platform and the Entrust TransactionGuard fraud detection solution.

Entrust enables organizations to layer security — according to access requirements or the risk of a given transaction — across diverse users and applications. Entrust's authentication capabilities include username and password, IP-geolocation, device, questions and answers, out-of-band one-time passcode (delivered via voice, SMS or e-mail), grid and eGrid cards, digital certificates (in software or on smart cards/USB Tokens) and a range of one-time-passcode tokens. Entrust also provides multiple methods of supporting mutual authentication, including picture and caption replay as well as Extended Validation (EV) SSL certificates.

Entrust's zero-touch fraud detection solution, Entrust TransactionGuard, captures all the data in a session and does not require integration with back-end applications. It transparently monitors user behavior to identify anomalies, and then calculates the risk associated with a particular transaction — all seamlessly and in real time. Unlike competitive offerings, Entrust TransactionGuard analyzes all points of interaction with the user on the Web site, enabling organizations to gain a more comprehensive picture of potentially fraudulent behavior without ever changing sophisticated banking applications.

To view the Entrust webcast, “Battling Online Fraud: Getting in Front of Man-in-the-Browser Attacks and Other Evolving Threats,” please visit

About Entrust
Entrust provides trusted solutions that secure digital identities and information for enterprises and governments in 2,000 organizations spanning 60 countries. Offering trusted security for less, Entrust solutions represent the right balance between affordability, expertise and service. These include SSL, strong authentication, fraud detection, digital certificates and PKI. For information, call 888-690-2424, e-mail or visit

(1) "Phishing Activity Trends Report," Anti-Phishing Working Group, Q3 2009.

Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All Entrust product names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited. All other company and product names are trademarks or registered trademarks of their respective owners.

SOURCE Entrust, Inc.