A man-in-the-browser attack is like having a hidden enemy inside your Web browser. This "middleman" malware injects itself into the browser process, intercepting and handling all the back and forth communication between you and the website(s) you try to visit.
A man-in-the-browser attack is very much like a virtual game of keep-away (also known as piggy in the middle in some countries). For example, you type in a Web address such as www.about.com. But instead of going directly out to the Web to fetch the address, the request instead gets handled by this process hijacker before it even leaves your computer.
This enables the malware to do things like sniff out usernames and passwords for sensitive sites. It can also enable the malware to forcibly redirect you to a completely different page. More insidiously, it can return what appears to be a valid page from the website you're trying to visit. But unbeknown to you, the malware has 'doctored' the page, inserting other information that can cause harm.
In mid-May 2011, the SpyEye trojan targeted Verizon customers who use online bill pay. When a user with a SpyEye-infected computer logged into their Verizon account, the man-in-the-browser delivered a doctored page that requested they confirm their financial details - such as social security number, mother's maiden name, credit card numbers, and other sensitive details.
Since the users were logged into the legitimate Verizon website, chances are many responded to this request for information. Those who did would have found themselves victims of credit card theft and other potential forms of financial fraud.
The Gumblar family of trojans is another example of malware that employs a man-in-the-browser attack. Gumblar intercepted Google search requests and modified the search results pages in the user's browser so the top returned links all pointed to malicious websites.
Man-in-the-browser attacks can also be used to deliver pop-up advertising or to inject iframes to deliver malware and exploits via drive-by download. The advantage for the attackers is that you believe the malware, pop-ups, or malicious search results are coming from legitimate websites, when it's all actually coming directly from within your browser.
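The doctored pages described above (extra form fields, as in the SpyEye case, and injected iframes) can be looked for by comparing what the site served with what the browser ended up rendering. The following is an added example, not part of the original article; the function names, field names and sample HTML are constructed for illustration.

```javascript
// Added example: list form fields and iframes that appear in the rendered
// page but were not in the page the server sent. All names are hypothetical.
function inventory(html) {
  const fields = new Set();
  const frames = new Set();
  const tagRe = /<(input|select|textarea|iframe)\b([^>]*)>/gi;
  // Read one attribute value (double-quoted, single-quoted or unquoted).
  const attr = (attrs, name) => {
    const re = new RegExp('(?:^|\\s)' + name +
      '\\s*=\\s*("([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
    const m = re.exec(attrs);
    return m ? (m[2] ?? m[3] ?? m[4]) : null;
  };
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (tag === 'iframe') frames.add(attr(m[2], 'src') || '(no src)');
    else fields.add((attr(m[2], 'name') || attr(m[2], 'id') || '(unnamed)').toLowerCase());
  }
  return { fields, frames };
}

// Anything present after rendering that the server never sent is suspect.
function findInjected(servedHtml, renderedHtml) {
  const served = inventory(servedHtml);
  const rendered = inventory(renderedHtml);
  return {
    fields: [...rendered.fields].filter((f) => !served.fields.has(f)),
    frames: [...rendered.frames].filter((s) => !served.frames.has(s)),
  };
}

// Constructed sample: a login form as served, then a doctored rendering of it.
const SERVED = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>`;
const RENDERED = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="ssn">
  <input type="text" name="mothers_maiden_name">
  <input type="text" name="card_number">
</form>
<iframe src="https://injected.example/frame" width="0" height="0"></iframe>`;

console.log(findInjected(SERVED, RENDERED));
```

The regular-expression parsing keeps the example runnable outside a browser; a script in the page would read the same inventory from the live DOM. Because the malware runs inside the browser process, it can interfere with such a script, so a clean result is one signal rather than proof.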
