How to Bridge Business, Product, and InfoSec with Cyber Execs from Live Oak Bank, Toyota Financial Services, and BlackbaudDownload Now
Now Available On-Demand
👉 Watch Now

Protect Your Customers Against

Man-in-the-Browser Attacks
Malicious Browser Extensions
Cross-site Scripting
Credential Stuffing
Chainloading
Formjacking
Click-jacking
Redirect attacks
On-path browser attacks
Directory Traversal
JavaScript Injection
Broken Link Hijacking
Server-side Request Forgery
Cross-site Request Forgery

Risk-Based Protection Against Automated Threats and Fraud.

We remove the browser as an attack surface for web platforms and consumers, preventing hacking, fraud, malware, and automated threats that mimic human behavior.

Watch our 5-minute OverviewInitiate Protected App Session
A paradigm shift in web security
Introducing

We protect web-based platforms from the long tail of cyber attacks leveraging browsers.

Bad actors can manipulate what customers see and do in their web browsers. By converting your web application content into pixels instead of plain text and concealing elements, we eliminate the browser attack surface.

We defend your web apps against the most evasive cyber threats.

MirrorTab's proprietary isolation technology eliminates the browser attack surface, blocking evasive threats, harmful extensions, middleware, and malware from accessing APIs, infrastructure, data, and code on any web platform.

Agent Tesla

Agent Tesla is an infostealer and Remote Access Trojan (RAT) known for keylogging and screen capturing, distributed through phishing campaigns and employing evasion techniques to bypass security measures.

LokiBot

LokiBot is a long-standing infostealer targeting Windows systems, capable of injecting malicious code into browsers and other applications to steal credentials, often spread through phishing emails.

Mars Stealer

Mars Stealer is an infostealer that specializes in stealing browser credentials, cryptocurrency wallets, and two-factor authentication tokens, using advanced evasion techniques to avoid detection.

Mekotio

Mekotio is a banking trojan turned infostealer that primarily targets users in Latin America, stealing banking credentials by injecting malicious code into browser sessions and intercepting transactions.

Vidar

Vidar is an infostealer that focuses on stealing credentials, cryptocurrency wallets, and system information by injecting malicious code into browsers and taking screenshots of user activity.

Raccoon Stealer

Raccoon Stealer targets browser data, including passwords and cookies, and is known for its advanced evasion techniques, making it difficult to detect. It is primarily distributed through phishing campaigns.

RedLine Stealer

RedLine Stealer is an infostealer focused on capturing login credentials, browser data, and cryptocurrency wallets by injecting malicious code into the browser and intercepting auto-fill data.

SilentBanker

SilentBanker is a trojan on stealing banking credentials and intercepting online transactions by injecting malicious code into the communication between the user's browser and the targeted online banking site.

DarkTequila

DarkTequila is known for targeting users in Latin America. It is capable of stealing sensitive information, including banking credentials and personal data, and it utilizes advanced evasion techniques to avoid detection.

Betabot

Betabot is a banking trojan that has features for stealing credentials, including the ability to inject malicious code into browsers. It has evolved over time and is capable of various malicious activities.

Emotet

Emotet is a modular trojan that can act as a delivery mechanism for other malware. It is known for its polymorphic capabilities and is often involved in distributing banking trojans and other malicious payloads.

Shifu

Shifu is a banking trojan that targets financial institutions. It is known for its advanced capabilities, including the injection of malicious code into browsers to conduct man-in-the-browser attacks.

Zloader

Zloader (aka Terdot) is a banking trojan that shares similarities with ZeuS. It is designed to steal banking credentials and personal information by injecting malicious code into web browsers during online banking sessions.

URLZone

URLZone (aka (Bebloh) is a banking trojan that injects malicious code into web pages to modify online banking content. It is designed to steal sensitive financial information and login credentials.

QakBot

QakBot (aka Qbot) is a banking trojan that focuses on stealing financial information. It often uses sophisticated techniques, including the injection of malicious code into web browsers to intercept and manipulate online banking transactions.

Pony

Pony (aka Fareit) is a versatile trojan that often serves as an information stealer. It is known for its capabilities in stealing various types of credentials, including usernames and passwords from applications and websites.

Nigelthorn

Nigelthorn is a cryptojacking campaign to inject malicious code for cryptocurrency mining purposes to hijack the users' CPU power to mine without the knowledge or consent of users.

DataSpii

DataSpii is a privacy and security issue related to browser extensions collecting and exposing sensitive user data with seemingly legitimate extensions that users voluntarily install with hidden features.

Trickbot

Trickbot is a trojan that has a modular structure, allowing attackers to add or update functionalities dynamically making it a persistent and challenging multifaceted threat with various capabilities.

Dridex

Dridex (aka Cridex, Bugat, or Geodo) operates as part of a botnet infrastructure to conduct man-in-the-browser attacks where it injects malicious code into the victim's web browser.

Dyre

Dyre (aka Dyreza) is a trojan with advanced features to conduct man-in-the-browser attacks to steal usernames, passwords, and other authentication details.

Neverquest

Neverquest (aka Vawtrak) is a trojan that injects malicious code into browsers, allowing it to modify and manipulate online banking pages to capture login credentials and account details.

Tinba

Tinba (aka Tiny Banker or Zusy) is a trojan known for its small size, making it difficult to detect, and is able to inject malicious code into the web browsers of infected systems to capture sensitive data.

Ramnit

Ramnit is a trojan with advanced features to stealthily capture login credentials, harvest credit card details, and collect data to compromise the privacy and security of individuals.

Carberp

Carberp is a banking trojan with advanced features to capture login credentials, credit card information, and other sensitive data entered by users during online banking sessions.

Torpig

Torpig is a trojan and botnet designed to steal sensitive information, such as login credentials, credit card numbers, and email account details from Windows-based systems.

Gozi

Gozi is a trojan known for its advanced web injection techniques for multiple attack vectors, including banking fraud, eCommerce fraud, ransomware, and compromising POS devices.

Citadel

Citadel (aka KINS) is a trojan that targets password managers and is equipped with additional features, such as the ability to record video of the victim’s screen and an advanced keylogger.

SpyEye

SpyEye is a banking trojan with advanced features, like auto-fill credit card tools and the ability to spoof HTTPS access and grab information across FTP and POP3 protocols targeting browsers.

ZeuS

ZeuS (aka Zbot) is a highly customizable banking trojan that targets Windows-based systems, designed to steal sensitive data, it includes tools like keystroke loggers and form grabbers.

We protect web-based applications against:

Man-in-the-Browser (MitB) Attacks

Session Token Theft

Cookie Manipulation

JavaScript Injection

Credential stuffing

HTML smuggling

Cross-site Scripting (XSS)

Sideloading

Stealing passwords

Cross-site Request Forgery (CSRF)

Malicious Browser Extensions

Formjacking

Malvertising

Click-jacking

Evasive Malware

Why MirrorTab is the Best Solution

To eliminate the browser attack surface, we stream pixels instead of rendering DOM (Document Object Model) elements for your web apps. This allows your customers to interact with secure virtual representations of web-based apps without security risks.

How it Works

Client-side Isolation

We enhance web security by creating a virtual air gap between web applications and the customers accessing them.

Pixel Streaming

We stream pixels instead of DOM elements, eliminating the attack surface for browser attacks.

Deployed Server-side

We ensure a seamless user experience without requiring any changes to client-side behavior.

Web apps behave like normal and content is presented accurately.

We render web content interactively to navigate without impacting the end-user experience or performance.

Improves performance over low bandwith connections.

*Example using a web content heavy site.

*Example using a web content heavy site.

Speed Test on:
Download: 11.1 Mbps
Upload: 744 Kbps

Our Mission at MirrorTab

Founded by the founders of Honey (acquired by PayPal).

This isn’t our first rodeo. We were the brains behind Honey, the world’s most valuable browser extension, which leveraged the browser's DOM to automatically apply coupon codes at checkout.

Now, we’re flipping the script: our mission is to protect customers from hacking and malware by removing the browser's DOM as an attack surface for web-based applications and systems.

Introducing Trusty - Your Secure Browsing Companion

Man-in-the-Browser Attack Explained and Mitigated

In order to perform MitB attacks, a hacker must progress through the following steps in the attack chain:

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18

The Trojan infects the computer’s software, either OS or Application.

The Trojan installs an extension into the browser configuration, so that it will be loaded next time the browser starts.

At some later time, the user restarts the browser.

The browser loads the extension.

The extension registers a handler for every page-load.

The Trojan infects the computer’s software, either OS or Application.

The user logs in securely on to for example 
https://secure.original.site/

When the handler detects a page-load for a specific pattern in its targeted list (for example https://secure.original.site/account/do_transaction) it registers a button event handler.

When the submit button is pressed, the extension extracts all data from all form fields through the DOM interface in the browser, and remembers the values.

MirrorTab prevents the extension from knowing the field was submitted or extracting the data.

The extension modifies the values through the DOM interface.

MirrorTab stops DOM modification.

The extension tells the browser to continue to submit the form to the server.

Extension cannot view/modify network or API traffic.

The browser sends the form, including the modified values, to the server.

Extension cannot view/modify network or API traffic.

The server receives the modified values in the form as a normal request. The server cannot differentiate between the original values and the modified values, or detect the changes.

Extension cannot view/modify network or API traffic.

The server performs the transaction and generates a receipt.

Would only accept true form, due to immutable DOM.

The browser receives the receipt for the modified transaction.

The browser cannot modify receipt for modified transaction due to MirrorTab.

The extension detects the https://secure.original.site/account/receipt URL, scans the HTML for the receipt fields, and replaces the modified data in the receipt with the original data that it remembered in the HTML.

Extension cannot modify receipt fields due to MirrorTab.

The browser displays the modified receipt with the original details.

MirrorTab breaks attack chain.

The user thinks that the original transaction was received by the server intact and authorized correctly.

MirrorTab breaks attack chain.

What is the man-in-the-browser attack?

The Man-in-the-Browser attack is the same approach as Manipulator-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application's executable (ex: the browser) and its security mechanisms or libraries on-the-fly.