I'm surprised that most of the MitB attacks are still just stealing credentials instead of changing transaction contents on the fly. I can see that credentials have an intrinsic value on the "black market", but the attack model of stealing credentials and then using them to log into the victim account to perform transactions seems too complex for me. Once in the browser, the malware can just change the transaction being performed by the victim, in a way that all the traces (such as IP addresses) would point to his/her computer and not the attacker's. There's also no need to transfer the stolen data from one place to another, so it reduces even more the places where the attacker leaves his tracks.I can see two reasons why they are still not doing that:

• The malware developers are not closely related to the "money criminals" - They are building software to be used by different "clients", and the best way to implement that portability is to sell credentials only.

• Stealing credentials just work and can be used multiple times, and people just understand the model.

If any of those conditions change, more sophisticated versions of the attack will probably start to detected too. By now, it is important to note that fighting the "stolen credentials" threat doesn't necessarily mean you are also solving the MitB threat. For that, transaction authentication is necessary.