1 / 57

E-Banking Fraud Schemes: Attack Trends and Defenses

E-Banking Fraud Schemes: Attack Trends and Defenses. Andrew Showstead, VASCO Data Security. Agenda. Attack trends Phishing attacks Spyware attacks Man-in-the-middle (MITM) attacks The cybercrime black market Defense mechanisms One-time passwords Electronic signatures User education

von
Download Presentation

E-Banking Fraud Schemes: Attack Trends and Defenses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. E-Banking Fraud Schemes: Attack Trends and Defenses Andrew Showstead, VASCO Data Security E-Banking Fraud Schemes

  2. Agenda • Attack trends • Phishing attacks • Spyware attacks • Man-in-the-middle (MITM) attacks • The cybercrime black market • Defense mechanisms • One-time passwords • Electronic signatures • User education • Conclusion E-Banking Fraud Schemes

  3. Phishing Computer Malware & Countermeasures

  4. Phishing attacks: introduction (2/2) E-Banking Fraud Schemes

  5. Why phishing works • Technologies for server authentication exist • E.g. SSL/TLS with X.509v3 certificates • Study by Harvard University & UC Berkeley (4/2006) • Security indicators are not noticed or understood • Security indicators can be spoofed E-Banking Fraud Schemes

  6. Context-aware phishing (1/4) • Also called “spear phishing” • Phishing attack against: • Employees of certain company, agency, organization, ... • People using a certain product or service • Spear phishing e-mails are more convincing: • Include personal information • Appear to come from known person (e.g. IT, head of HR, head of Sales and Marketing) • Information sources: • Compromised databases • monster.com (1.3M job seekers, 8/2007), USAJobs.com (146K job seekers, 8/2007), Salesforce.com (11/2007) • Social networking sites (e.g. LinkedIn, FaceBook, MySpace) E-Banking Fraud Schemes

  7. Context-aware phishing (2/4) E-Banking Fraud Schemes

  8. Context-aware phishing (3/4) E-Banking Fraud Schemes

  9. Context-aware phishing (4/4) E-Banking Fraud Schemes

  10. Context-aware phishing (5/6) E-Banking Fraud Schemes

  11. Context-aware phishing (6/6) • Reported case: (9/2006) • Step 1: information gathering • Attackers broke into computer systems of <a large company> • Attackers stole information of 19,000 customers • Step 2: information usage • Attackers sent e-mail to customers, including personal information and a claim about recent order requiring the customer’s attention • Customers were led to website and asked for more information E-Banking Fraud Schemes

  12. Effectiveness of Spear Phishing • Gartner: non-targeted phishing • 19% clicks on link in e-mail • 3% gives away personal information • Indiana University (US): targeted phishing • E-mail from friend: 72% gives away personal information • E-mail from unknown student: 16% gives away personal information • West Point Military Academy (US): targeted phishing • E-mail from colonel to cadets: 80% gives away personal information E-Banking Fraud Schemes

  13. Whaling (1/4) • Definition • Spear phishing attack against high-level executives in a single organization, or executives common to different organizations (e.g. CEO, CIO, PM) • May involve e-mail, postal mail, ... E-Banking Fraud Schemes

  14. Whaling (2/4) E-Banking Fraud Schemes

  15. Whaling (3/4) • Reported case: MessageLabs (6/2007) • MessageLabs intercepted 500 highly targeted e-mail messages with Word-document • Name and job title in subject line • Family and friends were targeted as well in order to access home computers E-Banking Fraud Schemes

  16. Whaling (4/4) BBB (SecureWorks, 5/2007 and MessageLabs, 11/2007) Federal Trade Commission (11/2007) United States Department of Justice (Websense, 11/2007) E-Banking Fraud Schemes

  17. Optimizing delivery of phishing e-mails • Common phishing protection mechanisms: • Spam filter: detect phishing e-mails before end-user’s inbox • Browser: warn end-user when visiting phishing server • Based on blacklisting URLs of known phishing servers • Report phishing website at http://www.PhishTank.com E-Banking Fraud Schemes

  18. Preventing Blacklisting • URL variations • http://www.secure-bank.com:80 • Randomized subdomains • Unique URL per user / number of users • http://www.barclays.co.uk.X.lot80.info/ (X: random number) • Allows tracking end-user responses E-Banking Fraud Schemes

  19. Voice (phone) phishing Two types: Fraudster calls end-user and asks for credentials End-user is tricked to call fraudster (via e-mail, voice mail) Strengths: Telephone systems have longer record of trust A greater percentage of people can be reached (e.g. elderly) People are used to automatic answering services Making or receiving calls is cheap Caller ID can be spoofed Alternative channels (1/2) - vishing E-Banking Fraud Schemes

  20. SMS phishing – phishing with text messages Process: End-user receives SMS telling him that he has successfully subscribed to a service, he will be charged for the service, he can visit a website to unsubscribe from a service End-user visits website and provides sensitive information Alternative channels (2/2) - smishing

  21. Pharming

  22. Pharming (1/7) • Interfere with the resolution of a domain name to an IP-address so that domain name of genuine website is mapped onto IP-address of rogue website www.google.co.uk www.barclays.co.uk 64.233.183.99 213.219.1.141 E-Banking Fraud Schemes

  23. Pharming (2/7) – hosts file poisoning E-Banking Fraud Schemes

  24. Pharming (3/7) – hosts file poisoning • Adding {domain name, IP-address} pairs to hosts file • Method: • Hosts-file contains {domain name, IP-address} pairs • Windows XP/Vista: %SystemRoot%\system32\drivers\etc • DNS resolver looks up hosts file on end-user’s PC prior to contacting DNS-server E-Banking Fraud Schemes

  25. Pharming (5/7) – DNS cache poisoning • Unsolicited information in replies is accepted • Example: a DNS-server can provide an IP-address for www.real-bank.com although the address of www.mock-bank.com was asked E-Banking Fraud Schemes

  26. Drive By Attacks – Samy is My Hero • MySpace Worm • Added users to Samy’s Friends list without authorization by user • Added text “but most of all, Samy is My Hero” to user pages • Propogation: • Author originally had 73 “friends” • 7 hours later, 221 new friend requests • 13 hours: 2,503 friends and 6,373 friend requests • After about 18 hours, over 1,005,831 new friend requests • Response • MySpace – complete service shutdown • “Samy” sentenced to 3 years probabtion and community service – Internet ban E-Banking Fraud Schemes

  27. Drive By Attacks – Samy is My Hero E-Banking Fraud Schemes

  28. Pharming (6/7) – drive-by pharming • Technique to alter DNS settings of (wireless) home router • Method: • User downloads web page containing Java applet and JavaScript • Java applet detects IP-address of host and addressing scheme • JavaScript pings other hosts and discovers brand of router • JavaScript accesses configuration screens using default passwords • Reported case: Mexican bank (1/2008) • Attack on 2wire router • Victim receives e-mail saying e-card waiting at www.gusanito.com • E-mail contains HTML IMG tag resulting in HTTP GET to home router; no HTTP-authentication required • HTTP GET changes DNS settings of router (XSRF attack) E-Banking Fraud Schemes

  29. Fast-flux service networks (1/2) • Basic components of phishing infrastructure • One or more web-servers to host rogue website • One or more domain names, e.g. www.my-bank.info • Popular top-level domains: .hk, .cc and .info • One or more DNS-servers, which are configured to be authoritative for the registered domain names • Phishing infrastructure requirements: • High availability • Website should not be taken down too soon by bank or ISP • Easily manageable • Webpages should not be dispersed among too many web servers • Can be realized using fast-flux approach E-Banking Fraud Schemes

  30. Fast-flux service networks (2/2) • Simple fast-flux E-Banking Fraud Schemes

  31. Spyware

  32. Spyware • Definition of spyware attack • Attempt to fraudulently obtain sensitive information such as usernames, passwords and credit-card details, by covertly intercepting information exchanged during an electronic communication E-Banking Fraud Schemes

  33. Bank Trojans • Designed to obtain bank credentials (since mid-2004) • 4 main functions: • Monitoring • Harvest data when user visits banking website  efficiency • Filter list: www.citibank.com , /TAN/ , “Welcome to Citi” • Spying • Capture user’s banking credentials • Hiding • Ensure Trojan cannot be detected by security software • Updating • Regular update of filter list from control server E-Banking Fraud Schemes

  34. Monitoring techniques (1/3) • Browser Helper Objects (BHOs) • Lightweight DLL extension adding custom functionality to IE • Confirm to Common Object Model (COM) • Loading of BHO into IE • At start-up IE loads COM objects whose CLSID is present in certain Windows registry key • Allows eavesdropping on browser events and user input • InfoStealer Trojan • MITM Attacks E-Banking Fraud Schemes

  35. IExplore.exe WinInet.dll Trojan.dll Call HTTPSendRequestA 12345 45789 HTTPSendRequestA HTTPSendRequestA … Get payload Call 12345 Import Address Table HTTPSendRequestA is at address 12345 Monitoring techniques (2/3) • Hooking WinInet API functions • WinInet.dll: Windows implementation of HTTP(S),FTP • Hooking: • Call to function in WinInet.dll passes via Trojan (redirection) • Trojan has read/write access to payload of function HTTPSendRequestA is at address 45789 E-Banking Fraud Schemes

  36. Monitoring techniques (3/3) • Winsock’s Layered Service Providers (LSP) architecture • WinSock.dll: Windows implementation of TCP/IP • Applications performing network operations load WinSock • Additional libraries can be loaded into WinSock • Benign applications: • Parental control: content filtering • Application-transparent encryption • Malign applications: • Eavesdropping on network communication • Altering financial transaction data E-Banking Fraud Schemes

  37. Spying techniques • Form grabbing • Trojan captures only data that is entered into web form • Common techniques: BHOs, API hooking • Injection of fraudulent pages or fields • Trojan modifies HTML-pages coming from bank on-the-fly • Inserts additional fields or modifies destination of “Log on” button • Trojan receives HTML-pages from control server • Screenshots and video captures • Keylogging • Trojan is triggered when user visits certain URL • Only data entered into webpage is logged • Note: techniques defeat SSL, virtual keyboards, ... E-Banking Fraud Schemes

  38. Example: Infostealer.Banker (1/2) • Installation • Registration of BHO in Windows registry • Generation of random number as ID for infected PC • Registration of ID at server via PHP-script • Operation • BHO contacts server for updated “help.txt” • BHO listens for connections to URLs in “help.txt” • When BHO detects connection to certain URL • BHO looks in “help.txt” for HTML-code to be injected • BHO injects HTML code • Browser displays modified webpage • When user enters credentials into modified webpage, BHO calls PHP-script to upload credentials to server E-Banking Fraud Schemes

  39. Example: Infostealer.Banker (2/2) E-Banking Fraud Schemes

  40. Man-in-the-middle Attacks

  41. Man-in-the-middle attack • Real-time interception and modification of information interchanged between two entities without either entity noticing • Uses phishing and/or spyware techniques • Man-in-the-middle can be: • Local: spyware on end-user’s PC • Remote: phishing website E-Banking Fraud Schemes

  42. 1: “John” 1: “John” 2: OTP 2: OTP 3: “$500 to Bob” 3: “$500 to Bob” Local man-in-the-middle attack • “Man-in-the-browser”, “Local session riding” • General procedure • Infect system with Banking Trojan • Hijack successfully authenticated session • Insert or modify fraudulent transactions End-user’s computer 1: “John” E-banking server Banking Trojan Browser End-user “John” 2: OTP 3: “$5000 to Bill” E-Banking Fraud Schemes

  43. Remote man-in-the-middle attack • General procedure: • Redirect traffic to rogue website • Using common phishing techniques: e-mail, pharming, … • Act as proxy between end-user and real banking website • Keep authenticated session alive and modify transaction data • Reported cases: • Dutch and Swedish retail banks (March 2007): • Infostealer.Banker.C and phishing website • Damage: 4 customers, unknown amount • Belgian retail bank (May/June 2007) • Damage: 3 customers, ~ 10 000 euro E-Banking Fraud Schemes

  44. The Cybercrime Black Market

  45. Organization (1/2) Money mule recruiter Coder Money mule On-line forum (IRC, web) Card skimmer Spammer Exploiter Website designer Botnet Herder E-Banking Fraud Schemes

  46. Organization (2/2) – money mules • Problem of phisher: • E-banking system may not allow money transfers to foreign accounts • Solution: • Phisher recruits “money mules” with bank account in country of targeted bank • Phisher transfers money to bank account of mule • Mule transfers money to phisher (e.g. Western Union, Moneygram) • Money mule recruitment • Regular job adversitement channels • “Financial service manager”, “shipping manager”, “private financial retreiver”, etc. • More information: http://bobbear.co.uk/ E-Banking Fraud Schemes

  47. Fraud Accounting • Cost of phishing attack: • Phishing e-mail + phishing website: $5 • Spam list: $8 • Botnet for sending out spam during 6 hours: $30 • Hacked server to host phishing website: $10 • Valid DNS-name: $10 • Total cost: $63 • Profit from phishing attack • Option 1: selling stolen banking credentials • 20 accounts: $200 - $2000 • Profit: $137 - $1,937 • Option 2: cashing money via money mule • $10,000 on account; 50% for money mule; 50% rip-off rate • Income: $2500 E-Banking Fraud Schemes

  48. Defense Mechanisms Computer Malware & Countermeasures

  49. One-time passwords (1/3) • Strengths • Render compromised end-user credentials less valuable for adversary (only valid once and during limited amount of time) • Limit amount of time between collection and exploitation steps of phishing attack • Break down the traditional economic model of phishing attacks • Phishing economy: specialization means trading • Trading credentials takes time • One-time passwords are invalid before used E-Banking Fraud Schemes

  50. One Time Passwords (Response Only) Encryption DP Secret

More Related