580 likes | 737 Views
E-Banking Fraud Schemes: Attack Trends and Defenses. Andrew Showstead, VASCO Data Security. Agenda. Attack trends Phishing attacks Spyware attacks Man-in-the-middle (MITM) attacks The cybercrime black market Defense mechanisms One-time passwords Electronic signatures User education
E N D
E-Banking Fraud Schemes: Attack Trends and Defenses Andrew Showstead, VASCO Data Security E-Banking Fraud Schemes
Agenda • Attack trends • Phishing attacks • Spyware attacks • Man-in-the-middle (MITM) attacks • The cybercrime black market • Defense mechanisms • One-time passwords • Electronic signatures • User education • Conclusion E-Banking Fraud Schemes
Phishing Computer Malware & Countermeasures
Phishing attacks: introduction (2/2) E-Banking Fraud Schemes
Why phishing works • Technologies for server authentication exist • E.g. SSL/TLS with X.509v3 certificates • Study by Harvard University & UC Berkeley (4/2006) • Security indicators are not noticed or understood • Security indicators can be spoofed E-Banking Fraud Schemes
Context-aware phishing (1/4) • Also called “spear phishing” • Phishing attack against: • Employees of certain company, agency, organization, ... • People using a certain product or service • Spear phishing e-mails are more convincing: • Include personal information • Appear to come from known person (e.g. IT, head of HR, head of Sales and Marketing) • Information sources: • Compromised databases • monster.com (1.3M job seekers, 8/2007), USAJobs.com (146K job seekers, 8/2007), Salesforce.com (11/2007) • Social networking sites (e.g. LinkedIn, FaceBook, MySpace) E-Banking Fraud Schemes
Context-aware phishing (2/4) E-Banking Fraud Schemes
Context-aware phishing (3/4) E-Banking Fraud Schemes
Context-aware phishing (4/4) E-Banking Fraud Schemes
Context-aware phishing (5/6) E-Banking Fraud Schemes
Context-aware phishing (6/6) • Reported case: (9/2006) • Step 1: information gathering • Attackers broke into computer systems of <a large company> • Attackers stole information of 19,000 customers • Step 2: information usage • Attackers sent e-mail to customers, including personal information and a claim about recent order requiring the customer’s attention • Customers were led to website and asked for more information E-Banking Fraud Schemes
Effectiveness of Spear Phishing • Gartner: non-targeted phishing • 19% clicks on link in e-mail • 3% gives away personal information • Indiana University (US): targeted phishing • E-mail from friend: 72% gives away personal information • E-mail from unknown student: 16% gives away personal information • West Point Military Academy (US): targeted phishing • E-mail from colonel to cadets: 80% gives away personal information E-Banking Fraud Schemes
Whaling (1/4) • Definition • Spear phishing attack against high-level executives in a single organization, or executives common to different organizations (e.g. CEO, CIO, PM) • May involve e-mail, postal mail, ... E-Banking Fraud Schemes
Whaling (2/4) E-Banking Fraud Schemes
Whaling (3/4) • Reported case: MessageLabs (6/2007) • MessageLabs intercepted 500 highly targeted e-mail messages with Word-document • Name and job title in subject line • Family and friends were targeted as well in order to access home computers E-Banking Fraud Schemes
Whaling (4/4) BBB (SecureWorks, 5/2007 and MessageLabs, 11/2007) Federal Trade Commission (11/2007) United States Department of Justice (Websense, 11/2007) E-Banking Fraud Schemes
Optimizing delivery of phishing e-mails • Common phishing protection mechanisms: • Spam filter: detect phishing e-mails before end-user’s inbox • Browser: warn end-user when visiting phishing server • Based on blacklisting URLs of known phishing servers • Report phishing website at http://www.PhishTank.com E-Banking Fraud Schemes
Preventing Blacklisting • URL variations • http://www.secure-bank.com:80 • Randomized subdomains • Unique URL per user / number of users • http://www.barclays.co.uk.X.lot80.info/ (X: random number) • Allows tracking end-user responses E-Banking Fraud Schemes
Voice (phone) phishing Two types: Fraudster calls end-user and asks for credentials End-user is tricked to call fraudster (via e-mail, voice mail) Strengths: Telephone systems have longer record of trust A greater percentage of people can be reached (e.g. elderly) People are used to automatic answering services Making or receiving calls is cheap Caller ID can be spoofed Alternative channels (1/2) - vishing E-Banking Fraud Schemes
SMS phishing – phishing with text messages Process: End-user receives SMS telling him that he has successfully subscribed to a service, he will be charged for the service, he can visit a website to unsubscribe from a service End-user visits website and provides sensitive information Alternative channels (2/2) - smishing
Pharming (1/7) • Interfere with the resolution of a domain name to an IP-address so that domain name of genuine website is mapped onto IP-address of rogue website www.google.co.uk www.barclays.co.uk 64.233.183.99 213.219.1.141 E-Banking Fraud Schemes
Pharming (2/7) – hosts file poisoning E-Banking Fraud Schemes
Pharming (3/7) – hosts file poisoning • Adding {domain name, IP-address} pairs to hosts file • Method: • Hosts-file contains {domain name, IP-address} pairs • Windows XP/Vista: %SystemRoot%\system32\drivers\etc • DNS resolver looks up hosts file on end-user’s PC prior to contacting DNS-server E-Banking Fraud Schemes
Pharming (5/7) – DNS cache poisoning • Unsolicited information in replies is accepted • Example: a DNS-server can provide an IP-address for www.real-bank.com although the address of www.mock-bank.com was asked E-Banking Fraud Schemes
Drive By Attacks – Samy is My Hero • MySpace Worm • Added users to Samy’s Friends list without authorization by user • Added text “but most of all, Samy is My Hero” to user pages • Propogation: • Author originally had 73 “friends” • 7 hours later, 221 new friend requests • 13 hours: 2,503 friends and 6,373 friend requests • After about 18 hours, over 1,005,831 new friend requests • Response • MySpace – complete service shutdown • “Samy” sentenced to 3 years probabtion and community service – Internet ban E-Banking Fraud Schemes
Drive By Attacks – Samy is My Hero E-Banking Fraud Schemes
Pharming (6/7) – drive-by pharming • Technique to alter DNS settings of (wireless) home router • Method: • User downloads web page containing Java applet and JavaScript • Java applet detects IP-address of host and addressing scheme • JavaScript pings other hosts and discovers brand of router • JavaScript accesses configuration screens using default passwords • Reported case: Mexican bank (1/2008) • Attack on 2wire router • Victim receives e-mail saying e-card waiting at www.gusanito.com • E-mail contains HTML IMG tag resulting in HTTP GET to home router; no HTTP-authentication required • HTTP GET changes DNS settings of router (XSRF attack) E-Banking Fraud Schemes
Fast-flux service networks (1/2) • Basic components of phishing infrastructure • One or more web-servers to host rogue website • One or more domain names, e.g. www.my-bank.info • Popular top-level domains: .hk, .cc and .info • One or more DNS-servers, which are configured to be authoritative for the registered domain names • Phishing infrastructure requirements: • High availability • Website should not be taken down too soon by bank or ISP • Easily manageable • Webpages should not be dispersed among too many web servers • Can be realized using fast-flux approach E-Banking Fraud Schemes
Fast-flux service networks (2/2) • Simple fast-flux E-Banking Fraud Schemes
Spyware • Definition of spyware attack • Attempt to fraudulently obtain sensitive information such as usernames, passwords and credit-card details, by covertly intercepting information exchanged during an electronic communication E-Banking Fraud Schemes
Bank Trojans • Designed to obtain bank credentials (since mid-2004) • 4 main functions: • Monitoring • Harvest data when user visits banking website efficiency • Filter list: www.citibank.com , /TAN/ , “Welcome to Citi” • Spying • Capture user’s banking credentials • Hiding • Ensure Trojan cannot be detected by security software • Updating • Regular update of filter list from control server E-Banking Fraud Schemes
Monitoring techniques (1/3) • Browser Helper Objects (BHOs) • Lightweight DLL extension adding custom functionality to IE • Confirm to Common Object Model (COM) • Loading of BHO into IE • At start-up IE loads COM objects whose CLSID is present in certain Windows registry key • Allows eavesdropping on browser events and user input • InfoStealer Trojan • MITM Attacks E-Banking Fraud Schemes
IExplore.exe WinInet.dll Trojan.dll Call HTTPSendRequestA 12345 45789 HTTPSendRequestA HTTPSendRequestA … Get payload Call 12345 Import Address Table HTTPSendRequestA is at address 12345 Monitoring techniques (2/3) • Hooking WinInet API functions • WinInet.dll: Windows implementation of HTTP(S),FTP • Hooking: • Call to function in WinInet.dll passes via Trojan (redirection) • Trojan has read/write access to payload of function HTTPSendRequestA is at address 45789 E-Banking Fraud Schemes
Monitoring techniques (3/3) • Winsock’s Layered Service Providers (LSP) architecture • WinSock.dll: Windows implementation of TCP/IP • Applications performing network operations load WinSock • Additional libraries can be loaded into WinSock • Benign applications: • Parental control: content filtering • Application-transparent encryption • Malign applications: • Eavesdropping on network communication • Altering financial transaction data E-Banking Fraud Schemes
Spying techniques • Form grabbing • Trojan captures only data that is entered into web form • Common techniques: BHOs, API hooking • Injection of fraudulent pages or fields • Trojan modifies HTML-pages coming from bank on-the-fly • Inserts additional fields or modifies destination of “Log on” button • Trojan receives HTML-pages from control server • Screenshots and video captures • Keylogging • Trojan is triggered when user visits certain URL • Only data entered into webpage is logged • Note: techniques defeat SSL, virtual keyboards, ... E-Banking Fraud Schemes
Example: Infostealer.Banker (1/2) • Installation • Registration of BHO in Windows registry • Generation of random number as ID for infected PC • Registration of ID at server via PHP-script • Operation • BHO contacts server for updated “help.txt” • BHO listens for connections to URLs in “help.txt” • When BHO detects connection to certain URL • BHO looks in “help.txt” for HTML-code to be injected • BHO injects HTML code • Browser displays modified webpage • When user enters credentials into modified webpage, BHO calls PHP-script to upload credentials to server E-Banking Fraud Schemes
Example: Infostealer.Banker (2/2) E-Banking Fraud Schemes
Man-in-the-middle attack • Real-time interception and modification of information interchanged between two entities without either entity noticing • Uses phishing and/or spyware techniques • Man-in-the-middle can be: • Local: spyware on end-user’s PC • Remote: phishing website E-Banking Fraud Schemes
1: “John” 1: “John” 2: OTP 2: OTP 3: “$500 to Bob” 3: “$500 to Bob” Local man-in-the-middle attack • “Man-in-the-browser”, “Local session riding” • General procedure • Infect system with Banking Trojan • Hijack successfully authenticated session • Insert or modify fraudulent transactions End-user’s computer 1: “John” E-banking server Banking Trojan Browser End-user “John” 2: OTP 3: “$5000 to Bill” E-Banking Fraud Schemes
Remote man-in-the-middle attack • General procedure: • Redirect traffic to rogue website • Using common phishing techniques: e-mail, pharming, … • Act as proxy between end-user and real banking website • Keep authenticated session alive and modify transaction data • Reported cases: • Dutch and Swedish retail banks (March 2007): • Infostealer.Banker.C and phishing website • Damage: 4 customers, unknown amount • Belgian retail bank (May/June 2007) • Damage: 3 customers, ~ 10 000 euro E-Banking Fraud Schemes
Organization (1/2) Money mule recruiter Coder Money mule On-line forum (IRC, web) Card skimmer Spammer Exploiter Website designer Botnet Herder E-Banking Fraud Schemes
Organization (2/2) – money mules • Problem of phisher: • E-banking system may not allow money transfers to foreign accounts • Solution: • Phisher recruits “money mules” with bank account in country of targeted bank • Phisher transfers money to bank account of mule • Mule transfers money to phisher (e.g. Western Union, Moneygram) • Money mule recruitment • Regular job adversitement channels • “Financial service manager”, “shipping manager”, “private financial retreiver”, etc. • More information: http://bobbear.co.uk/ E-Banking Fraud Schemes
Fraud Accounting • Cost of phishing attack: • Phishing e-mail + phishing website: $5 • Spam list: $8 • Botnet for sending out spam during 6 hours: $30 • Hacked server to host phishing website: $10 • Valid DNS-name: $10 • Total cost: $63 • Profit from phishing attack • Option 1: selling stolen banking credentials • 20 accounts: $200 - $2000 • Profit: $137 - $1,937 • Option 2: cashing money via money mule • $10,000 on account; 50% for money mule; 50% rip-off rate • Income: $2500 E-Banking Fraud Schemes
Defense Mechanisms Computer Malware & Countermeasures
One-time passwords (1/3) • Strengths • Render compromised end-user credentials less valuable for adversary (only valid once and during limited amount of time) • Limit amount of time between collection and exploitation steps of phishing attack • Break down the traditional economic model of phishing attacks • Phishing economy: specialization means trading • Trading credentials takes time • One-time passwords are invalid before used E-Banking Fraud Schemes
One Time Passwords (Response Only) Encryption DP Secret