Presentation on theme: "Ziv Cohen – Director, EMEA"— Presentation transcript:
1. No Silver Bullet: How Malware Defeats Security Measures and What You Can Do About It
Ziv Cohen – Director, EMEA
April 2012

2. Malware Attacks Are on the Rise
Malware incidents increased more than 30% between 2008 and 2011, causing significant damage.
54 million U.S. adults said they had incidents of malware on their desktops in 2011.
Research - Use a Layered Security Approach to Combat Phishing and Malware-Based Attacks. Published: 26 March 2012

3. Online Banking Fraud is Happening
Online banking fraud losses estimated at $1B in US and Europe.

4. New Online Banking Services Adoption Hindered by Security Concerns
What are the main reasons you have decided not to use mobile banking?
- My banking needs are being met without mobile banking
- I'm concerned about the security of mobile banking
- I don't trust the technology to properly process my banking transaction
- The cost of data access on my wireless plan is too high
- It is too difficult to see on my mobile phone's screen
- Other
- It's difficult or time consuming to set up mobile banking
- I don't have a banking account with which to use mobile banking
- It is not offered by my bank or credit union
- My bank charges a fee for using mobile banking
- Refuse to answer
Federal Survey - Consumers and Mobile Financial Services, March 2012

5. The Cost of Advanced Malware Attack
- 40% of CIOs report malware related internal breaches (2010 Deloitte-NASCIO Cyber Security Study)
- 49% of data breaches incorporated malware (Verizon 2010 Data Breach Report)
- 760 companies attacked with the same resources as RSA. Almost 20% of the Fortune 100 are on this list. (KrebsOnSecurity.com, "Who else was hit by RSA Attackers?")
RSA is not alone. Malware plays a key role in a large number of data breaches. And security analyst Brian Krebs found that 760 companies suffered similar attacks, including 20% of the Fortune 100.

6. The end point is the weak link
Diagram labels: Perimeter Security, Firewall, End Point Security, Intrusion Prevention System, Anti Virus, End Point User, Anti-Virus Gateway, Encryption, Sensitive Data and Apps, Cyber Criminals; paths marked Easy, Easy and Difficult.
What makes malware such a compelling threat? Ultimately, the target of the attack is sensitive business and financial data. Enterprises invest in many layers of security around their data. Directly attacking these backend systems is harder than targeting key employees and using their computers and mobile devices to get into the data.

7. Anatomy of Malware attack
- User Target: Phishing, Drive-by-Download
- Malware Infection: System exploit, Malicious code install
- Attack Launch: Credentials theft, Web injection, Social engineering
- Execute Fraud / Information Theft: Human and Automated

8. Attack Setup, Execute Fraud: Man-in-the-Browser, Web Injection
Slide labels: PII Theft; Login: / Password: ****; Credentials Theft; Social Engineering.
Now the malware is in position and can execute the fraud scheme. Here are a few examples.
After the user logs in they feel rather secure. The malware then injects a page asking the user for personal information. This page looks genuine: same branding, same URL and the padlock is engaged. Nevertheless, it came from the user's machine and NOT from the bank web site. The information entered into this page is sent to the fraudster to execute fraud.
However, malware doesn't have to inject a full page. It can also slightly alter an existing page, for example to capture token values to enable real time fraud.
Malware can also use social engineering to get the user to approve a fraudulent transaction. In this example, the malware asks the user to use a transaction signing device to approve a dummy transaction for training purposes. The user is, in fact, approving a real money transfer.
Note these are the attack steps:
- User logs in
- Malware presents 're-calibration' screens
- User asked to enter the following into the calibration device: "1st calibration number" (= destination account) and "2nd calibration number" (= amount)
- Trx signing device returns auth code
- User enters data into website
- User just authorized money transfer
What is common to all of these scenarios? The malware controls all interaction between the user and the online banking application and can seamlessly alter it to bypass security controls and execute successful fraud schemes.

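An added example, not part of the original presentation: one server-side check for the "slightly alter an existing page" case above, flagging POST parameters that the served form never contained. The form markup, field names and the `check_submission` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs


class FormFieldCollector(HTMLParser):
    """Collect the field names of each <form> in the HTML the server rendered."""

    FIELD_TAGS = {"input", "select", "textarea", "button"}

    def __init__(self):
        super().__init__()
        self.forms = {}       # form action -> set of field names
        self._current = None  # field set of the form being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = self.forms.setdefault(a.get("action", ""), set())
        elif tag in self.FIELD_TAGS and self._current is not None and a.get("name"):
            self._current.add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_submission(rendered_html, action, post_body):
    """Compare a POST body with the form the server actually served for `action`."""
    collector = FormFieldCollector()
    collector.feed(rendered_html)
    expected = collector.forms.get(action, set())
    submitted = set(parse_qs(post_body, keep_blank_values=True))
    unexpected = sorted(submitted - expected)
    return {
        "unexpected": unexpected,                     # never rendered by the server
        "missing": sorted(expected - submitted),      # noisy (unchecked boxes), informational
        "suspicious": bool(unexpected),
    }


# Constructed sample: the login form as served, and two POST bodies.
SERVED = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed">
</form>
"""
CLEAN_POST = "username=alice&password=x&csrf_token=constructed"
ALTERED_POST = CLEAN_POST + "&otp_token=123456&mother_maiden_name="
```

This only sees fields that travel with the genuine form submission; a fully injected page that sends its data straight to the fraudster never reaches the bank's server and needs endpoint-side detection.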
9. Keeping Banks In the Dark - Change Phone
1. User: accesses site
2. Malware: updates user's phone number from 1800TrueNum to 1800ToFraud
3. Bank: sends a confirmation SMS to previous phone, with code and new phone number ("Confirmation Code: 1234 for number 1800ToFraud")
4. Malware: informs user that the bank has issued a FREE SIM CARD for security reasons; user enters code to accept offer
5. Fraudster: enters confirmation code and redirects all future bank SMS/calls to 1800ToFraud

11. Keeping Banks In the Dark - DDoS
FBI warning about Banking Trojan "GAMEOVER":
"After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution"

12. Facebook/Ukash – Cross Channel Attack
To confirm verification you have to enter 20 euro UKash voucher. Ukash vouchers are sold by UKash.com website and Ukash.com is not affiliated with Facebook company. 20 euro will be added to your Facebook main account balance. This verification is used to confirm your age and country of origin. The UKash Voucher consists of 19 numbers and face value (sum), begins on "633". For example

13. MITMO/ZITMO
Diagram labels: Legitimate Website, Malware Command & Control.
1. User accesses site
2. "Please provide your mobile phone number"
3. SMS with link to mobile malware ("install new certificate")
4. Download malware
5. Malware transfers funds (PC is proxy)
6. Transaction approval SMS
7. Malware forwards approval SMS
8. Transaction approved using stolen SMS

14. FFIEC Recognizes Malware as the Root Cause of Most Cybercrime Activities
"Controls implemented in conformance with the Guidance several years ago have become less effective.."
"Malware can compromise some of the most robust online authentication techniques"
The FFIEC in its latest 2011 guidance has also recognized that virtually no security control is immune to malware attacks.

15. The Challenge: No Silver Bullet
Security control (x = Bypassed): what bypasses it
- Device Identification, Challenge Questions: Malware
- OTP Devices: Man in the Browser, Real Time Phishing
- Transaction Verification: Man in the Mobile
- Virtual Browser on Stick: Memory Injection Malware
- Transaction Signing: Social Engineering Malware
- Clickstream Detection: Malware adopts human-like behavior

16. Intelligent, Adaptive, Automated
Slide labels: Threat Intelligence, Adaptive Protection, Sustainable Cybercrime Prevention.
Why is our customer base growing so rapidly? Because we have perfected the process for sustainable cybercrime prevention. As threats evolve we adapt to maintain optimal defense. We build on two core capabilities:
- First, Threat Intelligence: understanding how fraudsters change their attack tactics to bypass security controls.
- Second, Adaptive Protection: quickly creating and deploying countermeasures.
Together, these capabilities create a dynamic security control that can maintain its effectiveness over the long haul. Let's look into Threat Intelligence and Adaptive Protection in more detail.

17. Crime Logic vs. Files and Signatures
Trusteer: What it does? Crime Logic (100s): Exploit, Infect, Hook, Inject, Access, Theft.
Anti-Virus, Legacy: What it is? Files and Signatures ( s).
How is Trusteer threat intelligence different?
AV and other solutions like firewalls and intrusion prevention systems focus on what the malware IS. They use signatures to detect malware. They are ineffective against new malware because they don't have its signature. Almost 60% of malware evades these systems and signatures are created after the damage is done.
Trusteer on the other hand focuses on what the malware DOES. We call this Crime Logic. Crime Logic is the attack tactics used to execute fraud, including how malware exploits vulnerabilities on the endpoints and the specific process it uses to install itself. Trusteer also maps the ways malware hooks into critical browser services and the way it injects data into the browser. Finally, Trusteer tracks how malware distributes and processes data to enable automated or human initiated fraud.
More details:
- Exploit: how malicious code on web sites can exploit a vulnerability in the browser or the operating system to initiate a download of malware
- Infect: how malware installs itself on the endpoint
- Hook: how malware hooks into browser APIs or Add-Ons to achieve visibility and control of end user activity (key logging, web session)
- Inject: the pages the malware targets and the content that is being injected (additional fields, net new pages)
- Access: how cybercriminals achieve access to target systems (human or automated)
- Theft: how the theft actually occurs (credentials sent to drop servers, on-the-fly transactions, cross-channel fraud with PII)

18. First to Discover New Forms of Malware
Slide labels: Tens of Millions of Endpoints; Endpoints Detect and Stop Crime Logic; OddJob, Shylock, Sunspot, Torpig v2, SpitMo for Android, Ramnit goes financial.
This unique focus on Crime Logic and the massive network of tens of millions of endpoints enabled Trusteer to identify 6 new malware flavors in the past year alone. For example, in Australia, Trusteer was first to detect SpitMo, a SpyEye variant tampering with transaction verification SMSs on Android devices. Another discovery in South Africa was the transformation of Ramnit, a benign worm, into financial malware. Apparently, Ramnit incorporated code from another malware, Zeus, and now attacks online banking. More than 25% of all financial malware we are seeing in the wild is Ramnit based.

19. Ready, Before the Threat Reaches You
Slide labels: Tens of Millions of Endpoints; Endpoints Detect and Stop Crime Logic; OddJob, Sunspot, Shylock, Torpig v2, SpitMo for Android, Ramnit goes financial.
Trusteer has adapted to stop these threats. The specific countermeasures were deployed to all of our users worldwide, so by the time threats migrated to attack new territories, users were protected against the new attack vectors. This combination of very early detection and rapid response is what separates Trusteer from other fraud prevention solutions. Our customers state that they have witnessed dramatic reduction in fraud attempts, as you can see in public case studies on our web sites.

20. Process, People, Products
Diagram labels: Cybercrime Intelligence, Analytics & Management, Crime Logic, Risk Assessment, Fraud Alert, Trusteer Intelligence Center, Corp, Online Threats, Adaptive Protection, Known crime logic, Unknown crime logic.
Let's take a look at the full Cybercrime Prevention process.
Trusteer provides 2 protection layers: Rapport that executes on PC, Mac and mobile devices, and Pinpoint that is integrated with the online banking application. When an online threat enters a Trusteer protected endpoint, a 4 step process is executed.
- First, Trusteer secures the endpoint by detecting and stopping any attempt to tamper with web pages, the browser or other operating system services that are required to initiate an attack.
- Next, all new Crime Logic indicators are reported to the Trusteer Cybercrime intelligence cloud. Trusteer Intelligence Center experts use specialized tools and techniques to perform risk assessment and determine the appropriate response.
- Trusteer develops 2 types of countermeasures: specific instructions on how to remove the threat from the endpoint and how to block future attacks on any protected endpoint.
This process is repeated to ensure users remain protected against new and emerging threats.

21. Less Cost, Less Complexity
Trusteer Cybercrime Prevention Architecture: industry leading solution for online cybercrime activities
- Intelligence-based risk assessment
- Multi-layer protection against malware
- No malware = Transaction anomaly prevention
- Layer 2: Fraudulent Activity Detection. Detect malware-infected users, devices; detect and stop real-time phishing. Products: Trusteer Pinpoint for Malware Detection, Trusteer Pinpoint for Phishing Detection.
- Layer 1: Endpoint-Threat Protection. Stop and remove financial malware, phishing; protect against mobile malware, high risk devices. Products: Trusteer Rapport for PC/Mac, Trusteer Rapport for Mobile.
Trusteer Cybercrime Prevention Architecture is the technology foundation of our service. It tackles online fraud both on the end point and the web application tiers and is built upon real-time intelligence and threat research.
The first layer provides endpoint threat protection. Trusteer Rapport clients protect PC, Mac and mobile devices. By preventing endpoint compromise and browser-based attacks, fraud attempts are drastically reduced.
The second layer provides fraudulent activity detection. Trusteer Pinpoint modules detect malware and phishing activity that enable our customers to focus on high risk users, devices and transactions and streamline fraud prevention processes.
Both layers are sustained by an intelligence platform and cybercrime experts that ensure maximum protection.
Overall this architecture addresses the core requirements of the FFIEC guidance:
- Continuous risk assessment based on intelligence gathered from Trusteer protected endpoints, and
- Multi-layer protection at the client and web application layers.
By disabling malware impact on the client and the application, anomalous transactions are reduced across all channels. At the same time, less malware means less cost and complexity in fraud prevention operations.