Evolution of Remote Banking Fraud. Richard Martin, Security Unit, UK Payments. Royal Holloway, 10 September 2011.
UK Payments: voice of the payments industry. Payment scheme management – we run the Payments Council, BACS, CHAPS, Faster Payments, cheques, cash… Our schemes processed nearly 7 billion payments in 2009, with a value of £69 trillion (for comparison, UK GDP is around £2 trillion). Protecting the integrity of UK payments systems. We are increasingly central to the UK anti-fraud effort.
Payments Council members
The world we live in: Internet is a major channel for banks and payments. Challenges: Internet is not secure; customer PCs are not secure. But customers love it, and banks love it, so we need to address the challenges. Source: UK Payments, 2011
What is being attacked? Not the bank directly (so much). The customer: static authentication credentials & card details, “data that never changes”, which can therefore be stolen or given away. The customer’s equipment: malware!
Part 1: Phishing. Phishing attacks are becoming more sophisticated:
Phishing incidents – UK banks. Total for 2010: 61,873 incidents. Source: UK Payments 2011
Phishing – looking closer. Source: UK Payments 2011
Standard phishing life cycle (diagram): SpamBot; phishing hosts (bots); various DNS tools – fast-flux etc.; credential recovery / storage; attacker.
Developments in Phishing: ADAPTIVE PHISHING. Sites designed to evade / confuse analysis. Phishing host serves up different sites depending on localisation and other factors. One site can: Firefox with German language – redirect to German PayPal phishing site; IE with English language – redirect to English bank phish; Seamonkey – try to install malware; text browsers (often used by analysts) – Error 404; browser run within a VM (ditto) – Error 404.
Developments in Phishing: LIVE PHISHING. Customer enticed to visit fake bank site as usual. All communications relayed by phishing site to bank site in real time. Payment / authentication requests injected / amended by attacker. Target: two-factor authentication.
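An added example, not part of the original slides: a triage helper that takes what one suspect URL returned to several client profiles and decides whether the host is behaving adaptively as described above. The profile names, hosts and statuses are constructed sample data, and the profile labels are assumptions.

```python
from collections import defaultdict

# Constructed observations of ONE suspect URL fetched under several client
# profiles: (profile, HTTP status, host of the final landing page).
OBSERVATIONS = [
    ("firefox/de", 200, "de-payment-phish.example"),
    ("ie/en", 200, "bank-phish.example"),
    ("seamonkey/en", 200, "dropper.example"),
    ("text-browser", 404, "suspect.example"),
    ("browser-in-vm", 404, "suspect.example"),
]
# Profiles that look like analysis tooling rather than a real customer.
ANALYST_PROFILES = {"text-browser", "browser-in-vm", "crawler"}


def cloaking_report(observations):
    """Group client profiles by the outcome each received from the same URL."""
    outcomes = defaultdict(list)
    for profile, status, host in observations:
        outcomes[(status, host)].append(profile)
    live = sorted(p for (s, _), ps in outcomes.items() if s < 400 for p in ps)
    errored = sorted(p for (s, _), ps in outcomes.items() if s >= 400 for p in ps)
    return {
        "distinct_outcomes": len(outcomes),
        # Different answers to different clients is the adaptive behaviour.
        "cloaking_suspected": len(outcomes) > 1,
        # Only analysis-style clients were refused: the 404 is evasion.
        "errors_only_for_analysts": bool(errored) and set(errored) <= ANALYST_PROFILES,
        # A takedown is confirmed only when no profile still gets content.
        "takedown_confirmed": bool(errored) and not live,
        "landing_hosts": sorted({h for (s, h) in outcomes if s < 400}),
    }
```

A 404 seen from a text browser or a VM is therefore not evidence that the site is gone; the report only confirms a takedown when every profile is refused.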
Phishing still here because… It still works! Would ignore / delete a phishing: 65%, 50%, 57%, 59%. Would ask bank for advice: 28%, 39%, 31%. “Would act on it”: 4%, 3.8%, 4%, 6%. Under 24 year-olds who “would act on it”: 12%, 13%. Source: UK Payments
Some further reading: Dhamija (Harvard) & Tygar and Hearst (UC Berkeley); Wu, Miller, Garfinkel (MIT Computer Science and Artificial Intelligence Lab); Jagatic, Johnson, Jakobsson, and Menczer (School of Informatics, Indiana University, Bloomington) preprint.pdf. Other good sources of research on people’s perception and acceptance of risk: Prof. A. John Maule (Leeds), Dr Angela Sasse (UCL), Hazel Lacohee (BT).
Part 2: Malware. Some names to remember: Torpig, Zeus (aka z-Bot, Sinowall), SpyEye, PSP2-BBB, Silent Banker, Yaludle, Bugat, Carberp, Silon… Two factor authentication is now a target. Man In The Browser is the new Man In The Middle. Scripting: automated payment injection. Controlled distribution: targeted, low infection numbers, quiet operation. They work but: difficult to industrialise; their effect can be detected (odd GET and POST data, old/nonexistent fieldnames, unusual browser headers etc…); they can be “broken”.
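The detection point in the last bullets, as an added example (not from the original slides): a server-side check that compares one payment POST against the form the bank actually serves. The field names, expected header set and both sample requests are constructed assumptions for a hypothetical site.

```python
from urllib.parse import parse_qsl

# Assumed (hypothetical) definition of the bank's current payment form.
CURRENT_FIELDS = {"csrf_token", "from_acct", "payee_sort", "payee_acct",
                  "amount", "reference"}
# Field names from an earlier release of the form, no longer served.
RETIRED_FIELDS = {"beneficiary", "amt", "memo"}
# Headers this hypothetical site always sees on a genuine form POST.
EXPECTED_HEADERS = {"host", "user-agent", "accept", "accept-language",
                    "content-type", "referer"}


def inspect_post(headers, body):
    """Return anomaly strings for one URL-encoded payment POST."""
    names = [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    seen = set(names)
    findings = [f"retired field: {n}" for n in sorted(seen & RETIRED_FIELDS)]
    findings += [f"unknown field: {n}"
                 for n in sorted(seen - CURRENT_FIELDS - RETIRED_FIELDS)]
    findings += [f"missing field: {n}" for n in sorted(CURRENT_FIELDS - seen)]
    findings += [f"duplicate field: {n}"
                 for n in sorted(seen) if names.count(n) > 1]
    present = {h.lower() for h in headers}
    findings += [f"missing header: {h}"
                 for h in sorted(EXPECTED_HEADERS - present)]
    return findings


# Constructed sample requests (not captured traffic).
CLEAN_HEADERS = {"Host": "bank.example", "User-Agent": "Mozilla/5.0",
                 "Accept": "text/html", "Accept-Language": "en-GB",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Referer": "https://bank.example/pay"}
CLEAN_BODY = ("csrf_token=t0k&from_acct=111&payee_sort=20-00-00"
              "&payee_acct=222&amount=50.00&reference=rent")
ODD_HEADERS = {"Host": "bank.example", "User-Agent": "Mozilla/5.0",
               "Accept": "*/*",
               "Content-Type": "application/x-www-form-urlencoded"}
ODD_BODY = CLEAN_BODY + "&amount=4900.00&beneficiary=333&full_passcode=1234"

if __name__ == "__main__":
    for finding in inspect_post(ODD_HEADERS, ODD_BODY):
        print(finding)
```

Findings like these are signals to feed the back-end detection layer, since a genuine browser on an old cached page can also send a retired field name.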
Part 3: Money Mules. Bad guys use phishing and malware to gain access to accounts, but they need one more thing to get hold of the money: mules. Mule = a friendly account, to which funds from a victim’s account can be transferred. Adverts in job websites, banner ads, printed newspapers… We typically see new fake companies set up each month. Fire and forget: they usually last for one transaction before the bank shuts down their account. Example job offer: “We have found your resume at Monster.com and would like to suggest you a "Transfer manager" vacancy. We have thoroughly studied your resume and are happy to inform you that your skills completely meet our requirements for this position. Our company buy, sell, and exchange digital currencies, like E-gold and E-bullion.”
Put it all together – Online Banking Fraud Workflow (diagram): Collect → Test → Market → Defraud → Launder. Diagram labels: Credentials valid? Available funds? ID theft opportunities? Professionals in place; Recruit “mules”; Check validity (no cops please!); Trade credentials; Build attack profile; Transfer funds; Funds out of system; Money transfer; Intermediate destinations; Proceeds distributed; Research & Development.
Loss trends Net loss to banks from online banking fraud,
Tactics and countermeasures: Strength in depth – the multi-layered approach. Identifying & protecting point of risk. Banks can also put a stronger lock on the front door (two-factor authentication). Back-end detection; service controls; transaction authentication; log-on authentication; increasing customer visibility.
A stronger front door. Multifactor authentication - what banks need to consider: millions of customers; millions with several accounts; cheap; easy to use; secure. Simples!
Attacking two-factor: Two factor remains technically very secure. Attackers circumvent by exploiting user uncertainty, because customers remain vulnerable to social engineering – assumption of authority: “We have changed the process – you must do it this way now…” Attacks seen elsewhere in the world for years (TANs, iTANs, OTP).
Socially Engineering EMV CAP: 1. In order to make payment ….. 2. Beneficiary Acct = Amount = £ “Enter Ref” 5. “Enter Amount” 6. Passcode = becomes: A further security check ….. 2. Security Code 1 = Security Code 2 = “Enter Ref” 5. “Enter Amount” 6. Passcode =
What does the customer see?
Malware features - Carberp: persistent storage in browser; get account balance; replace login button with a malicious version; hide fraudulent transactions on statement display from user; hide fraudulent logins from user; amend transaction requests on the fly and hide from user; installs a rogue Anti Virus app.
Zeus: Probably the most significant identity theft malware in existence (but may be about to go into decline). Nicely written, regularly updated, full technical support for customers. Targets two-factor authentication. Man in the browser, HTML injection, etc etc. Some banks using out of band authentication with mobile phones as a means of combating MITB: customers are sent a one-time passcode or a challenge via SMS or voice. SMS intercept.
Mobile phones for two-factor: Out of band authentication. Good in principle; increases challenge of interception. Practical challenges: ensuring all customers have a phone, that it is switched on & in range; SMS delivery is not guaranteed or SLA'd. Bringing other parties into the authentication loop - don’t ignore the risks. Attacks in Turkey, South Africa, Australia, Spain and UK: account takeover, redirection of replacement SIMs; phone call redirection. Malware on phones is now a reality.
Zeus SMS “Zitmo”: Zeus-infected victim is asked to provide their mobile model and number. SMS containing link to “a new security certificate” sent to phone. Victim clicks on link and malware installs. For Symbian devices, the bad guys obtained a genuine developer certificate, since revoked (but no OCSP!!). Malware includes a cracked version of SMS Monitor. SMS traffic from known bank SMS numbers is intercepted and redirected to C&C. Incoming SMS from C&C number used to issue commands. Malware can create/delete entries in the phonebook. C&C was a UK number registered to Cable & Wireless Guernsey Ltd (Sure Telecom). Calling MyBank Support.
Zeus arrests: 11 arrests in UK in September 2010 (mainly mules); 38 in USA (ditto); 5 in Ukraine (aha!). Consequences: Zeus the subject of a “takeover” by SpyEye coder, with functionality to be migrated to SpyEye. (Images: UK arrests, USA arrests, Ukraine arrests.)
Malware – what next? Zeus/SpyEye merger probably a sign that the “Tier 1” bad guys have recognised that Zeus’ usefulness is nearing its end. Dump and move on. Malware as a service emerging. Point and click malware kits.
Further malware reading: Zeus tracker: https://zeustracker.abuse.ch/; Spyeye tracker: https://spyeyetracker.abuse.ch/; InfoWar Monitor; Malware Intelligence Blog: malwareint.blogspot.com; Contagio malware dump: contagiodump.blogspot.com; TrustDefender Labs blog; F-Secure blog; Brian Krebs; Gary Warner blog: garwarner.blogspot.com
Where are the real vulnerabilities? OS: 95% of customers use Windows – it’s the way it is; 90% of Windows installs ARE up to date. Ubiquitous 3rd party software: 80% of Adobe Flash installs are NOT up to date; 84% of Adobe Acrobat installs are NOT up to date. “Trusted” software does not always act in the users’ best interests: some of the most popular iPhone games contain spyware.
Banks are not the only fruit: As banks harden their defences, the attackers are turning to weaker targets. ALL online businesses are at risk. Facebook, Twitter, Myspace, LinkedIn etc. being raided for ID theft and card data. Retailer customer accounts raided for payment details, backend databases. Businesses being attacked via their web front ends or by “spear phishing” to gain access to corporate networks. Industrial & state espionage, intellectual property theft, sabotage, financial fraud, etc.
Things to come: living in a digital world, expect the unexpected.