Download presentation
Presentation is loading. Please wait.
Published byGarey Copeland Modified over 9 years ago
1
E-Banking Fraud Schemes E-Banking Fraud Schemes: Attack Trends and Defenses Andrew Showstead, VASCO Data Security
2
E-Banking Fraud Schemes Agenda ›Attack trends ›Phishing attacks ›Spyware attacks ›Man-in-the-middle (MITM) attacks ›The cybercrime black market ›Defense mechanisms ›One-time passwords ›Electronic signatures ›User education ›Conclusion
3
Computer Malware & Countermeasures Phishing
4
E-Banking Fraud Schemes Phishing attacks: introduction (2/2)
5
E-Banking Fraud Schemes Why phishing works ›Technologies for server authentication exist ›E.g. SSL/TLS with X.509v3 certificates ›Study by Harvard University & UC Berkeley (4/2006) ›Security indicators are not noticed or understood ›Security indicators can be spoofed ParticipantsSuccess rate Website content only23%40% Also address bar36%61% Also “https”9%63% Also padlock icon23%79% Also certificates9%76%
6
E-Banking Fraud Schemes Context-aware phishing (1/4) ›Also called “spear phishing” ›Phishing attack against: ›Employees of certain company, agency, organization,... ›People using a certain product or service ›Spear phishing e-mails are more convincing: ›Include personal information ›Appear to come from known person (e.g. IT, head of HR, head of Sales and Marketing) ›Information sources: ›Compromised databases ›monster.com (1.3M job seekers, 8/2007), USAJobs.com (146K job seekers, 8/2007), Salesforce.com (11/2007) ›Social networking sites (e.g. LinkedIn, FaceBook, MySpace)
7
E-Banking Fraud Schemes Context-aware phishing (2/4)
8
E-Banking Fraud Schemes Context-aware phishing (3/4)
9
E-Banking Fraud Schemes Context-aware phishing (4/4)
10
E-Banking Fraud Schemes Context-aware phishing (5/6)
11
E-Banking Fraud Schemes Context-aware phishing (6/6) ›Reported case: (9/2006) ›Step 1: information gathering ›Attackers broke into computer systems of ›Attackers stole information of 19,000 customers ›Step 2: information usage ›Attackers sent e-mail to customers, including personal information and a claim about recent order requiring the customer’s attention ›Customers were led to website and asked for more information
12
E-Banking Fraud Schemes Effectiveness of Spear Phishing ›Gartner: non-targeted phishing ›19% clicks on link in e-mail ›3% gives away personal information ›Indiana University (US): targeted phishing ›E-mail from friend: 72% gives away personal information ›E-mail from unknown student: 16% gives away personal information ›West Point Military Academy (US): targeted phishing ›E-mail from colonel to cadets: 80% gives away personal information
13
E-Banking Fraud Schemes Whaling (1/4) ›Definition ›Spear phishing attack against high-level executives in a single organization, or executives common to different organizations (e.g. CEO, CIO, PM) ›May involve e-mail, postal mail,...
14
E-Banking Fraud Schemes Whaling (2/4)
15
E-Banking Fraud Schemes Whaling (3/4) ›Reported case: MessageLabs (6/2007) ›MessageLabs intercepted 500 highly targeted e-mail messages with Word-document ›Name and job title in subject line ›Family and friends were targeted as well in order to access home computers
16
E-Banking Fraud Schemes Whaling (4/4) BBB (SecureWorks, 5/2007 and MessageLabs, 11/2007) Federal Trade Commission (11/2007) United States Department of Justice (Websense, 11/2007)
17
E-Banking Fraud Schemes Optimizing delivery of phishing e-mails ›Common phishing protection mechanisms: ›Spam filter: detect phishing e-mails before end-user’s inbox ›Browser: warn end-user when visiting phishing server ›Based on blacklisting URLs of known phishing servers ›Report phishing website at http://www.PhishTank.comhttp://www.PhishTank.com
18
Preventing Blacklisting ›URL variations ›http://www.secure-bank.com:80http://www.secure-bank.com:80 ›Randomized subdomains ›Unique URL per user / number of users ›http://www.barclays.co.uk.X.lot80.info/ (X: random number)http://www.barclays.co.uk.X.lot80.info/ ›Allows tracking end-user responses E-Banking Fraud Schemes
19
Alternative channels (1/2) - vishing ›Voice (phone) phishing ›Two types: 1.Fraudster calls end-user and asks for credentials 2.End-user is tricked to call fraudster (via e-mail, voice mail) ›Strengths: ›Telephone systems have longer record of trust ›A greater percentage of people can be reached (e.g. elderly) ›People are used to automatic answering services ›Making or receiving calls is cheap ›Caller ID can be spoofed
20
Alternative channels (2/2) - smishing ›SMS phishing – phishing with text messages ›Process: 1.End-user receives SMS telling him that ›he has successfully subscribed to a service, ›he will be charged for the service, ›he can visit a website to unsubscribe from a service 2.End-user visits website and provides sensitive information
21
Pharming
22
E-Banking Fraud Schemes Pharming (1/7) ›Interfere with the resolution of a domain name to an IP-address so that domain name of genuine website is mapped onto IP- address of rogue website www.barclays.co.uk www.google.co.uk 213.219.1.141 64.233.183.99
23
E-Banking Fraud Schemes Pharming (2/7) – hosts file poisoning
24
E-Banking Fraud Schemes Pharming (3/7) – hosts file poisoning ›Adding {domain name, IP-address} pairs to hosts file ›Method: ›Hosts-file contains {domain name, IP-address} pairs ›Windows XP/Vista: %SystemRoot%\system32\drivers\etc ›DNS resolver looks up hosts file on end-user’s PC prior to contacting DNS-server
25
E-Banking Fraud Schemes ›Unsolicited information in replies is accepted ›Example: a DNS-server can provide an IP-address for www.real-bank.com although the address of www.mock- bank.com was asked www.real-bank.comwww.mock- bank.com Pharming (5/7) – DNS cache poisoning
26
Drive By Attacks – Samy is My Hero E-Banking Fraud Schemes › MySpace Worm › Added users to Samy’s Friends list without authorization by user › Added text “but most of all, Samy is My Hero” to user pages › Propogation: › Author originally had 73 “friends” › 7 hours later, 221 new friend requests ›13 hours: 2,503 friends and 6,373 friend requests ›After about 18 hours, over 1,005,831 new friend requests › Response ›MySpace – complete service shutdown ›“Samy” sentenced to 3 years probabtion and community service – Internet ban
27
E-Banking Fraud Schemes Drive By Attacks – Samy is My Hero
28
E-Banking Fraud Schemes Pharming (6/7) – drive-by pharming ›Technique to alter DNS settings of (wireless) home router ›Method: 1.User downloads web page containing Java applet and JavaScript 2.Java applet detects IP-address of host and addressing scheme 3.JavaScript pings other hosts and discovers brand of router 4.JavaScript accesses configuration screens using default passwords ›Reported case: Mexican bank (1/2008) ›Attack on 2wire router ›Victim receives e-mail saying e-card waiting at www.gusanito.com www.gusanito.com ›E-mail contains HTML IMG tag resulting in HTTP GET to home router; no HTTP-authentication required ›HTTP GET changes DNS settings of router (XSRF attack)
29
E-Banking Fraud Schemes Fast-flux service networks (1/2) ›Basic components of phishing infrastructure ›One or more web-servers to host rogue website ›One or more domain names, e.g. www.my-bank.infowww.my-bank.info ›Popular top-level domains:.hk,.cc and.info ›One or more DNS-servers, which are configured to be authoritative for the registered domain names ›Phishing infrastructure requirements: ›High availability ›Website should not be taken down too soon by bank or ISP ›Easily manageable ›Webpages should not be dispersed among too many web servers ›Can be realized using fast-flux approach
30
E-Banking Fraud Schemes Fast-flux service networks (2/2) ›Simple fast-flux
31
Spyware
32
E-Banking Fraud Schemes Spyware ›Definition of spyware attack ›Attempt to fraudulently obtain sensitive information such as usernames, passwords and credit-card details, by covertly intercepting information exchanged during an electronic communication
33
E-Banking Fraud Schemes Bank Trojans ›Designed to obtain bank credentials (since mid-2004) ›4 main functions: ›Monitoring ›Harvest data when user visits banking website efficiency ›Filter list: www.citibank.com, /TAN/, “Welcome to Citi”www.citibank.com ›Spying ›Capture user’s banking credentials ›Hiding ›Ensure Trojan cannot be detected by security software ›Updating ›Regular update of filter list from control server
34
E-Banking Fraud Schemes Monitoring techniques (1/3) ›Browser Helper Objects (BHOs) ›Lightweight DLL extension adding custom functionality to IE ›Confirm to Common Object Model (COM) ›Loading of BHO into IE ›At start-up IE loads COM objects whose CLSID is present in certain Windows registry key ›Allows eavesdropping on browser events and user input ›InfoStealer Trojan ›MITM Attacks
35
E-Banking Fraud Schemes Monitoring techniques (2/3) ›Hooking WinInet API functions ›WinInet.dll: Windows implementation of HTTP(S),FTP ›Hooking: ›Call to function in WinInet.dll passes via Trojan (redirection) ›Trojan has read/write access to payload of function IExplore.exe Call HTTPSendRequestA Import Address Table HTTPSendRequestA is at address 12345 WinInet.dll HTTPSendRequestA 12345 Trojan.dll HTTPSendRequestA … Get payload Call 12345 45789 HTTPSendRequestA is at address 45789
36
E-Banking Fraud Schemes Monitoring techniques (3/3) ›Winsock’s Layered Service Providers (LSP) architecture ›WinSock.dll: Windows implementation of TCP/IP ›Applications performing network operations load WinSock ›Additional libraries can be loaded into WinSock ›Benign applications: ›Parental control: content filtering ›Application-transparent encryption ›Malign applications: ›Eavesdropping on network communication ›Altering financial transaction data
37
E-Banking Fraud Schemes Spying techniques ›Form grabbing ›Trojan captures only data that is entered into web form ›Common techniques: BHOs, API hooking ›Injection of fraudulent pages or fields ›Trojan modifies HTML-pages coming from bank on-the-fly ›Inserts additional fields or modifies destination of “Log on” button ›Trojan receives HTML-pages from control server ›Screenshots and video captures ›Keylogging ›Trojan is triggered when user visits certain URL ›Only data entered into webpage is logged ›Note: techniques defeat SSL, virtual keyboards,...
38
E-Banking Fraud Schemes Example: Infostealer.Banker (1/2) ›Installation ›Registration of BHO in Windows registry ›Generation of random number as ID for infected PC ›Registration of ID at server via PHP-script ›Operation ›BHO contacts server for updated “help.txt” ›BHO listens for connections to URLs in “help.txt” ›When BHO detects connection to certain URL ›BHO looks in “help.txt” for HTML-code to be injected ›BHO injects HTML code ›Browser displays modified webpage ›When user enters credentials into modified webpage, BHO calls PHP-script to upload credentials to server
39
E-Banking Fraud Schemes Example: Infostealer.Banker (2/2)
40
Man-in-the-middle Attacks
41
E-Banking Fraud Schemes Man-in-the-middle attack ›Real-time interception and modification of information interchanged between two entities without either entity noticing ›Uses phishing and/or spyware techniques ›Man-in-the-middle can be: ›Local: spyware on end-user’s PC ›Remote: phishing website
42
E-Banking Fraud Schemes Local man-in-the-middle attack ›“Man-in-the-browser”, “Local session riding” ›General procedure › Infect system with Banking Trojan › Hijack successfully authenticated session › Insert or modify fraudulent transactions End-user’s computer 2: OTP E-banking server Banking Trojan 1: “John” Browser 1: “John” 2: OTP 3: “$500 to Bob” 3: “$5000 to Bill” End-user “John”
43
E-Banking Fraud Schemes Remote man-in-the-middle attack ›General procedure: ›Redirect traffic to rogue website ›Using common phishing techniques: e-mail, pharming, … ›Act as proxy between end-user and real banking website ›Keep authenticated session alive and modify transaction data ›Reported cases: ›Dutch and Swedish retail banks (March 2007): ›Infostealer.Banker.C and phishing website ›Damage: 4 customers, unknown amount ›Belgian retail bank (May/June 2007) ›Damage: 3 customers, ~ 10 000 euro
44
The Cybercrime Black Market
45
E-Banking Fraud Schemes Organization (1/2) On-line forum (IRC, web) Spammer Exploiter Card skimmer Money mule recruiter Website designer Coder Botnet Herder
46
E-Banking Fraud Schemes Organization (2/2) – money mules ›Problem of phisher: ›E-banking system may not allow money transfers to foreign accounts ›Solution: ›Phisher recruits “money mules” with bank account in country of targeted bank ›Phisher transfers money to bank account of mule ›Mule transfers money to phisher (e.g. Western Union, Moneygram) ›Money mule recruitment ›Regular job adversitement channels ›“Financial service manager”, “shipping manager”, “private financial retreiver”, etc. ›More information: http://bobbear.co.uk/http://bobbear.co.uk/
47
E-Banking Fraud Schemes Fraud Accounting ›Cost of phishing attack: ›Phishing e-mail + phishing website: $5 ›Spam list: $8 ›Botnet for sending out spam during 6 hours: $30 ›Hacked server to host phishing website: $10 ›Valid DNS-name: $10 ›Total cost: $63 ›Profit from phishing attack ›Option 1: selling stolen banking credentials ›20 accounts: $200 - $2000 ›Profit: $137 - $1,937 ›Option 2: cashing money via money mule ›$10,000 on account; 50% for money mule; 50% rip-off rate ›Income: $2500
48
Computer Malware & Countermeasures Defense Mechanisms
49
E-Banking Fraud Schemes One-time passwords (1/3) ›Strengths ›Render compromised end-user credentials less valuable for adversary (only valid once and during limited amount of time) ›Limit amount of time between collection and exploitation steps of phishing attack ›Break down the traditional economic model of phishing attacks ›Phishing economy: specialization means trading ›Trading credentials takes time ›One-time passwords are invalid before used
50
One Time Passwords (Response Only) Encryption DP Secret
51
Application Time-Based Response Userid = A Password = OTP 3DES 342601 Internet A – SN – DP Secret B – SN’ – DP Secret’ “.dpx file” 3DES DP Secret Digipass Serial Number = SN ?=?=
52
E-Banking Fraud Schemes Electronic signatures (1/6) ›One-time passwords provide only end-user authentication ›Server only knows that genuine end-user is present at log-on ›Server cannot detect modifications or injections after log-on ›Electronic signatures provide transaction authentication ›Server can detect and reject unauthenticated transactions or changes to transactions 3: OTP End-user “John” E-banking server MITM 1: “John” 2: “John” 5: “OK” 6: “Error” 7: “$5000 to Bill” 4: OTP
53
Data Signature (Electronic Signature, MAC) 3DES MAC DP Secret Field A Field B Field C + ›Electronic signatures provide transaction authentication ›Server can detect and reject unauthenticated transactions or changes to transactions
54
Application Data Signature (Electronic Signature, MAC) Userid = A Field A Field B Field C Password = MAC 3DES MAC Internet Digipass Serial Number = SN 3DES MAC DP Secret Field A Field B Field C Field A Field B Field C A – SN – DP Secret B – SN’ – DP Secret’ “.dpx file” + + ?=?=
55
E-Banking Fraud Schemes Electronic signatures ›Conflict: security vs. user-friendliness ›Solution: security policies ›Policies determine when / what has to be signed ›Implemented at server-side flexible ›Possible criteria ›Amount of money (how large?) ›Beneficiary bank account number (used previously?) ›Determine risk of transaction ›Result ›Electronic signature only required in case of high-risk transactions ›Paying tax or bills (e.g. electricity, water, phone,...): no signature ›Transferring to other accounts of end-user (e.g. savings account): no signature ›Facilitates envelope transactions (many-in-one) ›“Risk-based Transaction Authentication”
56
E-Banking Fraud Schemes End-user education ›The end-user remains the weakest link in the security chain ›Train end-users in “street smarts”: ›Do NOT respond to emails asking to log-on ›Install software from a trustworthy source only ›DO type URLs or use bookmarks ›DO motivate end-users to install a firewall and anti-virus scanner ›E.g. Barclays UK & F-Secure ›E.g. Firstrade Securities US & Trend Micro ›Follow your own guidelines! ›For example, many organizations fail to renew SSL-certificates before they expire!
57
E-Banking Fraud Schemes Conclusion ›Sophistication of e-banking fraud schemes is increasing ›Phishing ›Alternative delivery channels: not only e-mail ›Targeted phishing ›Spyware ›Better hiding techniques; rootkit technology likely to be used more ›Better stealing techniques ›Need for strong authentication mechanisms is increasing ›Safe solutions are possible ›Combine end-user authentication and transaction authentication ›Usability must be taken into account to prevent social engineering
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.