E-Banking Fraud Schemes: Attack Trends and Defenses
Andrew Showstead, VASCO Data Security

Agenda
› Attack trends
  › Phishing attacks
  › Spyware attacks
  › Man-in-the-middle (MITM) attacks
  › The cybercrime black market
› Defense mechanisms
  › One-time passwords
  › Electronic signatures
  › User education
› Conclusion

Phishing

Phishing attacks: introduction (2/2)

Why phishing works
› Technologies for server authentication exist
  › E.g. SSL/TLS with X.509v3 certificates
› Study by Harvard University & UC Berkeley (Dhamija, Tygar, Hearst, "Why Phishing Works", 4/2006)
  › Security indicators are not noticed or understood
  › Security indicators can be spoofed

  Indicators the participant looked at    Participants    Success rate
  Website content only                    23%             40%
  Also address bar                        36%             61%
  Also "https"                            9%              63%
  Also padlock icon                       23%             79%
  Also certificates                       9%              76%

Context-aware phishing (1/4)
› Also called "spear phishing"
› Phishing attack against:
  › Employees of a certain company, agency, organization, ...
  › People using a certain product or service
› Spear phishing e-mails are more convincing:
  › Include personal information
  › Appear to come from a known person (e.g. IT, head of HR, head of Sales and Marketing)
› Information sources:
  › Compromised databases
    › monster.com (1.3M job seekers, 8/2007), USAJobs.com (146K job seekers, 8/2007), Salesforce.com (11/2007)
  › Social networking sites (e.g. LinkedIn, Facebook, MySpace)

Context-aware phishing (2/4), (3/4), (4/4), (5/6): slides without transcribed text

Context-aware phishing (6/6)
› Reported case (9/2006):
  › Step 1: information gathering
    › Attackers broke into the targeted organization's computer systems
    › Attackers stole the information of 19,000 customers
  › Step 2: information usage
    › Attackers sent e-mail to the customers, including personal information and a claim about a recent order requiring the customer's attention
    › Customers were led to a website and asked for more information

Effectiveness of spear phishing
› Gartner: non-targeted phishing
  › 19% click on the link in the e-mail
  › 3% give away personal information
› Indiana University (US): targeted phishing
  › E-mail from a friend: 72% give away personal information
  › E-mail from an unknown student: 16% give away personal information
› West Point Military Academy (US): targeted phishing
  › E-mail from a colonel to cadets: 80% give away personal information

Whaling (1/4)
› Definition
  › Spear phishing attack against high-level executives in a single organization, or executives common to different organizations (e.g. CEO, CIO, PM)
  › May involve e-mail, postal mail, ...

Whaling (2/4)

Whaling (3/4)
› Reported case: MessageLabs (6/2007)
  › MessageLabs intercepted 500 highly targeted messages carrying a Word document
  › Name and job title in the subject line
  › Family and friends were targeted as well, in order to reach home computers

Whaling (4/4): impersonated senders
› Better Business Bureau (BBB) (SecureWorks, 5/2007 and MessageLabs, 11/2007)
› Federal Trade Commission (11/2007)
› United States Department of Justice (Websense, 11/2007)

Optimizing delivery of phishing e-mails
› Common phishing protection mechanisms:
  › Spam filter: detect phishing e-mails before they reach the end-user's inbox
  › Browser: warn the end-user when visiting a phishing server
    › Based on blacklisting URLs of known phishing servers
    › Phishing websites are reported to the blacklist operators

Preventing blacklisting
› URL variations
  › Randomized subdomains
  › Unique URL per user / number of users (X: random number)
    › Allows tracking end-user responses
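The two evasions above (randomized subdomains, a unique URL per recipient) defeat a blacklist of exact URLs. The script below is an added example, not part of the original slides: it keys the block decision on the registered domain and normalizes away the per-user tokens, and it also recovers the token the phisher uses to see who clicked. All URLs are constructed; the two-label registered-domain rule is an assumption (real code should use the Public Suffix List).

```python
"""Added example: why an exact-URL blacklist misses the evasions on the
slide (randomized subdomains, per-user URLs) and how a blocklist keyed on
the registered domain does not. All URLs below are constructed samples."""
import re
import urllib.parse

# Constructed: the single URL that was reported and blacklisted.
EXACT_BLACKLIST = {"http://www.bank-secure-login.example/login.php"}

# Constructed: the variants the phisher mails out afterwards.
VARIANTS = [
    "http://www.bank-secure-login.example/login.php",
    "http://k8f2q.bank-secure-login.example/login.php",           # randomized subdomain
    "http://www.bank-secure-login.example/login.php?id=48213",    # unique id per recipient
    "http://www.bank-secure-login.example/login/8845/index.php",  # id embedded in the path
    "http://WWW.Bank-Secure-Login.example/login.php",             # case variation
]


def registered_domain(host):
    """Assumption: the registered domain is the last two labels.
    Production code should use the Public Suffix List (think co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(url):
    """Reduce a URL to (registered domain, path with digit runs collapsed)."""
    parts = urllib.parse.urlsplit(url)
    host = parts.hostname or ""
    path = re.sub(r"\d+", "N", parts.path.lower())
    return registered_domain(host), path


DOMAIN_BLACKLIST = {normalize(u)[0] for u in EXACT_BLACKLIST}


def blocked_by_exact_url(url):
    return url in EXACT_BLACKLIST


def blocked_by_domain(url):
    return normalize(url)[0] in DOMAIN_BLACKLIST


def tracking_token(url):
    """Recover the per-recipient token the phisher uses to see who clicked."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qs(parts.query)
    if "id" in query:
        return query["id"][0]
    match = re.search(r"/(\d{3,})/", parts.path)
    return match.group(1) if match else None


def count_blocked(urls, check):
    return sum(1 for u in urls if check(u))


if __name__ == "__main__":
    print("exact-URL blacklist blocks", count_blocked(VARIANTS, blocked_by_exact_url), "of", len(VARIANTS))
    print("domain blocklist blocks   ", count_blocked(VARIANTS, blocked_by_domain), "of", len(VARIANTS))
    for u in VARIANTS:
        print(normalize(u), tracking_token(u))
```

Blocking on the registered domain catches all five variants where the exact-URL list catches one; the price is the occasional false positive on shared hosting, which is why browser blacklists combine both granularities.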

Alternative channels (1/2): vishing
› Voice (phone) phishing
› Two types:
  1. Fraudster calls the end-user and asks for credentials
  2. End-user is tricked into calling the fraudster (via e-mail, voice mail)
› Strengths:
  › Telephone systems have a longer record of trust
  › A greater percentage of people can be reached (e.g. the elderly)
  › People are used to automated answering services
  › Making or receiving calls is cheap
  › Caller ID can be spoofed

Alternative channels (2/2): smishing
› SMS phishing: phishing with text messages
› Process:
  1. End-user receives an SMS telling him that
     › he has successfully subscribed to a service,
     › he will be charged for the service,
     › he can visit a website to unsubscribe from the service
  2. End-user visits the website and provides sensitive information

Pharming

Pharming (1/7)
› Interfere with the resolution of a domain name to an IP address so that the domain name of the genuine website is mapped onto the IP address of a rogue website

Pharming (2/7): hosts file poisoning

Pharming (3/7): hosts file poisoning
› Adding {domain name, IP address} pairs to the hosts file
› Method:
  › The hosts file contains {domain name, IP address} pairs
  › Windows XP/Vista: %SystemRoot%\system32\drivers\etc\hosts
  › The DNS resolver consults the hosts file on the end-user's PC before contacting the DNS server
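As an added check, not from the slides: a small audit of the hosts file for the poisoning described above. Only loopback and unspecified addresses are treated as benign targets (localhost lines and ad-blocking entries); anything else that names a watched domain is reported. The sample file contents are constructed; HOSTS_PATH is the standard Windows location.

```python
"""Added example: audit a Windows hosts file for the poisoning described on
the slide. SAMPLE_HOSTS is a constructed file; HOSTS_PATH is the real
Windows location."""
import ipaddress
import os

HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")

# Constructed sample with two injected lines (5 and 6).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below were appended by malware (constructed)
203.0.113.45    www.bank.example bank.example
203.0.113.45    online.bank.example
192.168.1.10    printer.home
"""


def parse_hosts(text):
    """Return (line number, ip, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # malformed line, skip
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def suspicious_entries(text, watch_domains):
    """Mappings that send a watched domain (or a subdomain of it) anywhere
    other than loopback/unspecified addresses, the only benign targets."""
    watch = {d.lower().rstrip(".") for d in watch_domains}
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:     # localhost / 0.0.0.0 blocking
            continue
        if any(name == d or name.endswith("." + d) for d in watch):
            findings.append((lineno, str(ip), name))
    return findings


def audit_file(path, watch_domains):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read(), watch_domains)


if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE_HOSTS, {"bank.example"}):
        print(f"line {lineno}: {name} -> {ip}")
```

A mapping of a bank domain to 127.0.0.1 would be a denial of service rather than pharming, so it is deliberately not flagged; widen the filter if that matters in your environment.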

Pharming (5/7): DNS cache poisoning
› Unsolicited information in replies is accepted
  › Example: a reply can carry an IP address for a name the resolver never asked about (e.g. bank.com), and the resolver caches it
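An added example of the defence resolvers adopted against such unsolicited records: the bailiwick check, which discards any record a server is not authoritative for before anything is cached. The response below is constructed (names under .example, bank.com as on the slide) and is not from the original presentation.

```python
"""Added example: the bailiwick rule a resolver applies to the extra
records in a DNS reply. The records are constructed; names use .example."""
from collections import namedtuple

RR = namedtuple("RR", "name rtype ttl rdata")


def _canon(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True if name is the zone itself or lies below it."""
    name, zone = _canon(name), _canon(zone)
    return name == zone or name.endswith("." + zone)


def filter_response(zone, answer, authority, additional):
    """Keep only records a server for `zone` is entitled to speak for.
    `zone` comes from the delegation the resolver followed, never from
    the reply itself. Returns (cached, discarded)."""
    cached, discarded = [], []
    for section in (answer, authority, additional):
        for rr in section:
            (cached if in_bailiwick(rr.name, zone) else discarded).append(rr)
    return cached, discarded


# Constructed: the resolver asked attacker's name server for www.attacker.example
ZONE = "attacker.example"
ANSWER = [RR("www.attacker.example", "A", 300, "203.0.113.5")]
AUTHORITY = [RR("attacker.example", "NS", 300, "ns1.attacker.example")]
ADDITIONAL = [
    RR("ns1.attacker.example", "A", 300, "203.0.113.2"),   # legitimate glue
    RR("bank.com", "A", 86400, "203.0.113.5"),             # unsolicited poison
]


def demo():
    cached, discarded = filter_response(ZONE, ANSWER, AUTHORITY, ADDITIONAL)
    return [rr.name for rr in cached], [rr.name for rr in discarded]


if __name__ == "__main__":
    print(demo())
```

The check stops the additional-section trick on this slide; it does not stop a forged reply that wins the race for a genuine query (transaction ID guessing), which needs source-port randomization or DNSSEC.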

Drive-by attacks: "Samy is My Hero"
› MySpace worm
  › Added users to Samy's friends list without authorization by the user
  › Added the text "but most of all, Samy is My Hero" to user pages
› Propagation:
  › Author originally had 73 "friends"
  › 7 hours later: 221 new friend requests
  › 13 hours: 2,503 friends and 6,373 friend requests
  › After about 18 hours: over 1,005,831 new friend requests
› Response:
  › MySpace: complete service shutdown
  › "Samy" sentenced to 3 years probation and community service, with an Internet ban

Drive-by attacks: "Samy is My Hero" (continued)

Pharming (6/7): drive-by pharming
› Technique to alter the DNS settings of a (wireless) home router
› Method:
  1. User downloads a web page containing a Java applet and JavaScript
  2. Java applet detects the IP address of the host and the addressing scheme
  3. JavaScript pings other hosts and discovers the brand of the router
  4. JavaScript accesses the configuration screens using default passwords
› Reported case: Mexican bank (1/2008)
  › Attack on 2Wire routers
  › Victim receives an e-mail saying an e-card is waiting at a website
  › E-mail contains an HTML IMG tag resulting in an HTTP GET to the home router; no HTTP authentication required
  › The HTTP GET changes the DNS settings of the router (XSRF attack)
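An added example, not part of the slides, of the checks a router's configuration endpoint needs so that the IMG-tag request above cannot change DNS settings: refusing GET for state changes, requiring an authenticated session, checking Origin/Referer and requiring a per-session CSRF token. The request objects, the router hostnames and the form field names are constructed assumptions, not any vendor's interface.

```python
"""Added example: server-side checks a router's configuration endpoint
should apply to stop the IMG-tag request from the slide. Requests are
constructed dicts; ROUTER_HOSTS and the form field names are assumptions."""
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_HOSTS = {"192.168.1.254", "home"}      # names the admin UI is served on

# session cookie value -> CSRF token issued with the admin page (constructed)
SESSIONS = {"sid-7f3a": "tok-" + "a" * 16}


def new_token():
    """Unguessable per-session token handed out with the admin page."""
    return "tok-" + secrets.token_hex(8)


def check_config_change(req):
    """req: dict with method, headers, cookies, form. Returns (ok, reason)."""
    # 1. An <img> tag can only issue GET; state changes must be POST.
    if req["method"] != "POST":
        return False, "state change via GET"
    # 2. The 2Wire case needed no authentication; require a logged-in session.
    sid = req["cookies"].get("session")
    if sid not in SESSIONS:
        return False, "no authenticated session"
    # 3. The request must originate from the router's own pages.
    origin = req["headers"].get("Origin") or req["headers"].get("Referer")
    host = urlsplit(origin).hostname if origin else None
    if host not in ROUTER_HOSTS:
        return False, f"cross-site origin {origin!r}"
    # 4. And carry the per-session CSRF token (the cookie is sent automatically
    #    by the browser, the token is not), compared in constant time.
    token = req["form"].get("csrf", "")
    if not hmac.compare_digest(token, SESSIONS[sid]):
        return False, "bad CSRF token"
    return True, "ok"


# Constructed requests -------------------------------------------------
# What the e-card page's <img> tag produces (router URL path not shown on the slide):
IMG_GET = {"method": "GET", "headers": {"Referer": "http://ecard.example/card"},
           "cookies": {}, "form": {}}
# A JavaScript-submitted cross-site form with the victim's session cookie attached:
CROSS_SITE_POST = {"method": "POST", "headers": {"Origin": "http://ecard.example"},
                   "cookies": {"session": "sid-7f3a"},
                   "form": {"dns": "203.0.113.9"}}
# A same-origin POST that forgot the token:
NO_TOKEN_POST = {"method": "POST", "headers": {"Origin": "http://192.168.1.254"},
                 "cookies": {"session": "sid-7f3a"},
                 "form": {"dns": "203.0.113.9"}}
# A change made from the router's own admin page:
LEGIT_POST = {"method": "POST", "headers": {"Origin": "http://192.168.1.254"},
              "cookies": {"session": "sid-7f3a"},
              "form": {"dns": "192.168.1.254", "csrf": SESSIONS["sid-7f3a"]}}

if __name__ == "__main__":
    for name, req in [("img get", IMG_GET), ("cross-site post", CROSS_SITE_POST),
                      ("no token", NO_TOKEN_POST), ("legit", LEGIT_POST)]:
        print(name, check_config_change(req))
```

Check 1 alone defeats the IMG-tag vector; checks 2 to 4 cover the JavaScript variant from the first half of the slide, where a script in the page can issue POSTs and the browser attaches the router's cookie to them.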

Fast-flux service networks (1/2)
› Basic components of a phishing infrastructure
  › One or more web servers to host the rogue website
  › One or more domain names
    › Popular top-level domains: .hk, .cc and .info
  › One or more DNS servers, configured to be authoritative for the registered domain names
› Phishing infrastructure requirements:
  › High availability
    › Website should not be taken down too soon by bank or ISP
  › Easily manageable
    › Web pages should not be dispersed among too many web servers
  › Can be realized using the fast-flux approach

Fast-flux service networks (2/2)
› Simple fast-flux
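Added example (not from the slides): the lookup-side view of a simple fast-flux domain. Repeated A-record queries are scored on TTL, number of distinct IPs, /24 prefix diversity and churn between consecutive answers; a stable domain is scored alongside for contrast. The observations and the thresholds are constructed and illustrative.

```python
"""Added example: spotting a simple fast-flux domain from repeated A-record
lookups. Observations are constructed; thresholds are illustrative
assumptions, not from the slides."""
import ipaddress

# One row per DNS query: (seconds since start, TTL, A records returned)
FLUX_OBS = [
    (0,   180, ["203.0.113.10", "198.51.100.7", "192.0.2.44", "203.0.113.200", "198.51.100.99"]),
    (300, 180, ["192.0.2.17", "203.0.113.31", "198.51.100.120", "192.0.2.250", "203.0.113.77"]),
    (600, 180, ["198.51.100.3", "192.0.2.88", "203.0.113.140", "198.51.100.201", "192.0.2.5"]),
]
STABLE_OBS = [
    (0,    3600, ["203.0.113.50", "203.0.113.51"]),
    (3600, 3600, ["203.0.113.50", "203.0.113.51"]),
    (7200, 3600, ["203.0.113.51", "203.0.113.50"]),
]


def flux_features(obs):
    """Summarize a series of lookups of one domain."""
    seen, prefixes, new_fraction = set(), set(), []
    prev = set()
    for _, ttl, answers in obs:
        cur = set(answers)
        if prev:
            # share of this answer's addresses not present in the previous one
            new_fraction.append(len(cur - prev) / len(cur))
        prev = cur
        seen |= cur
        prefixes |= {str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in cur}
    return {
        "unique_ips": len(seen),
        "prefixes": len(prefixes),
        "min_ttl": min(ttl for _, ttl, _ in obs),
        "churn": sum(new_fraction) / len(new_fraction) if new_fraction else 0.0,
    }


def is_fast_flux(obs, max_ttl=300, min_ips=10, min_prefixes=3, min_churn=0.5):
    """Illustrative rule: short TTL AND many addresses AND spread across
    networks AND the answer set keeps changing."""
    f = flux_features(obs)
    return (f["min_ttl"] <= max_ttl and f["unique_ips"] >= min_ips
            and f["prefixes"] >= min_prefixes and f["churn"] >= min_churn)


if __name__ == "__main__":
    for label, obs in [("phishing domain", FLUX_OBS), ("stable domain", STABLE_OBS)]:
        print(label, flux_features(obs), "fast-flux" if is_fast_flux(obs) else "normal")
```

A CDN also returns many addresses with short TTLs; what separates a flux network is that its addresses sit in unrelated networks (compromised home machines) and keep being replaced. Production detectors therefore use ASN data rather than /24 prefixes for the diversity term.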

Spyware

Spyware
› Definition of a spyware attack
  › Attempt to fraudulently obtain sensitive information such as usernames, passwords and credit-card details by covertly intercepting information exchanged during an electronic communication

Bank Trojans
› Designed to obtain bank credentials (since mid-2004)
› 4 main functions:
  › Monitoring
    › Harvest data only when the user visits a banking website → efficiency
    › Filter list: /TAN/, "Welcome to Citi"
  › Spying
    › Capture the user's banking credentials
  › Hiding
    › Ensure the Trojan cannot be detected by security software
  › Updating
    › Regular update of the filter list from the control server

Monitoring techniques (1/3)
› Browser Helper Objects (BHOs)
  › Lightweight DLL extension adding custom functionality to IE
  › Conform to the Component Object Model (COM)
  › Loading of a BHO into IE
    › At start-up, IE loads the COM objects whose CLSID is present in a certain Windows registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects)
  › Allows eavesdropping on browser events and user input
  › Used by the InfoStealer Trojan and in MITM attacks

Monitoring techniques (2/3)
› Hooking WinInet API functions
  › WinInet.dll: Windows implementation of HTTP(S), FTP
  › Hooking:
    › A call to a function in WinInet.dll passes via the Trojan (redirection)
    › The Trojan has read/write access to the payload of the function
› Diagram: IExplore.exe calls HttpSendRequestA; the entry for HttpSendRequestA in its Import Address Table has been rewritten to point into Trojan.dll instead of WinInet.dll; Trojan.dll reads the payload ("Get payload") and then calls the real HttpSendRequestA in WinInet.dll (shown on the slide at address 45789)

Monitoring techniques (3/3)
› Winsock's Layered Service Provider (LSP) architecture
  › WinSock.dll: the Windows sockets (TCP/IP) API
  › Applications performing network operations load WinSock
  › Additional libraries (LSPs) can be loaded into WinSock
  › Benign applications:
    › Parental control: content filtering
    › Application-transparent encryption
  › Malign applications:
    › Eavesdropping on network communication
    › Altering financial transaction data

Spying techniques
› Form grabbing
  › Trojan captures only data that is entered into a web form
  › Common techniques: BHOs, API hooking
› Injection of fraudulent pages or fields
  › Trojan modifies HTML pages coming from the bank on the fly
  › Inserts additional fields or modifies the destination of the "Log on" button
  › Trojan receives the HTML pages from the control server
› Screenshots and video captures
› Keylogging
  › Trojan is triggered when the user visits a certain URL
  › Only data entered into the web page is logged
› Note: these techniques defeat SSL, virtual keyboards, ... because they operate inside the browser, before encryption and after decryption

Example: Infostealer.Banker (1/2)
› Installation
  › Registration of the BHO in the Windows registry
  › Generation of a random number as ID for the infected PC
  › Registration of the ID at the server via a PHP script
› Operation
  › BHO contacts the server for an updated "help.txt"
  › BHO listens for connections to the URLs in "help.txt"
  › When the BHO detects a connection to a certain URL:
    › BHO looks in "help.txt" for the HTML code to be injected
    › BHO injects the HTML code
    › Browser displays the modified web page
  › When the user enters credentials into the modified web page, the BHO calls a PHP script to upload the credentials to the server

Example: Infostealer.Banker (2/2)

Man-in-the-middle Attacks

Man-in-the-middle attack
› Real-time interception and modification of information exchanged between two entities without either entity noticing
› Uses phishing and/or spyware techniques
› The man-in-the-middle can be:
  › Local: spyware on the end-user's PC
  › Remote: phishing website

Local man-in-the-middle attack
› "Man-in-the-browser", "local session riding"
› General procedure:
  › Infect the system with a banking Trojan
  › Hijack the successfully authenticated session
  › Insert or modify fraudulent transactions
› Diagram (end-user "John", browser and banking Trojan on the end-user's computer, e-banking server):
  1. End-user logs on as "John"; the Trojan passes "John" to the server
  2. End-user enters the OTP; the Trojan passes the OTP to the server
  3. End-user submits "$500 to Bob"; the Trojan forwards "$5000 to Bill"

Remote man-in-the-middle attack
› General procedure:
  › Redirect traffic to a rogue website
    › Using common phishing techniques: e-mail, pharming, ...
  › Act as a proxy between the end-user and the real banking website
  › Keep the authenticated session alive and modify transaction data
› Reported cases:
  › Dutch and Swedish retail banks (March 2007):
    › Infostealer.Banker.C and a phishing website
    › Damage: 4 customers, unknown amount
  › Belgian retail bank (May/June 2007)
    › Damage: 3 customers, ~ euro

The Cybercrime Black Market

Organization (1/2)
› On-line forum (IRC, web) connecting the roles:
  › Spammer
  › Exploiter
  › Card skimmer
  › Money mule recruiter
  › Website designer
  › Coder
  › Botnet herder

Organization (2/2): money mules
› Problem of the phisher:
  › E-banking system may not allow money transfers to foreign accounts
› Solution:
  › Phisher recruits "money mules" with a bank account in the country of the targeted bank
  › Phisher transfers money to the bank account of the mule
  › Mule transfers the money to the phisher (e.g. Western Union, MoneyGram)
› Money mule recruitment
  › Regular job advertisement channels
  › "Financial service manager", "shipping manager", "private financial retriever", etc.

Fraud accounting
› Cost of a phishing attack:
  › Phishing e-mail + phishing website: $5
  › Spam list: $8
  › Botnet for sending out spam during 6 hours: $30
  › Hacked server to host the phishing website: $10
  › Valid DNS name: $10
  › Total cost: $63
› Profit from a phishing attack
  › Option 1: selling stolen banking credentials
    › 20 accounts: $200 - $2,000
    › Profit: $137 - $1,937
  › Option 2: cashing out via a money mule
    › $10,000 on the account; 50% for the money mule; 50% rip-off rate
    › Income: $2,500

Defense Mechanisms

One-time passwords (1/3)
› Strengths
  › Render compromised end-user credentials less valuable for the adversary (only valid once and during a limited amount of time)
  › Limit the time between the collection and exploitation steps of a phishing attack
  › Break down the traditional economic model of phishing attacks
    › Phishing economy: specialization means trading
    › Trading credentials takes time
    › One-time passwords have expired before the buyer can use them

One-time passwords (response only)
› Diagram: the Digipass encrypts a time value under its DP secret; the result is the one-time password

Application: time-based response
› Diagram: the user sends Userid = A and Password = OTP over the Internet; the Digipass with serial number SN computed OTP = 3DES(DP secret, time); the application looks up A – SN – DP secret in the ".dpx file" (records A – SN – DP secret, B – SN' – DP secret', ...), computes the same 3DES response for the current time and compares it with the received OTP (?=)

Electronic signatures (1/6)
› One-time passwords provide only end-user authentication
  › Server only knows that the genuine end-user is present at log-on
  › Server cannot detect modifications or injections after log-on
› Electronic signatures provide transaction authentication
  › Server can detect and reject unauthenticated transactions or changes to transactions
› Diagram (end-user "John", MITM, e-banking server):
  1. John sends "John" to the MITM
  2. MITM forwards "John" to the server
  3. John sends the OTP to the MITM
  4. MITM forwards the OTP to the server
  5. Server replies "OK" (log-on succeeded)
  6. MITM shows "Error" to John
  7. MITM sends "$5000 to Bill" to the server inside the authenticated session

Data signature (electronic signature, MAC)
› Diagram: Field A + Field B + Field C are concatenated and run through 3DES under the DP secret; the result is the MAC
› Electronic signatures provide transaction authentication
  › Server can detect and reject unauthenticated transactions or changes to transactions

Application: data signature (electronic signature, MAC)
› Diagram: the user submits Userid = A, Field A, Field B, Field C and Password = MAC over the Internet; the Digipass with serial number SN computed MAC = 3DES(DP secret, Field A + Field B + Field C); the application looks up A – SN – DP secret in the ".dpx file" (records A – SN – DP secret, B – SN' – DP secret', ...), recomputes the 3DES MAC over the received fields and compares it with the received MAC (?=)
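Added example covering the response-only OTP slides above and the data-signature slides: a minimal Digipass-style token and verifying server, written here for illustration and not VASCO's code. It uses HMAC-SHA256 in place of 3DES so it runs on the standard library; the 30-second time step, the one-window drift allowance, the 8-digit signature length, the user name, serial number and secret are all assumptions. It replays the man-in-the-browser diagram: the OTP logs John in (and cannot be replayed), while the signature computed over "$500 to Bob" does not verify for "$5000 to Bill".

```python
"""Added example, not VASCO's code: the response-only OTP and the data
signature (MAC) from these slides, built on HMAC-SHA256 instead of 3DES
so it runs with the standard library. Users, serial numbers, secrets and
the 30-second time step are constructed assumptions."""
import hashlib
import hmac
import struct

STEP = 30          # seconds per time window (assumption)
DIGITS = 6
WINDOW = 1         # accept the neighbouring windows to absorb clock drift


def _response(secret, message, digits=DIGITS):
    """Truncate a keyed MAC to a numeric code (stand-in for the 3DES step)."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[-4:], "big") % 10 ** digits).zfill(digits)


def _canonical(fields):
    """Unambiguous encoding of the transaction fields (A, B, C on the slide)."""
    return "\x1f".join(str(f) for f in fields).encode()


class Digipass:
    """The token in the user's hand: knows only its serial number and DP secret."""
    def __init__(self, serial, secret):
        self.serial, self.secret = serial, secret

    def otp(self, now):
        return _response(self.secret, b"OTP" + struct.pack(">Q", int(now) // STEP))

    def sign(self, fields):
        return _response(self.secret, b"SIG" + _canonical(fields), digits=8)


class BankServer:
    """Holds the .dpx records (user -> serial, secret) and verifies both codes."""
    def __init__(self, dpx):
        self.dpx = dict(dpx)
        self.used = set()                      # (user, window) already accepted

    def login(self, user, candidate, now):
        serial, secret = self.dpx[user]
        window = int(now) // STEP
        for w in range(window - WINDOW, window + WINDOW + 1):
            expected = _response(secret, b"OTP" + struct.pack(">Q", w))
            if hmac.compare_digest(expected, candidate) and (user, w) not in self.used:
                self.used.add((user, w))       # one-time: block replay of this code
                return True
        return False

    def authorize(self, user, fields, signature):
        _, secret = self.dpx[user]
        expected = _response(secret, b"SIG" + _canonical(fields), digits=8)
        return hmac.compare_digest(expected, signature)


# Constructed enrolment data
SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef")
JOHN = Digipass("SN-0001", SECRET)
SERVER = BankServer({"john": ("SN-0001", SECRET)})


def scenario(now=1_700_000_000):
    """Replays the man-in-the-browser diagram: the Trojan relays the OTP
    unchanged but rewrites the transaction it submits."""
    code = JOHN.otp(now)
    logged_in = SERVER.login("john", code, now)
    replayed = SERVER.login("john", code, now)          # Trojan reusing the OTP
    intended = ("Bob", "500", "USD")
    sig = JOHN.sign(intended)                            # user signs what they see
    tampered = ("Bill", "5000", "USD")                   # what the Trojan submits
    return {
        "login": logged_in,
        "replay": replayed,
        "intended_ok": SERVER.authorize("john", intended, sig),
        "tampered_ok": SERVER.authorize("john", tampered, sig),
    }


if __name__ == "__main__":
    print(scenario())
```

The signature only helps if the fields the user sees on the token display are the fields that were signed; a Trojan that can change what the user types into the token defeats it, which is why devices with their own display of beneficiary and amount matter.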

Electronic signatures
› Conflict: security vs. user-friendliness
› Solution: security policies
  › Policies determine when / what has to be signed
  › Implemented at the server side → flexible
› Possible criteria
  › Amount of money (how large?)
  › Beneficiary bank account number (used previously?)
  › Determine the risk of the transaction
› Result
  › Electronic signature only required for high-risk transactions
  › Paying tax or bills (e.g. electricity, water, phone, ...): no signature
  › Transferring to other accounts of the end-user (e.g. savings account): no signature
  › Facilitates envelope transactions (many-in-one)
  › "Risk-based transaction authentication"

End-user education
› The end-user remains the weakest link in the security chain
› Train end-users in "street smarts":
  › Do NOT respond to e-mails asking you to log on
  › Install software from a trustworthy source only
  › DO type URLs or use bookmarks
› DO motivate end-users to install a firewall and anti-virus scanner
  › E.g. Barclays UK & F-Secure
  › E.g. Firstrade Securities US & Trend Micro
› Follow your own guidelines!
  › For example, many organizations fail to renew SSL certificates before they expire, which trains users to click through certificate warnings

Conclusion
› Sophistication of e-banking fraud schemes is increasing
  › Phishing
    › Alternative delivery channels: not only e-mail
    › Targeted phishing
  › Spyware
    › Better hiding techniques; rootkit technology likely to be used more
    › Better stealing techniques
› Need for strong authentication mechanisms is increasing
› Safe solutions are possible
  › Combine end-user authentication and transaction authentication
  › Usability must be taken into account to prevent social engineering