Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ziv Cohen – Director, EMEA

Similar presentations


Presentation on theme: "Ziv Cohen – Director, EMEA"— Presentation transcript:

1 Ziv Cohen – Director, EMEA
No Silver Bullet How Malware Defeats Security Measures and What You Can Do About it Ziv Cohen – Director, EMEA April 2012

2 Malware Attacks Are on the Rise
Malware incidents increased more than 30% between 2008 and 2011, causing significant damage 54 million U.S. adults said they had incidents of malware on their desktops in 2011 Research - Use a Layered Security Approach to Combat Phishing and Malware-Based Attacks Published: 26 March 2012

3 Online Banking Fraud is Happening
Online Banking Fraud Losses Estimated at 1B$ in US and Europe

4 New Online Banking Services Adoption Hindered by Security Concerns
What are the main reasons you have decided not to use mobile banking? My banking needs are being met without mobile banking I’m concerned about the security of mobile banking I don't trust the technology to properly process my banking transaction The cost of data access on my wireless plan is too high It is too difficult to see on my mobile phone’s screen Other It’s difficult or time consuming to set up mobile banking I don’t have a banking account with which to use mobile banking It is not offered by my bank or credit union My bank charges a fee for using mobile banking Refuse to answer Federal Survey - Consumers and Mobile Financial Services March 2012

5 The Cost of Advanced Malware Attack
of CIOs report malware related internal breaches 40% 2010 Deloitte-NASCIO Cyber Security Study of data breaches incorporated malware 49% Verizon 2010 Data Breach Report companies attacked with the same resources as RSA 760 Almost 20% of the Fortune 100 are on this list. Krebsonsecuirty.com, “Who else was hit by RSA Attackers”?” RSA is not alone (click). Malware plays a key role in a large number of data breaches. And security analyst Brian Krebs found that 760 companies suffered similar attacks including 20% of the fortune 100.

6 The end point is the weak link
 Perimeter Security  Firewall  End Point Security  Intrusion Prevention System Anti Virus End Point User Anti-Virus Gateway Encryption Easy Sensitive Data and Apps Easy What makes malware such a compelling threat? Ultimately, the target of the attack is sensitive business and financial data. Enterprises invest in many layers of security around their data. Directly attacking these backend systems is harder than targeting key employees and using their computers and mobile devices to get into the data. Cyber Criminals Difficult

7 Anatomy of Malware attack
Execute Fraud / Information Theft Attack Launch Human and Automated Malware Infection Credentials theft, Web injection, Social engineering User Target System exploit, Malicious Code install Phishing, Drive-by-Download

8 Attack Setup, Execute Fraud: Man-in-the-Browser, Web Injection
PII Theft Login: Password: **** Credentials Theft Social Engineering Now the malware is in position and can execute the fraud scheme. Here are few examples. [Click] After the user logs-in they feel rather secure. The malware then injects a page asking the user for personal information. This page looks genuine: same branding, same URL and the padlock is engaged. Nevertheless, it came from the user’s machine and NOT from the bank web site. The information entered into this page is sent to the fraudster to execute fraud. [click] However, malware doesn’t have to inject a full page. It can also slightly alter an existing page – for example to capture token values to enable real time fraud. [click] Malware can also use social engineering to get the user to approve a fraudulent transaction. In this example, the malware asks the user to use a transaction signing device to approve a dummy transaction for training purposes. The user is, in fact, approving a real money transfer. Note these are the attack steps User logs in Malware presents ‘re-calibration’ screens User asked to enter the following into the calibration device: “1st calibration number” ( = destination account) “2nd calibration number” (= amount) Trx signing device return auth code User enters data into website  User just authorized money transfer What is common to all of these scenarios? the malware controls all interaction between the user and the online banking application and can seamlessly alter it to bypass security controls and execute successful fraud schemes.

9 Keeping Banks In the Dark - Change Phone
User Access site 1 Malware Update user’s phone number 1800TrueNum 1800ToFraud 2 Malware Inform user that the bank has issued a FREE SIM CARD for security reasons, user enters code to accept offer` 4 Bank Sends a confirmation SMS to previous phone, with code and new phone number Confirmation Code: 1234 For number 1800ToFraud 3 Fraudster “Enters conformation code and redirects all future bank SMS/Calls to 1800ToFraud 5

10 Confirmation Emails - Hidden
Malware Transfer Money 1 Bank Sends Confirmation 2 Malware Hide Confirmation 3 if( document.getElementById("datatable").rows[i].innerHTML.indexOf( "Faster Payment Confirmation" ) != -1 || document.getElementById("datatable").rows[i].innerHTML.indexOf( "Payment Created" ) ) { //Faster Payment Confirmation | Payment Created document.getElementById("datatable").rows[i].style.display = "none"; } Zeus code for hiding s

11 Keeping Banks In the Dark - DDoS
FBI warning about Banking Trojan “GAMEOVER” “After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution”

12 Facebook/Ukash – Cross Channel Attack
To confirm verification you have to enter 20 euro UKash voucher. Ukash vouchers are sold by UKash.com website and Ukash.com is not affiliated with Facebook company. 20 euro will be added to your Facebook main account balance. This verification is used to confirm your age and country of origin. The UKash Voucher consists of 19 numbers and face value (sum), begins on “633”. For example

13 MITMO/ZITMO Legitimate Website 8 1 4 5 7 2 5 3 6
Malware Command & Control Transaction approved using stolen SMS 8 SMS with link to Mobile malware (“install new certificate”) 3 Malware forwards approval SMS 7 Download Malware 4 5 Legitimate Website User Accesses Site 1 “Please provide your mobile phone number” 2 Transaction Approval SMS 6 Malware transfers funds (PC is proxy) 5

14 FFIEC Recognizes Malware as the Root Cause of Most Cybercrime Activities
“Controls implemented in conformance with the Guidance several years ago have become less effective..” The FFIEC in its latest 2011 guidance has also recognized that virtually no security control is immune to malware attacks. “Malware can compromise some of the most robust online authentication techniques”

15 The Challenge: No Silver Bullet
Device Identification Challenge Questions Malware OTP Devices Man in the Browser, Real Time Phishing Transaction Verification Man in the Mobile x Bypassed Virtual Browser on Stick Memory Injection Malware Transaction Signing Social Engineering Malware Clickstream Detection Malware adopts Human-like behavior

16 Intelligent, Adaptive, Automated
Threat Intelligence Adaptive Protection Sustainable Cybercrime Prevention Why is our customer base growing so rapidly? Because we have perfected the process for sustainable cybercrime prevention. As threats evolve we adapt to maintain optimal defense. We build on two core capabilities: First, Threat Intelligence - understanding how fraudsters change their attack tactics to bypass security controls. Second, Adaptive Protection – quickly creating and deploying countermeasures. Together, these capabilities create a dynamic security control that can maintain its effectiveness over the long haul. Let’s look into Threat Intelligence and Adaptive Protection in more detail. 16

17 Crime Logic vs. Files and Signatures
Threat Intelligence Adaptive Protection Trusteer: What it does? Crime Logic (100s) Exploit Infect Hook Inject Access Theft Anti-Virus Legacy: What it is? Files and Signatures ( s) ? How is Trusteer threat intelligence different? [click] AV and other solutions like firewalls and intrusion prevention systems focus on what the malware IS. They use signatures to detect malware. They are ineffective against new malware because they don’t have tis signature. Almost 60% of malware evades these systems and signatures are created after the damage is done. [Click]: Trusteer on the other hand focuses on what the malware DOES. We call this: Crime Logic. Crime Logic is the attack tactics used to execute fraud. Including: how malware exploits vulnerabilities on the endpoints and the specific process it uses to install itself. Trusteer also maps the ways malware hooks into critical browser services and the way it injects data into the browser. Finally, Trusteer tracks how malware distributes and process data to enable automated or human initiated fraud. more details Exploit: how malicious code on web sites can exploit a vulnerability in the browser or the operating system to initiate a download of malware Infect: how malware installs itself on the endpoint. Hook: how malware hooks into browser APIs or Add-Ons to achieve visibility and control of end user activity (key logging, web session) Inject: the pages the malware targets and the content that is being injected (additional fields, net new pages) Access: how cybercriminals achieve access to target systems (human or automated) Theft: how the theft actually occurs (credentials sent to drop servers, on-the-fly transactions, cross-channel fraud with PII)

18 First to Discover New Forms of Malware
Threat Intelligence Adaptive Protection Tens of Millions of Endpoints Endpoints Detect and stop Crime Logic OddJob Shylock Sunspot This unique focus on Crime Logic and the massive network of tens of millions endpoints enabled Trusteer to identify 6 new malware flavors in the past year alone. For example, in Australia, trusteer was first to detect SpitMO, a Spyeye variant tampering with transaction verification SMSs on Android devices. Another discovery in South Africa was the transformation of Ramnit, a benign worm, into financial malware. Apparently, Ramnit incorporated code from another malware, Zeus, and now attacks online banking. More then 25% of all financial malware we are seening in the wild is Ramnit based. Torpig v2 SpitMo for Android Ramnit goes financial

19 Ready, Before the Threat Reaches You
Threat Intelligence Adaptive Protection Tens of Millions of Endpoints Endpoints Detect and stop Crime Logic OddJob Sunspot Shylock Trusteer has adapted to stop these threats. The specific countermeasures where deployed to all of our users worldwide – so by the time threats migrated to attack new territories, users were protected against the new attack vectors. This combination of very early detection and rapid response is what separates trusteer from other fraud prevention solutions – our customers state that they have witnessed dramatic reduction in fraud attempts as you can see in public case studies on our web sites. Torpig v2 SpitMo for Android Ramint goes financial

20 Process, People, Products
Threat Intelligence Adaptive Protection Cybercrime Intelligence Analytics & Management Crime Logic Risk Assessment Fraud Alert Trusteer Intelligence Center Corp Online Threats Adaptive Protection Known crime logic Unknown crime logic Let’s take a look at the full Cybercrime Prevention process. Trusteer provides 2 protection layers: Rapport that executes on PC, Mac and mobile devices, and Pinpoint that is integrated with the online banking application. When an online threat enters a Trusteer protected endpoint, a 4 step process is executed. [click] First, Trusteer secures the endpoint by detecting and stopping any attempt to tamper with web pages, the browser or other operating system services that are required to initiate an attack. [click] Next, all new Crime Logic indicators are reported to the Trusteer Cybercrime intelligence cloud. Trusteer Intelligence Center experts use specialized tools and techniques to perform risk assessment and determine the appropriate response. [click] Trusteer develops 2 types of countermeasures: specific instructions on how to remove the threat from the endpoint and how to block future attacks on any protected endpoint. This process is repeated to ensure users remain protected against new and emerging threats.

21 Less Cost, Less Complexity
Trusteer Cybercrime Prevention Architecture: Industry leading solution for Online Cybercrime Activities Intelligence- based risk assessment Multi-layer protection against malware No malware = Transaction anomaly prevention Layer 2: Fraudulent Activity Detection Detect malware- infected users, devices Detect and Stop real-time phishing Trusteer Pinpoint for Malware Detection Trusteer Pinpoint for Phishing Detection Layer 1: Endpoint-Threat Protection Stop and remove financial malware, phishing Protect against mobile malware, high risk devices Trusteer Cybercrime Prevention Architecture is the technology foundation of our service. It tackles online fraud both on the end point and the web application tiers and is built upon real-time intelligence and threat research. [click] The first layer provides endpoint threat protection. Trusteer Rapport clients protect PC, Mac and Mobile devices. By preventing endpoint compromise and browser-based attacks, fraud attempts are drastically reduced. [click] The second layer provides fraudulent activity detection. Trusteer Pinpoint modules detect malware and phishing activity that enable our customers to focus on high risk users, devices and transactions and streamline fraud prevention processes. [click] both layers are sustained by an intelligence platform and cybercrime experts that ensure maximum protection. Overall this architecture addresses the core requirements of the FFIEC guidance: Continuous risk assessment based on intelligence gathered from Trusteer Protected endpoints and Multi-layer protection at the client and web application layers. [click] By disabling malware impact on the client and the application, anomalous transactions are reduced across all channels. At the same time, less malware means less cost and complexity in fraud prevention operations. Trusteer Rapport for PC/Mac Trusteer Rapport for Mobile Less Cost, Less Complexity

22 Thank You


Download ppt "Ziv Cohen – Director, EMEA"

Similar presentations


Ads by Google