Evolution of Remote Banking fraud

Richard Martin
Security Unit
UK Payments
Royal Holloway, 10 September 2011
Voice of the payments industry
Payment scheme management – we run the Payments Council, BACS, CHAPS, Faster Payments, cheques, cash…
Our schemes processed nearly 7 billion payments in 2009, with a value of £69 trillion (for comparison, UK GDP is around £2 trillion)
Protecting the integrity of UK payments systems
We are increasingly central to the UK anti-fraud effort
Payments Council members
The world we live in
Internet is a major channel for banks and payments
Challenges
Internet is not secure
Customer PCs are not secure
But customers love it, and banks love it
So we need to address the challenges
Source: UK Payments, 2011
What is being attacked?
Not the bank directly (so much)
The customer
Static authentication credentials & card details – “data that never changes”, and can therefore be stolen or given away
The customer’s equipment – Malware!
Part 1: Phishing
Phishing attacks are becoming more sophisticated:
Phishing incidents – UK banks
Total for 2010: 61,873 incidents
Source: UK Payments 2011
Phishing – looking closer
[Chart: phishing incidents broken down by percentage, 0–100%]
Source: UK Payments 2011
Standard Phishing life cycle
[Diagram: Attacker → Credential recovery/storage; SpamBot; Phishing hosts (bots); Various DNS tools – fast-flux etc.]
Developments in Phishing
ADAPTIVE PHISHING
Sites designed to evade / confuse analysis
Phishing host serves up different sites depending on localisation and other factors
One site can:
Firefox with German language – redirect to German PayPal phishing site
IE with English language – redirects to English bank phish
Seamonkey – tries to install malware
Text browsers (often used by analysts) – Error 404
Browser run within a VM (ditto) – Error 404
Developments in Phishing
LIVE PHISHING
Customer enticed to visit fake bank site as usual
All communications relayed by phishing site to bank site in real time
Payment / authentication requests injected / amended by attacker
Target: two-factor authentication
Phishing still here because…
It still works!
[Chart: survey responses to a phishing email, 2004, 2006, 2008, 2009. Series: “Would ignore / delete a phishing email” (65%, 50%, 57%, 59%); unlabelled series (28%, 39%, 31%, 31%); “Would ask bank for advice” (4%, 3.8%, 4%, 6%); “Would act on it” (12%, 12%, 13%)]
Under 24 year-olds who “would act on it”: 12%
Source: UK Payments 2004-2010
Some further reading
Other good sources of research on people’s perception and acceptance of
Dhamija (Harvard) & Tygar and Hearst (UC Berkeley): http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
Wu, Miller, Garfinkel (MIT Computer Science and Artificial Intelligence Lab): http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf
Jagatic, Johnson, Jakobsson, and Menczer (School of Informatics, Indiana University, Bloomington): http://www.indiana.edu/~phishing/social-network-experiment/phishingpreprint.pdf
Part 2: Malware
Some names to remember: Torpig, Zeus (aka z-Bot, Sinowall), SpyEye, PSP2-BBB, Silent Banker, Yaludle, Bugat, Carberp, Silon…
Two factor authentication is now a target
Man In The Browser is the new Man In The Middle
Scripting: Automated payment injection
Controlled distribution: targeted, low infection numbers, quiet operation
They work but:
Difficult to industrialise
Their effect can be detected (odd GET and POST data, old/nonexistent fieldnames, unusual browser headers etc…)
They can be “broken”
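As an added example (not from the original talk), a small Python detector run over constructed access-log lines that flags the tell-tale signs listed above: form fields a genuine page never sends, field names from a retired page version, and a request with no User-Agent header. The log layout, page paths and field names are assumptions made for illustration.

```python
import re
# Known-good form fields per page path (assumed; constructed for this example, not a real bank's schema).
EXPECTED_FIELDS = {"/login": {"username", "passcode", "csrf"},
                   "/payment": {"beneficiary", "amount", "reference", "csrf"}}
# Field names from a retired page version that genuine browsers no longer send.
RETIRED_FIELDS = {"pin", "memorable_word", "sortcode_old"}
# Constructed access-log lines in a simple key=value layout (not a real log format).
SAMPLE_LOG = """\
ts=2011-09-10T10:01:02 src=203.0.113.5 method=POST path=/login ua="Mozilla/5.0 (Windows NT 6.1) Firefox/6.0" fields=username,passcode,csrf
ts=2011-09-10T10:01:09 src=203.0.113.5 method=POST path=/payment ua="Mozilla/5.0 (Windows NT 6.1) Firefox/6.0" fields=beneficiary,amount,reference,csrf
ts=2011-09-10T10:02:44 src=198.51.100.7 method=POST path=/login ua="Mozilla/4.0 (compatible; MSIE 6.0)" fields=username,passcode,csrf,pin,memorable_word
ts=2011-09-10T10:03:01 src=198.51.100.7 method=GET path=/balance.json ua="" fields=
ts=2011-09-10T10:03:15 src=198.51.100.7 method=POST path=/payment ua="Mozilla/4.0 (compatible; MSIE 6.0)" fields=beneficiary,amount,reference,csrf,tan2
"""
LINE_RE = re.compile(r'ts=(\S+) src=(\S+) method=(\S+) path=(\S+) ua="([^"]*)" fields=(\S*)')

def parse_line(line: str) -> dict:
    """Split one log line into its parts; the form field list becomes a set."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, method, path, ua, fields = m.groups()
    return {"ts": ts, "src": src, "method": method, "path": path,
            "ua": ua, "fields": {f for f in fields.split(",") if f}}

def suspicious_indicators(entry: dict) -> list:
    """Reasons this request looks like injected (man-in-the-browser) traffic, if any."""
    reasons = []
    expected = EXPECTED_FIELDS.get(entry["path"])
    if expected is not None:  # only pages whose form schema we know
        extra = entry["fields"] - expected
        retired, unknown = extra & RETIRED_FIELDS, extra - RETIRED_FIELDS
        if retired:
            reasons.append("retired field names: " + ",".join(sorted(retired)))
        if unknown:
            reasons.append("unknown field names: " + ",".join(sorted(unknown)))
    if not entry["ua"]:  # browsers always send one; scripted injection often does not
        reasons.append("missing User-Agent header")
    return reasons

def scan_log(text: str) -> dict:
    """Map the timestamp of each suspicious request to its list of indicators."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line)
        reasons = suspicious_indicators(entry)
        if reasons:
            findings[entry["ts"]] = reasons
    return findings
```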
Part 3: Money Mules
Bad guys use phishing and malware to gain access to accounts
But they need one more thing to get hold of the money: Mules
Mule = a friendly account, to which funds from a victim’s account can be transferred
Adverts in job websites, banner ads, printed newspapers…
We typically see 50-150 new fake companies set up each month
Fire and forget. They usually last for one transaction before the bank shuts down their account
Job offer
“We have found your resume at Monster.com and would like to suggest you a "Transfer manager" vacancy. We have thoroughly studied your resume and are happy to inform you that your skills completely meet our requirements for this position. Our company buy, sell, and exchange digital currencies, like E-gold and E-bullion.”
Put it all together – Online Banking Fraud Workflow
[Diagram: stages Collect → Test → Market → Defraud → Launder, with labels: Credentials valid? Available funds? ID theft opportunities? Trade credentials; Transfer funds; Money transfer; Build attack profile; Intermediate destinations; Professionals in place; Recruit “mules”; Check validity (no cops please!); Funds out of system; Research & Development; Proceeds distributed]
Loss trends
Net loss to banks from online banking fraud, 2004-11
Tactics and countermeasures
Increasing customer visibility
Strength in depth – the multi-layered approach
Identifying & protecting point of risk
Banks can also put a stronger lock on the front door (two-factor authentication)
[Diagram, layers: Back-end detection; Service controls; Transaction authentication; Log-on authentication]
A stronger front door
Multifactor authentication - what banks need to consider:
Millions of customers
Millions with several accounts
Cheap
Easy to use
Secure
Simples!
Functions
OTP
Challenge/response
Data signing
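An added example (not from the talk, and not the EMV CAP algorithm) of the three functions in Python, using a toy HMAC-SHA256 scheme with HOTP-style truncation: OTP over a counter, challenge/response over a bank-supplied nonce, and data signing over the beneficiary reference and amount from the EMV CAP slide. The shared secret and message encodings are assumptions; the back-end check shows that a code signed over one beneficiary does not verify for another.

```python
import hashlib
import hmac
import struct

# Constructed per-customer secret; in a real deployment it lives in the card or token and the bank's HSM.
CUSTOMER_SECRET = b"example-secret-shared-with-token-0001"

def truncated_code(secret: bytes, message: bytes, digits: int = 8) -> str:
    """HOTP-style dynamic truncation of an HMAC-SHA256 tag to a fixed number of decimal digits."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def otp(secret: bytes, counter: int) -> str:
    """OTP: code over a moving counter; proves possession of the token and nothing else."""
    return truncated_code(secret, b"OTP" + struct.pack(">Q", counter))

def challenge_response(secret: bytes, challenge: str) -> str:
    """Challenge/response: code over a nonce the bank displayed at log-on, so it cannot be replayed."""
    return truncated_code(secret, b"CR" + challenge.encode())

def sign_transaction(secret: bytes, reference: str, amount_pence: int) -> str:
    """Data signing: code bound to the beneficiary reference and amount the customer typed in."""
    message = b"TX" + reference.encode() + b"|" + struct.pack(">Q", amount_pence)
    return truncated_code(secret, message)

def bank_verifies_transaction(secret: bytes, code: str, reference: str, amount_pence: int) -> bool:
    """Back-end check: recompute the signature over the transaction exactly as submitted."""
    return hmac.compare_digest(sign_transaction(secret, reference, amount_pence), code)

def demo() -> tuple:
    """Customer signs the slide's payment (account 1234678, £400.00); malware then alters the beneficiary."""
    code = sign_transaction(CUSTOMER_SECRET, "1234678", 40000)
    intended_ok = bank_verifies_transaction(CUSTOMER_SECRET, code, "1234678", 40000)
    tampered_ok = bank_verifies_transaction(CUSTOMER_SECRET, code, "9876543", 40000)
    return intended_ok, tampered_ok  # (True, False): the signature does not carry over to altered data

if __name__ == "__main__":
    print(demo())
```

The signature only covers what the customer actually keyed in: if the customer is talked into entering the attacker's values as a "further security check", the code verifies for those values, which is why the back-end detection layer still matters.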
The 2FA-effect
[Chart, 0–100%, annotated: RBS/NatWest 2fa mandatory; Nationwide 2fa mandatory; Barclays 2fa announced, back-end controls introduced; Barclays 2fa mandatory]
Source: UK Payments 2009
Lots of options for multifactor
Attacking two-factor
Two factor remains technically very secure
Attackers circumvent by exploiting user uncertainty, because…
Customers remain vulnerable to social engineering – assumption of authority: “We have changed the process – you must do it this way now…”
Attacks seen elsewhere in the world for years (TANs, iTANs, OTP)
Socially Engineering EMV CAP
[Two six-step flows shown side by side]
In order to make payment ….. Beneficiary Acct = 1234678, Amount = £400.00
Becomes: “Enter Ref”, “Enter Amount” → Passcode = 98765432
A further security check ….. Security Code 1 = 34265527, Security Code 2 = 315678
“Enter Ref”, “Enter Amount” → Passcode = 12736653
What does the customer see?
Malware features - Carberp
Persistent storage in browser
Get account balance
Replace login button with a malicious version
Hide fraudulent transactions on statement display from user
Hide fraudulent logins from user
Amend transaction requests on the fly and hide from user
Installs a rogue Anti Virus app
Zeus
Probably the most significant identity theft malware in existence (but may be about to go into decline)
Nicely written, regularly updated, full technical support for customers
Targets two-factor authentication
Man in the browser, html injection, etc etc
Some banks using out of band authentication with mobile phones as a means of combating MITB.
Customers are sent a one-time passcode or a challenge via SMS or voice
SMS intercept
Mobile phones for two-factor
Out of band authentication
Good in principle
Increases challenge of interception
Practical challenges:
Ensuring all customers have a phone
That it is switched on & in range
SMS delivery is not guaranteed or covered by an SLA
Bringing other parties into the authentication loop - don’t ignore the risks
Attacks in Turkey, South Africa, Australia, Spain and UK
Account takeover, redirection of replacement SIMs
Phone call redirection
Malware on phones is now a reality
Zeus SMS “Zitmo”
Zeus-infected victim is asked to provide their mobile model and number
SMS containing link to “a new security certificate” sent to phone
Victim clicks on link and malware installs
For Symbian devices, the bad guys obtained a genuine developer certificate, since revoked (but no OCSP!!).
Malware includes a cracked version of SMS Monitor. SMS traffic from known bank SMS numbers is intercepted and redirected to C&C
Incoming SMS from C&C number used to issue commands
Malware can create/delete entries in the phonebook
C&C was a UK number registered to Cable & Wireless Guernsey Ltd (Sure Telecom)
[Image: phone screen showing “MyBank Support Calling”]
Zeus arrests
11 Arrests in UK in September 2010 (mainly mules)
38 in USA (ditto)
5 in Ukraine (aha!)
Consequences: Zeus the subject of a “takeover” by SpyEye coder, with functionality to be migrated to SpyEye
[Photos: UK arrests; USA arrests; Ukraine arrests]
Malware – what next?
Zeus/SpyEye merger probably a sign that the “Tier 1” bad guys have recognised that Zeus’ usefulness is nearing its end.
Dump and move on
Malware as a service emerging
Point and click malware kits
Further malware reading
Zeus tracker: https://zeustracker.abuse.ch/
Spyeye tracker: https://spyeyetracker.abuse.ch/
InfoWar Monitor: http://www.infowar-monitor.net
Malware Intelligence Blog: malwareint.blogspot.com
Contagio malware dump: contagiodump.blogspot.com
TrustDefender Labs blog: http://www.trustdefender.com/blog
F-Secure blog: http://www.f-secure.com/weblog
Brian Krebs: http://krebsonsecurity.com
Gary Warner blog: garwarner.blogspot.com
Where are the real vulnerabilities?
OS
95% of customers use Windows – it’s the way it is
90% of Windows installs ARE up to date
Ubiquitous 3rd Party Software
80% of Adobe Flash installs are NOT up to date
84% of Adobe Acrobat installs are NOT up to date
“Trusted” software does not always act in the users’ best interests: some of the most popular iPhone games contain spyware
Banks are not the only fruit
As banks harden their defences, the attackers are turning to weaker targets
ALL online businesses are at risk
Facebook, Twitter, Myspace, LinkedIn etc. being raided for ID theft and card data
Retailer customer accounts raided for payment details, backend databases
Businesses being attacked via their web front ends or by “spear phishing” to gain access to corporate networks.
Industrial & state espionage, intellectual property theft, sabotage, financial fraud, etc.
Things to come
Living in a digital world, expect the unexpected
Richard Martin
Head of Innovation
UK Payments
richard.martin@ukpayments.org.uk
www.banksafeonline.org.uk