Post on 16-Dec-2015
E-Banking Fraud Schemes
E-Banking Fraud Schemes: Attack Trends and Defenses
Andrew Showstead,
VASCO Data Security
Agenda
› Attack trends
  › Phishing attacks
  › Spyware attacks
  › Man-in-the-middle (MITM) attacks
  › The cybercrime black market
› Defense mechanisms
  › One-time passwords
  › Electronic signatures
  › User education
› Conclusion
Phishing attacks: introduction (2/2)
[Diagram: numbered phishing flow between the end-user, the phishing webserver, the phisher and the e-banking server, ending with $$$ for the phisher]
Why phishing works
› Technologies for server authentication exist
  › E.g. SSL/TLS with X.509v3 certificates
› Study by Harvard University & UC Berkeley (4/2006)
  › Security indicators are not noticed or understood
  › Security indicators can be spoofed

Indicators checked      Participants   Success rate
Website content only    23%            40%
Also address bar        36%            61%
Also “https”            9%             63%
Also padlock icon       23%            79%
Also certificates       9%             76%
Context-aware phishing (1/4)
› Also called “spear phishing”
› Phishing attack against:
  › Employees of a certain company, agency, organization, ...
  › People using a certain product or service
› Spear phishing e-mails are more convincing:
  › Include personal information
  › Appear to come from a known person (e.g. IT, head of HR, head of Sales and Marketing)
› Information sources:
  › Compromised databases
    › monster.com (1.3M job seekers, 8/2007), USAJobs.com (146K job seekers, 8/2007), Salesforce.com (11/2007)
  › Social networking sites (e.g. LinkedIn, FaceBook, MySpace)
Context-aware phishing (6/6)
› Reported case (9/2006)
  › Step 1: information gathering
    › Attackers broke into computer systems of <a large company>
    › Attackers stole information of 19,000 customers
  › Step 2: information usage
    › Attackers sent e-mail to customers, including personal information and a claim about a recent order requiring the customer’s attention
    › Customers were led to a website and asked for more information
Effectiveness of Spear Phishing
› Gartner: non-targeted phishing
  › 19% click on link in e-mail
  › 3% give away personal information
› Indiana University (US): targeted phishing
  › E-mail from friend: 72% give away personal information
  › E-mail from unknown student: 16% give away personal information
› West Point Military Academy (US): targeted phishing
  › E-mail from colonel to cadets: 80% give away personal information
Whaling (1/4)
› Definition
  › Spear phishing attack against high-level executives in a single organization, or executives common to different organizations (e.g. CEO, CIO, PM)
  › May involve e-mail, postal mail, ...
Whaling (3/4)
› Reported case: MessageLabs (6/2007)
  › MessageLabs intercepted 500 highly targeted e-mail messages with Word-document
  › Name and job title in subject line
  › Family and friends were targeted as well in order to access home computers
Whaling (4/4)
› BBB (SecureWorks, 5/2007 and MessageLabs, 11/2007)
› Federal Trade Commission (11/2007)
› United States Department of Justice (Websense, 11/2007)
Optimizing delivery of phishing e-mails
› Common phishing protection mechanisms:
  › Spam filter: detect phishing e-mails before they reach the end-user’s inbox
  › Browser: warn end-user when visiting phishing server
    › Based on blacklisting URLs of known phishing servers
    › Report phishing website at http://www.PhishTank.com
Preventing Blacklisting
› URL variations
  › http://www.secure-bank.com:80
› Randomized subdomains
  › Unique URL per user / number of users
  › http://www.barclays.co.uk.X.lot80.info/ (X: random number)
  › Allows tracking end-user responses
Alternative channels (1/2) - vishing
› Voice (phone) phishing
› Two types:
  1. Fraudster calls end-user and asks for credentials
  2. End-user is tricked into calling fraudster (via e-mail, voice mail)
› Strengths:
  › Telephone systems have a longer record of trust
  › A greater percentage of people can be reached (e.g. elderly)
  › People are used to automatic answering services
  › Making or receiving calls is cheap
  › Caller ID can be spoofed
Alternative channels (2/2) - smishing
› SMS phishing – phishing with text messages
› Process:
  1. End-user receives SMS telling him that
    › he has successfully subscribed to a service,
    › he will be charged for the service,
    › he can visit a website to unsubscribe from the service
  2. End-user visits website and provides sensitive information
Pharming (1/7)
› Interfere with the resolution of a domain name to an IP-address so that the domain name of the genuine website is mapped onto the IP-address of the rogue website
[Diagram: domain-name to IP-address resolution, e.g. www.barclays.co.uk → 213.219.1.141 and www.google.co.uk → 64.233.183.99]
Pharming (3/7) – hosts file poisoning
› Adding {domain name, IP-address} pairs to the hosts file
› Method:
  › Hosts file contains {domain name, IP-address} pairs
  › Windows XP/Vista: file named hosts in %SystemRoot%\system32\drivers\etc
  › DNS resolver looks up the hosts file on the end-user’s PC prior to contacting the DNS-server, so a poisoned entry wins over the genuine DNS answer
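As an added example (not from the slides), a small Python checker for the hosts-file poisoning just described: it parses hosts-file text and reports watched bank domains that have been pinned to an address, bypassing DNS. The sample file, the watch list and the address 134.58.7.20 are constructed for this example.

```python
import ipaddress
import re

# Constructed sample of a hosts file such as the Windows one named on the slide
# (%SystemRoot%\system32\drivers\etc\hosts). The last entry is a planted, poisoned one.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
134.58.7.20     www.real-bank.com   real-bank.com   # planted by malware
"""

# Domains that should only ever be resolved through DNS (constructed watch list).
WATCHED_DOMAINS = {"www.real-bank.com", "real-bank.com", "www.barclays.co.uk"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])  # accepts IPv4 and IPv6
        except ValueError:
            continue                               # malformed line, skip it
        for host in parts[1:]:                     # one line may name several hosts
            yield str(ip), host.lower()


def find_poisoned_entries(text, watched=WATCHED_DOMAINS):
    """Return {hostname: ip} for watched domains pinned by the hosts file.
    Any such pin bypasses DNS, so a bank domain here is a pharming indicator."""
    return {host: ip for ip, host in parse_hosts(text) if host in watched}
```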
Pharming (5/7) – DNS cache poisoning
› Unsolicited information in replies is accepted
› Example: a DNS-server can provide an IP-address for www.real-bank.com although the address of www.mock-bank.com was asked
[Diagram: (1) end-user PC asks the rogue DNS-server “IP of www.mock-bank.com?”; (2) the reply “www.mock-bank.com is at 134.58.7.20” also carries “www.real-bank.com is at 134.58.7.20”]
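An added example, not part of the presentation: the resolver-side check that would refuse the unsolicited record in the slide above. The reply is a constructed Python structure rather than a DNS wire message, and the zone the answering server is trusted for is simplified to the last two labels of the queried name.

```python
# Constructed reply modelled on the slide: the address of www.mock-bank.com was asked,
# but the rogue server also volunteers a record for www.real-bank.com.
ROGUE_REPLY = {
    "question": "www.mock-bank.com",
    "answers": [
        ("www.mock-bank.com", "A", "134.58.7.20"),
        ("www.real-bank.com", "A", "134.58.7.20"),   # unsolicited: would poison the cache
    ],
}


def in_bailiwick(name, zone):
    """True if name equals zone or lies beneath it (label boundary respected)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def zone_of(question):
    """Zone the answering server is trusted for. Constructed simplification: the last
    two labels of the question; a real resolver derives this from the delegation chain."""
    return ".".join(question.rstrip(".").split(".")[-2:])


def accept_records(reply):
    """Split a reply into records a resolver may cache and records it must drop.
    Anything outside the answering server's zone is discarded, however it is phrased."""
    zone = zone_of(reply["question"])
    kept, dropped = [], []
    for rec in reply["answers"]:
        (kept if in_bailiwick(rec[0], zone) else dropped).append(rec)
    return kept, dropped
```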
Drive By Attacks – Samy is My Hero
› MySpace Worm
  › Added users to Samy’s Friends list without authorization by the user
  › Added text “but most of all, Samy is My Hero” to user pages
› Propagation:
  › Author originally had 73 “friends”
  › 7 hours later, 221 new friend requests
  › 13 hours: 2,503 friends and 6,373 friend requests
  › After about 18 hours, over 1,005,831 new friend requests
› Response
  › MySpace – complete service shutdown
  › “Samy” sentenced to 3 years probation and community service – Internet ban
Pharming (6/7) – drive-by pharming
› Technique to alter DNS settings of (wireless) home router
› Method:
  1. User downloads web page containing Java applet and JavaScript
  2. Java applet detects IP-address of host and addressing scheme
  3. JavaScript pings other hosts and discovers brand of router
  4. JavaScript accesses configuration screens using default passwords
› Reported case: Mexican bank (1/2008)
  › Attack on 2wire router
  › Victim receives e-mail saying an e-card is waiting at www.gusanito.com
  › E-mail contains HTML IMG tag resulting in HTTP GET to home router; no HTTP-authentication required
  › HTTP GET changes DNS settings of router (XSRF attack)
Fast-flux service networks (1/2)
› Basic components of phishing infrastructure
  › One or more web-servers to host rogue website
  › One or more domain names, e.g. www.my-bank.info
    › Popular top-level domains: .hk, .cc and .info
  › One or more DNS-servers, which are configured to be authoritative for the registered domain names
› Phishing infrastructure requirements:
  › High availability
    › Website should not be taken down too soon by bank or ISP
  › Easily manageable
    › Webpages should not be dispersed among too many web servers
  › Can be realized using fast-flux approach
Fast-flux service networks (2/2)
› Simple fast-flux
[Diagram: (1) the end-user PC asks the local DNS-server “IP of www.mybank.com?”; (2) the local DNS-server asks the DNS-server for .com and (3) receives the IP-address of the DNS-server for mybank.com; (4) it asks that server, which sits inside the botnet, and (5) is told “www.mybank.com is at 134.158.7.10”, one of the botnet nodes (others shown: 157.120.9.15, 129.47.6.5); (6) the same answer is returned to the end-user PC; (7) the PC requests the webpage from the botnet node, which (8) requests it from the real web server, (9) receives the webpage and (10) passes it on to the end-user PC]
Spyware
› Definition of spyware attack
  › Attempt to fraudulently obtain sensitive information such as usernames, passwords and credit-card details, by covertly intercepting information exchanged during an electronic communication
[Diagram: numbered exchange (1 to 7) between the end-user, the end-user’s PC, the adversary and the e-banking server, ending with $$$ for the adversary]
Bank Trojans
› Designed to obtain bank credentials (since mid-2004)
› 4 main functions:
  › Monitoring
    › Harvest data only when the user visits a banking website (efficiency)
    › Filter list: www.citibank.com, /TAN/, “Welcome to Citi”
  › Spying
    › Capture user’s banking credentials
  › Hiding
    › Ensure Trojan cannot be detected by security software
  › Updating
    › Regular update of filter list from control server
Monitoring techniques (1/3)
› Browser Helper Objects (BHOs)
  › Lightweight DLL extension adding custom functionality to IE
  › Conform to the Component Object Model (COM)
  › Loading of BHO into IE
    › At start-up IE loads COM objects whose CLSID is present in a certain Windows registry key
  › Allows eavesdropping on browser events and user input
    › InfoStealer Trojan
    › MITM attacks
Monitoring techniques (2/3)
› Hooking WinInet API functions
  › WinInet.dll: Windows implementation of HTTP(S), FTP
  › Hooking:
    › Call to function in WinInet.dll passes via Trojan (redirection)
    › Trojan has read/write access to payload of function
[Diagram: IExplore.exe calls HTTPSendRequestA through its Import Address Table. Before hooking the table says “HTTPSendRequestA is at address 12345”, inside WinInet.dll. After hooking it says “HTTPSendRequestA is at address 45789”, the copy in Trojan.dll, which gets the payload and then calls the original at 12345]
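Added example, not from the slides: a detector for the Import Address Table hook shown in the diagram. The process snapshot (module ranges, IAT entries and the addresses 12345 and 45789) is constructed; on a live system the same data would come from the loaded-module list and the parsed IAT of the process.

```python
# Constructed snapshot of a process, modelled on the slide: the IAT entry for
# HTTPSendRequestA should point into WinInet.dll (12345 on the slide) but has been
# redirected to 45789 inside Trojan.dll. Module ranges and addresses are made up.
MODULES = {                       # module name -> (base, end) address range
    "IExplore.exe": (1000, 9999),
    "WinInet.dll": (10000, 19999),
    "Trojan.dll": (40000, 49999),
}
# Which module is expected to export each imported function (constructed).
EXPECTED_EXPORTER = {"HTTPSendRequestA": "WinInet.dll", "InternetReadFile": "WinInet.dll"}
# Imported function name -> address the IAT currently resolves it to (constructed).
IAT = {"HTTPSendRequestA": 45789, "InternetReadFile": 12400}


def module_for(address, modules=MODULES):
    """Return the name of the module whose address range contains `address`, or None."""
    for name, (base, end) in modules.items():
        if base <= address <= end:
            return name
    return None


def find_iat_hooks(iat=IAT, expected=EXPECTED_EXPORTER, modules=MODULES):
    """Flag IAT entries that resolve outside the module expected to export them.
    Returns {function: (module actually pointed at, module expected)}; an entry that
    lands in an unknown module is reported with None so it is not silently trusted."""
    hooks = {}
    for func, addr in iat.items():
        actual = module_for(addr, modules)
        want = expected.get(func)
        if want is not None and actual != want:
            hooks[func] = (actual, want)
    return hooks
```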
Monitoring techniques (3/3)
› Winsock’s Layered Service Providers (LSP) architecture
  › WinSock.dll: Windows implementation of TCP/IP
  › Applications performing network operations load WinSock
  › Additional libraries can be loaded into WinSock
› Benign applications:
  › Parental control: content filtering
  › Application-transparent encryption
› Malign applications:
  › Eavesdropping on network communication
  › Altering financial transaction data
Spying techniques
› Form grabbing
  › Trojan captures only data that is entered into a web form
  › Common techniques: BHOs, API hooking
› Injection of fraudulent pages or fields
  › Trojan modifies HTML-pages coming from the bank on-the-fly
  › Inserts additional fields or modifies destination of “Log on” button
  › Trojan receives HTML-pages from control server
› Screenshots and video captures
› Keylogging
  › Trojan is triggered when user visits certain URL
  › Only data entered into webpage is logged
› Note: these techniques defeat SSL, virtual keyboards, ...
Example: Infostealer.Banker (1/2)
› Installation
  › Registration of BHO in Windows registry
  › Generation of random number as ID for infected PC
  › Registration of ID at server via PHP-script
› Operation
  › BHO contacts server for updated “help.txt”
  › BHO listens for connections to URLs in “help.txt”
  › When BHO detects connection to certain URL
    › BHO looks in “help.txt” for HTML-code to be injected
    › BHO injects HTML code
    › Browser displays modified webpage
  › When user enters credentials into modified webpage, BHO calls PHP-script to upload credentials to server
Man-in-the-middle attack
› Real-time interception and modification of information interchanged between two entities without either entity noticing
› Uses phishing and/or spyware techniques
› Man-in-the-middle can be:
  › Local: spyware on end-user’s PC
  › Remote: phishing website
[Diagram: end-user, MITM, e-banking server]
Local man-in-the-middle attack
› “Man-in-the-browser”, “Local session riding”
› General procedure
  › Infect system with Banking Trojan
  › Hijack successfully authenticated session
  › Insert or modify fraudulent transactions
[Diagram: on the end-user’s computer, end-user “John” logs on through the browser (1: “John”, 2: OTP); the Banking Trojan passes both unchanged to the e-banking server, but rewrites the transaction 3: “$500 to Bob” into 3: “$5000 to Bill” before it reaches the server]
Remote man-in-the-middle attack
› General procedure:
  › Redirect traffic to rogue website
    › Using common phishing techniques: e-mail, pharming, …
  › Act as proxy between end-user and real banking website
  › Keep authenticated session alive and modify transaction data
› Reported cases:
  › Dutch and Swedish retail banks (March 2007):
    › Infostealer.Banker.C and phishing website
    › Damage: 4 customers, unknown amount
  › Belgian retail bank (May/June 2007)
    › Damage: 3 customers, ~ 10 000 euro
Organization (1/2)
[Diagram: roles connected through an on-line forum (IRC, web): spammer, exploiter, card skimmer, money mule, money mule recruiter, website designer, coder, botnet herder]
Organization (2/2) – money mules
› Problem of phisher:
  › E-banking system may not allow money transfers to foreign accounts
› Solution:
  › Phisher recruits “money mules” with a bank account in the country of the targeted bank
  › Phisher transfers money to bank account of mule
  › Mule transfers money to phisher (e.g. Western Union, Moneygram)
› Money mule recruitment
  › Regular job advertisement channels
  › “Financial service manager”, “shipping manager”, “private financial retriever”, etc.
  › More information: http://bobbear.co.uk/
Fraud Accounting
› Cost of phishing attack:
  › Phishing e-mail + phishing website: $5
  › Spam list: $8
  › Botnet for sending out spam during 6 hours: $30
  › Hacked server to host phishing website: $10
  › Valid DNS-name: $10
  › Total cost: $63
› Profit from phishing attack
  › Option 1: selling stolen banking credentials
    › 20 accounts: $200 - $2000
    › Profit: $137 - $1,937
  › Option 2: cashing money via money mule
    › $10,000 on account; 50% for money mule; 50% rip-off rate
    › Income: $2500
One-time passwords (1/3)
› Strengths
  › Render compromised end-user credentials less valuable for the adversary (only valid once and during a limited amount of time)
  › Limit the amount of time between the collection and exploitation steps of a phishing attack
  › Break down the traditional economic model of phishing attacks
    › Phishing economy: specialization means trading
    › Trading credentials takes time
    › One-time passwords are already invalid before they can be used
[Diagram: Time-Based Response. The Digipass with serial number SN computes a 3DES response (e.g. 342601) from its DP Secret and the current time; the user submits Userid = A, Password = OTP over the Internet; the application looks up A – SN – DP Secret (B – SN’ – DP Secret’, ...) in the “.dpx file”, computes the expected response with 3DES and compares the two]
Electronic signatures (1/6)
› One-time passwords provide only end-user authentication
  › Server only knows that the genuine end-user is present at log-on
  › Server cannot detect modifications or injections after log-on
› Electronic signatures provide transaction authentication
  › Server can detect and reject unauthenticated transactions or changes to transactions
[Diagram: end-user “John” sends 1: “John” and 3: OTP to the MITM, which forwards them to the e-banking server as 2: “John” and 4: OTP; the server answers 5: “OK”, the MITM shows the end-user 6: “Error” and then submits 7: “$5000 to Bill” over the authenticated session]
[Diagram: Data Signature (Electronic Signature, MAC). The Digipass with serial number SN computes a 3DES MAC over Field A + Field B + Field C with its DP Secret; the user submits Userid = A, the fields and Password = MAC over the Internet; the application looks up A – SN – DP Secret in the “.dpx file”, recomputes the 3DES MAC over the received fields and compares the two]
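An added example covering both the time-based one-time password slide and the electronic-signature slides; it is not VASCO code, and HMAC-SHA256 replaces the 3DES of the diagrams. It shows why an OTP alone does not stop the local man-in-the-middle of the earlier diagram while a MAC over the transaction fields does; the credential store, secrets, step length and account numbers are all constructed.

```python
import hmac
import hashlib

# Constructed server-side credential store, modelled on the slide's ".dpx file":
# userid -> (serial number, device secret). All values here are made up.
DPX = {"A": ("SN-0001", b"dp-secret-A"), "B": ("SN-0002", b"dp-secret-B")}
STEP = 30         # seconds per time step (assumption; the slide only says "time-based")
WINDOW = 1        # tolerate one step of clock drift either way
used_steps = {}   # userid -> last accepted step, so a captured OTP cannot be replayed

def otp(secret, step):
    """6-digit time-based one-time password. HMAC-SHA256 stands in for the slide's 3DES."""
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

def verify_otp(userid, code, now):
    """Accept the code if it matches a step inside the window and that step is newer than
    the last one used: valid only once and only for a limited time, as the slide requires."""
    step = int(now // STEP)
    secret = DPX[userid][1]
    for cand in range(step - WINDOW, step + WINDOW + 1):
        if cand > used_steps.get(userid, -1) and hmac.compare_digest(otp(secret, cand), code):
            used_steps[userid] = cand
            return True
    return False

def sign_tx(secret, amount, beneficiary, account):
    """Electronic signature (MAC) over the transaction fields A, B and C."""
    msg = "|".join([amount, beneficiary, account]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]

def verify_tx(userid, fields, signature):
    """Server side: recompute the MAC over the fields it actually received and compare."""
    return hmac.compare_digest(sign_tx(DPX[userid][1], *fields), signature)

def demo(now=1_700_000_000):
    """OTP log-on, a replay of the same OTP, then a man-in-the-browser that forwards a
    rewritten transaction under the signature the user computed over the original one."""
    secret = DPX["A"][1]
    login = verify_otp("A", otp(secret, now // STEP), now)
    replay = verify_otp("A", otp(secret, now // STEP), now)
    intended = ("500", "Bob", "BE00 0000 1234")       # what "John" signs on his Digipass
    tampered = ("5000", "Bill", "BE00 0000 9999")     # what the Trojan actually sends
    sig = sign_tx(secret, *intended)
    return login, replay, verify_tx("A", intended, sig), verify_tx("A", tampered, sig)
```

Because the server recomputes the MAC over the fields it received, any change to amount or beneficiary after signing makes the check fail, which is the transaction authentication the slides describe.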
Electronic signatures
› Conflict: security vs. user-friendliness
› Solution: security policies
  › Policies determine when / what has to be signed
  › Implemented at server-side: flexible
› Possible criteria
  › Amount of money (how large?)
  › Beneficiary bank account number (used previously?)
  › Determine risk of transaction
› Result
  › Electronic signature only required in case of high-risk transactions
    › Paying tax or bills (e.g. electricity, water, phone, ...): no signature
    › Transferring to other accounts of end-user (e.g. savings account): no signature
  › Facilitates envelope transactions (many-in-one)
  › “Risk-based Transaction Authentication”
End-user education
› The end-user remains the weakest link in the security chain
› Train end-users in “street smarts”:
  › Do NOT respond to e-mails asking to log-on
  › Install software from a trustworthy source only
  › DO type URLs or use bookmarks
› DO motivate end-users to install a firewall and anti-virus scanner
  › E.g. Barclays UK & F-Secure
  › E.g. Firstrade Securities US & Trend Micro
› Follow your own guidelines!
  › For example, many organizations fail to renew SSL-certificates before they expire!
Conclusion
› Sophistication of e-banking fraud schemes is increasing
  › Phishing
    › Alternative delivery channels: not only e-mail
    › Targeted phishing
  › Spyware
    › Better hiding techniques; rootkit technology likely to be used more
    › Better stealing techniques
› Need for strong authentication mechanisms is increasing
  › Safe solutions are possible
  › Combine end-user authentication and transaction authentication
  › Usability must be taken into account to prevent social engineering