
Page 1: Security Threats to e-Commerce - HKCERT

Cyber Threats to e-Commerce

S.C. Leung, CISSP CISA CBCP

Page 2

Who are we?

HKCERT
– Established in 2001. Operated by the HK Productivity Council
– Provides services to Internet users and SMEs free of charge
– Scope of services
• Security monitoring and early warning
• Incident report handling
• Publication of guidelines
• Public awareness
– www.hkcert.org
– Free subscription to alert information via email and mobile (we pay for the SMS charges)

Page 3

HKCERT

[Diagram: HKCERT's collaboration network – Local Enterprise & Internet Users; CERT teams in Asia Pacific (APCERT); CERT teams around the world (FIRST); Law Enforcement; Internet Infrastructure; Universities; Software Vendors; Security Research Centres]

Page 4

Agenda

Attackers and the Motives of Attacks

Attack Trends Highlight

Relevance to e-Commerce

Attacks and Counter-attack Strategies

Page 5

Attackers and Motives

Kiddies and early hackers: fame

Activists: hacktivism
– Anonymous, LulzSec groups

State sponsored
– Civilian monitoring
• Doubts on the R2D2 Trojan in Germany
– Attacks on state critical infrastructure or the military
• Stuxnet - 2010
• USA drone malware - 2011

E-Commerce relevant:

Cybercriminals: money
– Theft of information
– Extortion
– Control of machines for other purposes

Unfriendly parties
– Disgruntled employees: loss of reputation via data leakage or scandals
– Business competitors
• DoS
• Theft of business-sensitive information, patents, formulas

Page 6

Cybercrime as a Service

Product piracy: theft of CD keys

Theft of personal information and identification (SSN, ID, password, credit card number)

Service hosting: spam relays, phishing web hosting

Phishing attacks: paid web hosting

Proxy networks (so beware of unsolicited open proxies!)

Spyware/adware installation: pay per installation

Click fraud: pay per click

DDoS: extortion or attacks on a competitor's service site

Blackmail / ransomware: encrypts hard drive data and demands a ransom

Page 7

Attack Trend Highlights

Attacks become less visible - uninformed victims

Botnet as a platform to deliver attacks

Cybercrime as a Service

Moving up from network attacks
– to web application attacks
– to business logic abuse

Exploiting points of weak defense

Going Mobile, Going Social, Going Cloud

Page 8

Attacks Become Less Visible

– Visible mass-spreading worms (Blaster, Sasser, Netsky) peaked in 2003-2005.
– Reports on malware attacks dropped significantly.
– Security incident reports (hacking, phishing, defacement, botnet and others) increased four-fold.

[Chart: HKCERT incident report statistics by year, 2001-2002 to 2010-2011; two series, "Virus attack" and "Security attack"; y-axis 0 to 3500 reports]

Page 9

[Pie chart: Reporting Party (2010/11) – segments "local", "overseas" and "proactive discovery", with shares of 27.84%, 44.25% and 27.92%]

How Less Visible Attacks Surface

Victim report figures are low.

A compromise becomes visible when the victim machine is used to participate in phishing, malware hosting or other attacks.

1. Overseas parties report incidents to HKCERT
2. HKCERT uses proactive discovery methodologies to find hacked machines in Hong Kong

Page 10

Botnet (roBot Network) - infrastructure for cybercrime

[Diagram: a bot herder controls bots through C&C servers; commands and updates flow down, data flows up; the bots deliver DDoS attacks and spam against victims]

Wikipedia's entry on "botnet" is not totally correct: a botnet is much more than a DDoS platform.

Page 11

Relevance to e-Commerce

Websites
– Exploit the server to provide a launchpad for attacks
– For the data on the server
– For money, through extortion

Web users
– Targeted for credentials, data breach, fraudulent transactions
– Man-in-the-Middle (MitM), Man-in-the-Browser (MitB), Man-in-the-Mobile (MitMo) attacks

Page 12

Attacks to Websites

Page 13

Mass injection of osCommerce websites (Jul 2011)

osCommerce is an open-source shopping cart using Web 2.0 technology

Large-scale injection attack since July. Over 2.7M web pages infected globally.

Over 45,000 pages in Hong Kong

Injects "<iframe>" and "<script>" tags pointing to malicious links such as "willysy.com" and "exero.eu"
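One way a site owner can check their own pages for the kind of injection described above, as an added example that is not HKCERT's or osCommerce's code: walk the HTML and report every iframe or script whose source host is outside an allowlist. The allowlist, the sample page and its URL paths are constructed; the two indicator domains are the ones named on the slide.

```python
"""Scan HTML for <iframe>/<script> elements loading from off-site hosts.

Added example (not HKCERT's or osCommerce's code). The sample page,
the allowlisted host and the URL paths below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedTagFinder(HTMLParser):
    """Collect (tag, src) pairs for iframes/scripts with off-site sources."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script or src-less iframe: nothing remote to check
        host = urlparse(src).hostname
        # A relative src (no host) is same-origin and therefore allowed.
        if host and host.lower() not in self.allowed:
            self.findings.append((tag, src))


def find_injected_tags(html, allowed_hosts):
    """Return [(tag, src), ...] in document order for off-site iframes/scripts."""
    finder = InjectedTagFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a shop page with its own assets plus two injected tags.
SHOP_HOST = "shop.example.com"
SAMPLE_PAGE = """<html><head>
<script src="/js/cart.js"></script>
<script src="http://shop.example.com/js/tracking.js"></script>
<script src="http://exero.eu/sys/js.php"></script>
</head><body>
<h1>Welcome to our shop</h1>
<iframe src="http://willysy.com/" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src in find_injected_tags(SAMPLE_PAGE, [SHOP_HOST]):
        print(f"injected <{tag}> loading from {src}")
```

Run it against a crawl of the site's own pages after every deployment; any finding is either a forgotten third-party include to add to the allowlist or an injection to investigate.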

Page 14

Page 15

Multi-stage infection (drive-by download)

[Diagram: the browser sends a web request to the web server (injected) → redirected to the exploit server → the exploit server serves the exploit page → redirected to the malware hosting server → the browser downloads the malware]

Exploits are imported from other servers via iframes and redirects

Once the browser is compromised, a dropper downloads and installs the actual bot malware

Page 16

Website Protection Strategies

Plugging security holes
– Get security vulnerability warnings (available at http://www.hkcert.org)
– Regular and timely patching

Application firewall
– Block web application attacks

Writing secure web applications is the root
– Good coding practice; minimum privilege for the database user account
– Code scanning, vulnerability scanning
– HKCERT SQL injection defense guideline
• http://www.hkcert.org/english/sguide_faq/sguide/sql_injection_en.pdf
– OWASP (Open Web Application Security Project) Top Ten Project
• SQL injection, cross-site scripting, broken authentication and session management, misconfiguration …
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Page 17

Website Protection Strategies

Defense in depth
- Separate the web server and the database server

Encryption
- Encrypt web communication
- Encrypt sensitive data on the server

Plan for contingency
- What if the website is not available?
- Alternate website
- Manual procedure?
- Backup and recovery

Page 18

Attacks to Web Users

Page 19

Attacks targeting web users

Attacks are more sophisticated, targeting two-factor authentication using Man-in-the-Middle attacks

From getting the credential to transferring money on the spot, because the piggybacking window is temporary

From phishing (fake site) to fraud on the real online site

Targeted, because each online e-commerce site is different

The e-commerce site does not see the hacker in its access log. They are in the browser, carrying the cyber identity of the customer

Page 20

What is a Man-in-the-Middle attack?

The hacker sits in the middle between client and server and is able to read, modify and insert messages sent between the parties

Client and server are NOT AWARE of the existence of the middle man

It is an ACTIVE attack, as opposed to passive sniffing

[Diagram: Normal HTTP connection – the web browser sends "GET http://abc.com" to the web server, which replies "HTTP/1.0 200 OK". MITM hijacked connection – the browser's "GET http://abc.com" goes to the attacker, who forwards it to the web server and relays the "HTTP/1.0 200 OK" reply back to the browser.]

Page 21

Botnets targeting Banks and e-Commerce

Zeus and SpyEye botnets
– steal banking information by keylogging and form grabbing
– features:
• Take screenshots (saved to HTML without images)
• Fake redirect (redirect to a prepared fake bank webpage)
• HTML inject (hijack the login session and inject new fields)
• Log the visit information of each banking site, record the input string (text or POST URL)

Page 22

Man-in-the-Browser

Hackers' dream: breaking two-factor authentication
– Intercept the transaction
• Install software/plugin inside the browser, hook major OS and web browser APIs and proxy the data
– Rewrite the screen. Trick the user into entering credentials.
– Change the amount and change the destination to the attacker's account
– Change the display to the user as if his transaction was executed
• Calculate the "should be" amount and rewrite the remaining total to the screen
• Store in a database in the cloud the amount transacted from the user's perspective

Source: www.cronto.com

Page 23

Zeus in the Mobile

ZitMo (reported in Sep-2010)
– Zeus ver 2.0, with Man-in-the-Mobile (MitMo) feature
– Mobile infection:
• Infected PC visits the bank website
• Zeus injects HTML content into the webpage, requesting the user to input their mobile phone number and the IMEI # (and phone model)
• Hacker sends a new "digital certificate" to the phone
• User installs the Zeus mobile component
– Platforms: Symbian, Android, WinCE and BlackBerry
– Sniffs the SMS messages when woken up by a special SMS
• Steals the one-time password (OTP) sent via SMS

SpyEye goes mobile (Apr-2011) using similar techniques

2011-July

Page 24

Inserting a transaction (at login)

[Diagram: the user submits PIN + OTP on the login page; the Trojan kicks up a shadow login at the back and inserts a new window reading "Not successful. Please retry"; the user submits PIN + OTP2; the hacker uses OTP2 to authenticate a transaction]

Page 25

Defense at client side

3 baseline defenses are necessary but not sufficient
– Protection from malware
– Personal firewall
– Update patches; this is more and more important

Install Microsoft Malicious Software Removal Tool (MSRT)

Secunia Personal Software Inspector: http://secunia.com/vulnerability_scanning/personal/

Page 26

Defense at client side

Use newer and secure browsers (Chrome 12, FF 5, IE 9)
– They come with new features: URL blocking, sandbox

Use separate browsers for casual browsing and transaction-based use

Avoid installing add-ons (extensions, ActiveX objects …) on the browser

Page 27

Attacks to Business Logics

Page 28

Attacks to Business Logics

As SQL and XSS vulnerabilities are reduced, attackers shift their focus to vulnerabilities in business logic

Business logic flaws are not software bugs. Business logic abuses are not exploits. Attackers use functionality intended for legitimate users.
– Web application firewalls have no defense against it.
– Quality assurance may overlook this because tests usually test what the code is supposed to do, and not what it can be made to do.

Page 29

Abuse of Functionality

Case 1: Winning an Online Auction
– Online auction website: all logged-in users can bid and view who is bidding what.
– Intruder lockout: prevents password guessing for 1 hour after 5 failed tries within 5 minutes.

What can be abused here?
– One can brute-force other bidders' account logins to trigger the lockout (denial of service)

What can be done to improve?
– Use CAPTCHA instead of intruder lockout (like Gmail)
– Is there a need to display who is bidding what?
– Allow a minimum bid to discourage unreasonable deals

Page 30

Insufficient Process Validation

Case 2: CNBC's Million Dollar Portfolio Challenge
– Ten 1-week challenges among 375K amateur traders for a prize of USD10K
– Steps to place a simulated stock trade:
1. Select the stock to purchase and the number of shares, and press the submit button
2. The backend system computes the total order using the current price and waits for user confirmation

What can be abused here?
– One can hold the step 2 confirmation until after trading closes, and execute only if the stock price has risen significantly

What can be done to improve?
– Always use the current share price to transact
– Set a timeout on the session
– Reject order execution after the market closes
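The two-step order flow from Case 2 with the weak confirmation beside a hardened one, as an added example that is not HKCERT's or CNBC's code: confirm_weak fills at the step 1 price, while confirm_hardened applies the three fixes listed (transact at the current price, time out stale quotes, reject confirmations after close). The closing time, the timeout and the prices are constructed.

```python
"""Two-step simulated trade order: quote, then confirm.

Added example (not HKCERT's or CNBC's code). Timeout, closing time,
ticker and prices are constructed.
"""
from dataclasses import dataclass

MARKET_CLOSE = 16 * 3600      # assumed close at 16:00, in seconds since midnight
CONFIRM_TIMEOUT = 120         # assumed: a quote stays valid for 2 minutes


@dataclass
class Quote:
    symbol: str
    shares: int
    quoted_price: float
    quoted_at: int            # seconds since midnight


def quote_order(symbol, shares, price_feed, now):
    """Step 1: compute the order from the current price and show it to the user."""
    return Quote(symbol, shares, price_feed[symbol], now)


def confirm_weak(quote, price_feed, now):
    """Step 2 as abused on the slide: the price captured in step 1 is honoured
    no matter how long the user waited, so confirming only after the price
    has risen locks in a risk-free gain. price_feed and now are ignored."""
    return {"status": "filled", "price": quote.quoted_price,
            "total": quote.shares * quote.quoted_price}


def confirm_hardened(quote, price_feed, now):
    """Step 2 with the slide's three fixes applied."""
    if now >= MARKET_CLOSE:
        return {"status": "rejected", "reason": "market closed"}
    if now - quote.quoted_at > CONFIRM_TIMEOUT:
        return {"status": "rejected", "reason": "quote expired"}
    price = price_feed[quote.symbol]          # always transact at the current price
    return {"status": "filled", "price": price, "total": quote.shares * price}


# Constructed scenario: quote at 10:00 while ACME trades at 10.00, the price
# rises to 12.00 during the day, and the user confirms at 17:00.
FEED = {"ACME": 10.0}
QUOTE = quote_order("ACME", 100, FEED, 10 * 3600)
FEED["ACME"] = 12.0

if __name__ == "__main__":
    print(confirm_weak(QUOTE, FEED, 17 * 3600))       # filled at 10.00
    print(confirm_hardened(QUOTE, FEED, 17 * 3600))   # rejected: market closed
```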

Page 31

Other Business Logic Abuses

Information leakage

Data scraping

Password recovery

Pump-and-dump

Spoofing cookie values to gain access to other users' accounts

… more

Reference – https://www.whitehatsec.com/resource/whitepapers/business_logic_flaws.html

Page 32

Protection

Identification and detection of attacks
– Detect abnormal behaviour, e.g. large-volume downloads, non-human-speed activities
– Criminals behave differently from normal users
– Check login location, login device
– Log analysis

Prevention
– Pentest your business logic
– Use CAPTCHA to defend against robots
– Personal questions, such as image identification
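The detection ideas above (non-human speed, large-volume download, unexpected login location) run over constructed access-log lines, as an added example that is not HKCERT's code. The log format, the thresholds, the known-country profiles and the sample lines are all assumptions.

```python
"""Flag non-human activity in a constructed web access log.

Added example (not HKCERT's code). Log format "<epoch> <user> <country>
<bytes> <path>", thresholds, profiles and sample lines are constructed.
"""
from collections import defaultdict

MAX_REQ_PER_MIN = 60            # assumed: faster than a person clicks
MAX_BYTES_PER_MIN = 5_000_000   # assumed: bulk download / scraping threshold
KNOWN_COUNTRIES = {"alice": {"HK"}, "bob": {"HK", "SG"}}   # constructed profiles


def parse_line(line):
    ts, user, country, size, path = line.split(maxsplit=4)
    return int(ts), user, country, int(size), path


def detect(lines):
    """Return sorted (user, reason) alerts for the given log lines."""
    per_minute = defaultdict(lambda: [0, 0])   # (user, minute) -> [requests, bytes]
    seen_countries = defaultdict(set)
    for line in lines:
        ts, user, country, size, _ = parse_line(line)
        bucket = per_minute[(user, ts // 60)]
        bucket[0] += 1
        bucket[1] += size
        seen_countries[user].add(country)

    alerts = set()
    for (user, _), (requests, nbytes) in per_minute.items():
        if requests > MAX_REQ_PER_MIN:
            alerts.add((user, "non-human speed"))
        if nbytes > MAX_BYTES_PER_MIN:
            alerts.add((user, "large volume download"))
    for user, countries in seen_countries.items():
        # An account without a profile has no known country, so any login is new.
        if countries - KNOWN_COUNTRIES.get(user, set()):
            alerts.add((user, "new login location"))
    return sorted(alerts)


# Constructed sample: alice views a few items from HK; mallory, an account
# with no profile, pulls 200 product pages of 30 KB within one minute from RU.
SAMPLE_LOG = [f"1700000000 alice HK 12000 /item/{i}" for i in range(5)]
SAMPLE_LOG += [f"1700000010 mallory RU 30000 /item/{i}" for i in range(200)]

if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

The thresholds are deliberately simple; in practice they are tuned per site from the behaviour of real customers, which is the "criminals behave differently" point above.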

Page 33

Take down Botnet

Page 34

Hit criminals' critical infrastructure

Trace the supply chain of criminals (Law Enforcement)

Bring down their infrastructure (ISP, DNR)
– C&C, malicious websites, fake domain names
– Domain name registries manage domain registration abuse
– ISPs unplug malware hosting networks

Bring down spam-borne attacks
– Corporations and ISPs adopt Port 25 management (blocks direct SMTP); this forces spammers to use credentials, which makes them more accountable (advocated by APWG, CERT)
– http://www.maawg.org/port25/

Page 35

Botnet Takedowns in the past 2 years

Collaboration of law enforcement, Microsoft, security researchers, ISPs and domain name registries, taking the fight to the courts

Operations
– Operation b49 (Waledac botnet) - Feb 2010
– Operation Trident Breach (Rimecud botnet) - Oct 1, 2010 in Spain and Slovenia
– Operation Tolling (Bredolab botnets) - Oct 25, 2010 in the Netherlands
• C&C is sinkholed
• Bots are redirected to a page informing the user of the infection

Page 36

Botnet Takedowns in the past 2 years

– Operation B107 (Rustock botnet) - Mar 16, 2011: most C&C in the USA
• Global spam down by 40% immediately afterwards
• Bots still need to be cleaned up
– Operation Adeona (CoreFlood botnet) - Apr 13, 2011
• C&C sinkholed; a KILL command is sent to the bots to terminate them in memory
– Operation Trident Tribunal (scareware) - Jun 22, 2011: along with international law enforcement partners, announced the indictment of two individuals from Latvia and the seizure of more than 40 computers
• http://www.fbi.gov/news/stories/2011/june/cyber_062211
– Operation B79 (Kelihos, DNS abuse) - Sep 26, 2011:
• http://blogs.technet.com/b/mmpc/archive/2011/09/26/operation-b79-kelihos-and-additional-msrt-september-release.aspx

Page 37

Success Factors in Botnet Takedown

Be a good neighbour
– Collaborate with law enforcement and CERTs to take down malicious content
– If you and other parties (ISPs, OSPs, security researchers, academia) collaborate, the world will be different

Creative disruption tactics in takedown
– Sharing of intelligence
– Operational security (confidentiality, coordinated timing and speed)
– Preempt future attacks
– Use a sinkhole to get information on the bots. Find the bot machines left over before they join another botnet: they are vulnerable and may be leaking data
– Solve legal issues

WE NEED YOU!

Page 38

Going Cloud

Page 39

Security Issues arising from the Cloud

Service level management challenge

Crime in the cloud
– Password cracking
– Hosting of phishing sites, malware
– Botnet in the cloud
• Zeus using Amazon's EC2 as command and control server (Dec-2009)
– http://www.zdnet.com/blog/security/zeus-crimeware-using-amazons-ec2-as-command-and-control-server/5110
• SpyEye uses Amazon S3 to exploit (Jul-2011)
– http://www.scmagazine.com.au/News/265367,amazon-used-to-spread-bank-stealing-trojan.aspx
– Launching DDoS

Investigation challenge
– Most fraud and attacks are conducted via fraudulent accounts (fraudulent cards)
• Creates one more investigation
– No seizure of devices; no forensics paradigm
– Chain of custody starts with the cloud provider
– Jurisdiction: where was the crime scene? where to serve the warrant?

Page 40

Security Opportunity with Cloud

The cloud is elastic by design and can take up more traffic volume

Secure Web as a Service
– Provides a secured front line for customers' web servers
– Shields most application attacks
– Shields a moderate level of DoS attack
– Continuous monitoring. Regular audits
– Investigation
– Learn from one customer and apply to others
– ** But SSL websites may have confidentiality considerations

Page 41

Conclusion

ATTACKERS
– Attackers go after $$$. E-Commerce is a sure target.
– Attackers also go mobile, SNS and cloud

ATTACKS
– Security attacks are more and more sophisticated
– Botnets and "invisible" malware are the cybercrime vehicles

YOUR SECURITY, OUR SECURITY
– Public awareness is important: CARE is vital. Tools can only help.
– Close all security holes in (1) software, (2) procedure/business logic and (3) humans
– We all need to work together for a safe, clean and reliable Internet.

Page 42

Q & A

Website: www.hkcert.org
Hotline: 81056060
Email: [email protected]