Evolution of Remote Banking Fraud
Richard Martin, Security Unit, UK Payments
Royal Holloway, 10 September 2011
UK Payments
Voice of the payments industry.
Payment scheme management: we run the Payments Council, BACS, CHAPS, Faster Payments, cheques, cash...
Our schemes processed nearly 7 billion payments in 2009, with a value of £69 trillion (for comparison, UK GDP is around £2 trillion).
Protecting the integrity of UK payments systems: we are increasingly central to the UK anti-fraud effort.
Payments Council members
The world we live in
The Internet is a major channel for banks and payments.
Challenges: the Internet is not secure, and customer PCs are not secure. But customers love it, and banks love it. So we need to address the challenges.
Source: UK Payments, 2011
What is being attacked?
Not the bank directly (so much). The customer: static authentication credentials and card details, "data that never changes", which can therefore be stolen or given away. The customer's equipment: malware!
Part 1: Phishing
Phishing attacks are becoming more sophisticated:
Phishing incidents – UK banks
Source: UK Payments 2011
Total for 2010: 61,873 incidents
Phishing – looking closer
Source: UK Payments 2011
[Chart: percentage breakdown with a 0-100% axis; the categories and values are not recoverable from the text.]
Standard phishing life cycle
Spambot -> phishing hosts (bots) -> various DNS tools (fast-flux etc.) -> credential recovery/storage -> attacker
Developments in phishing: adaptive phishing
Sites designed to evade or confuse analysis. The phishing host serves up different sites depending on localisation and other factors. One site can:
- Firefox with German language: redirect to a German PayPal phishing site
- IE with English language: redirect to an English bank phish
- SeaMonkey: try to install malware
- Text browsers (often used by analysts): Error 404
- Browser run within a VM (ditto): Error 404
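The practical consequence of that routing table is that a single fetch from an analyst's text browser or VM tells you nothing: the host answers 404 to exactly those visitors. The following is an added example (not code from the talk or from any real phishing kit) that models the slide's decision logic and the analyst-side differential probe it calls for. The analyst user-agent markers, the `inside_vm` flag (standing in for client-side VM fingerprinting a kit would do in JavaScript), the sample profiles and the simulated `fetch` are all constructed for illustration.

```python
"""Adaptive ("cloaking") phishing host and the analyst-side check it calls for.

Added example; this is not code from the talk or from any real phishing kit.
The routing table models the behaviour listed on the slide, the analyst
user-agent markers, the VM flag and the sample profiles are all constructed
for illustration, and `fetch` is simulated rather than going over the network.
"""
import hashlib

# User-agent fragments typical of analyst tooling rather than victims
# (constructed list; a real kit's list would be longer).
ANALYST_UA_MARKERS = ("lynx", "w3m", "links", "curl", "wget", "python-requests")


def route(user_agent: str, accept_language: str, inside_vm: bool):
    """Model of the kit's decision: what (status, page) does this visitor get?

    `inside_vm` stands in for the client-side VM fingerprinting a kit would do
    in JavaScript; it is passed as a flag here to keep the example offline.
    """
    ua = user_agent.lower()
    # Primary language from an Accept-Language header such as "de-DE,de;q=0.8"
    lang = accept_language.split(",")[0].split("-")[0].strip().lower() if accept_language else ""

    if inside_vm or any(marker in ua for marker in ANALYST_UA_MARKERS):
        return 404, "Not Found"                      # text browsers and VMs: play dead
    if "seamonkey" in ua:
        return 200, "malware-dropper"                # tries to install malware
    if "firefox" in ua and lang == "de":
        return 302, "redirect:paypal-de-phish"       # German PayPal phish
    if "msie" in ua and lang == "en":
        return 302, "redirect:bank-en-phish"         # English bank phish
    return 200, "generic-landing"


# Visitor profiles an analyst should probe with (constructed). The first one,
# the text browser many analysts reach for, is exactly the one a cloaked host
# answers with a 404.
PROFILES = {
    "lynx":        ("Lynx/2.8.8rel.2 libwww-FM/2.14", "en", False),
    "ie8-en-gb":   ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", "en-GB,en;q=0.5", False),
    "firefox-de":  ("Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0", "de-DE,de;q=0.8", False),
    "seamonkey":   ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 SeaMonkey/2.0", "en-US", False),
    "firefox-vm":  ("Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0", "en-GB", True),
}


def differential_probe(fetch, profiles=PROFILES):
    """Fetch the same URL once per profile and compare what comes back.

    Returns (per-profile response fingerprints, cloaked?). Differing
    fingerprints mean the host serves different content to different
    visitors, so a single 404 seen from a text browser proves nothing.
    """
    fingerprints = {}
    for name, (ua, lang, vm) in profiles.items():
        status, body = fetch(ua, lang, vm)
        fingerprints[name] = f"{status}:{hashlib.sha256(body.encode()).hexdigest()[:12]}"
    cloaked = len(set(fingerprints.values())) > 1
    return fingerprints, cloaked


if __name__ == "__main__":
    results, cloaked = differential_probe(route)
    for name, fp in results.items():
        print(f"{name:12s} {fp}")
    print("cloaking detected:", cloaked)
```

Against a live host, `fetch` would be an HTTP GET carrying each profile's headers, sent from a machine that is neither a VM nor on a range the kit recognises as a security vendor; the comparison logic is the same. A host that returns identical content to every profile is not proved clean, but one that returns a 404 to the text browser and a redirect to the IE profile is certainly cloaking.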
Developments in phishing: live phishing
The customer is enticed to visit the fake bank site as usual. All communications are relayed by the phishing site to the real bank site in real time. Payment and authentication requests are injected or amended by the attacker. Target: two-factor authentication.
Phishing still here because...
It still works!
Source: UK Payments 2004-2010

                                            2004   2006   2008   2009
Would ignore / delete a phishing email       65%    50%    57%    59%
Would ask bank for advice                    28%    39%    31%    31%
"Would act on it"                             4%   3.8%     4%     6%
Under-24s who "would act on it"              12%    12%    12%    13%
Some further reading
Dhamija (Harvard), Tygar and Hearst (UC Berkeley), "Why Phishing Works": http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
Wu, Miller and Garfinkel (MIT Computer Science and Artificial Intelligence Laboratory), on security toolbars: http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf
Jagatic, Johnson, Jakobsson and Menczer (School of Informatics, Indiana University, Bloomington), social-network phishing experiment: http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf
Other good sources of research on people's perception and acceptance of risk: Prof. A. John Maule (Leeds), Dr Angela Sasse (UCL), Hazel Lacohee (BT).
Part 2: Malware
Some names to remember: Torpig (aka Sinowal), Zeus (aka Zbot), SpyEye, PSP2-BBB, Silent Banker, Yaludle, Bugat, Carberp, Silon...
Two-factor authentication is now a target. Man in the Browser (MITB) is the new Man in the Middle. Scripting: automated payment injection. Controlled distribution: targeted, low infection numbers, quiet operation.
They work, but:
- they are difficult to industrialise;
- their effect can be detected (odd GET and POST data, old or non-existent field names, unusual browser headers, etc.);
- they can be "broken".
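The three tells just listed are all visible to the bank in its own web-server logs, because injected or amended requests are built by the malware's script rather than by the bank's current page. The following is an added example (not code from the talk or from any bank) of detection logic over request logs. The JSON-lines log format, the per-endpoint form schema, the host name and every sample line are constructed for illustration; session `s2` carries the tells and `s1` is clean.

```python
"""Spotting man-in-the-browser side effects in web-server request logs.

Added example, not code from the talk or from any bank. The log format,
the form schema and every sample line are constructed for illustration;
the checks implement the three tells the slide lists: odd POST data, old
or non-existent field names, and unusual browser headers.
"""
import json

# Fields the current web application actually emits per endpoint (constructed).
FORM_SCHEMA = {
    "/login": {"username", "passcode", "form_token"},
    "/payments/new": {"beneficiary", "sort_code", "amount", "reference", "form_token"},
}
# Headers a real browser always sends on a form POST from our own pages.
REQUIRED_HEADERS = ("user-agent", "accept-language", "referer")
OUR_HOST = "https://online.example-bank.test/"     # constructed host name

# Constructed sample log: one clean session (s1) and one with MITB tells (s2).
SAMPLE_LOG = r'''
{"session":"s1","path":"/login","headers":{"user-agent":"Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0","accept-language":"en-GB,en;q=0.5","referer":"https://online.example-bank.test/login"},"form":{"username":"alice","passcode":"482913","form_token":"t-a1"}}
{"session":"s1","path":"/payments/new","headers":{"user-agent":"Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0","accept-language":"en-GB,en;q=0.5","referer":"https://online.example-bank.test/payments/new"},"form":{"beneficiary":"1234678","sort_code":"12-34-56","amount":"400.00","reference":"RENT","form_token":"t-a2"}}
{"session":"s2","path":"/login","headers":{"user-agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)","accept-language":"en-GB,en;q=0.5","referer":"https://online.example-bank.test/login"},"form":{"username":"bob","passcode":"118204","form_token":"t-b1"}}
{"session":"s2","path":"/payments/new","headers":{"user-agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},"form":{"beneficiary":"34265527","sort_code":"98-76-54","amount":"3156.78","acc_no":"34265527","tan":"315678","form_token":"t-b2"}}
'''


def detect_mitb(log_text: str):
    """Return a list of findings {session, path, reason} over a JSON-lines log."""
    findings = []
    first_ua = {}                        # session -> user-agent seen at its first request
    for raw in log_text.strip().splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        sess, path = rec["session"], rec["path"]
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        fields = set(rec.get("form", {}))

        def flag(reason):
            findings.append({"session": sess, "path": path, "reason": reason})

        # 1. Old or non-existent field names, or fields the real form would have sent.
        expected = FORM_SCHEMA.get(path)
        if expected is not None:
            unknown = sorted(fields - expected)
            missing = sorted(expected - fields)
            if unknown:
                flag("unknown form fields: " + ", ".join(unknown))
            if missing:
                flag("missing form fields: " + ", ".join(missing))

        # 2. Unusual browser headers: absent ones, or a referer from elsewhere.
        absent = [h for h in REQUIRED_HEADERS if h not in headers]
        if absent:
            flag("missing headers: " + ", ".join(absent))
        referer = headers.get("referer", "")
        if referer and not referer.startswith(OUR_HOST):
            flag("referer not from our site: " + referer)

        # 3. User-agent changing part-way through a session.
        ua = headers.get("user-agent", "")
        if sess not in first_ua:
            first_ua[sess] = ua
        elif ua != first_ua[sess]:
            flag("user-agent changed within session")
    return findings


if __name__ == "__main__":
    for f in detect_mitb(SAMPLE_LOG):
        print(f"{f['session']} {f['path']}: {f['reason']}")
```

The schema check is the one that ages best: a malware script written against last year's payment form keeps posting last year's field names (`tan`, `acc_no` in the constructed sample) long after the bank has renamed them, which is why "old/non-existent field names" is such a reliable tell. The header checks are weaker evidence on their own and should feed a score rather than block outright.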
Part 3: Money Mules
The bad guys use phishing and malware to gain access to accounts, but they need one more thing to get hold of the money: mules.
Mule = a friendly account to which funds from a victim's account can be transferred.
Mules are recruited through adverts on job websites, banner ads, printed newspapers...
We typically see 50-150 new fake companies set up each month.
Fire and forget: a mule account usually lasts for one transaction before the bank shuts it down.
Job offer (a typical mule-recruitment e-mail):
"We have found your resume at Monster.com and would like to suggest you a "Transfer manager" vacancy. We have thoroughly studied your resume and are happy to inform you that your skills completely meet our requirements for this position. Our company buy, sell, and exchange digital currencies, like E-gold and E-bullion."
Put it all together: online banking fraud workflow
Collect -> Test -> Market -> Defraud -> Launder
Test: credentials valid? Available funds? ID theft opportunities?
Market: trade credentials; build attack profile.
Defraud: professionals in place; recruit "mules" and check their validity (no cops please!); build attack profile; transfer funds.
Launder: money transfer; funds out of system; intermediate destinations; proceeds distributed.
Research & development runs alongside every stage.
Loss trends
Net loss to banks from online banking fraud, 2004-11
Tactics and countermeasures
Strength in depth, the multi-layered approach: identify and protect the point of risk.
Layers, from the back end outwards: back-end detection; service controls; transaction authentication; log-on authentication. Visibility to the customer increases towards the front.
Banks can also put a stronger lock on the front door (two-factor authentication).
A stronger front door
Requirements: millions of customers, millions with several accounts, cheap, easy to use, secure. Simples!
Multi-factor authentication: what banks need to consider.
Functions: OTP; challenge/response; data signing.
The 2FA effect
[Chart: percentage axis 0-100% over time; the plotted values are not recoverable from the text. Annotated events, in order: Barclays 2FA announced; back-end controls introduced; Barclays 2FA mandatory; RBS/NatWest 2FA mandatory; Nationwide 2FA mandatory.]
Source: UK Payments 2009
Lots of options for multifactor
Attacking two-factor
Two-factor remains technically very secure. Attackers circumvent it by exploiting user uncertainty, because customers remain vulnerable to social engineering, in particular the assumption of authority: "We have changed the process - you must do it this way now..."
Such attacks have been seen elsewhere in the world for years (TANs, iTANs, OTP).
Socially engineering EMV CAP
The genuine payment dialogue:
1. In order to make payment ...
2. Beneficiary account = 1234678
3. Amount = £400.00
4. "Enter Ref"
5. "Enter Amount"
6. Passcode = 98765432
becomes, in the attacker's version:
1. A further security check ...
2. Security Code 1 = 34265527
3. Security Code 2 = 315678
4. "Enter Ref"
5. "Enter Amount"
6. Passcode = 12736653
What does the customer see? The reader shows the same two prompts, "Enter Ref" and "Enter Amount", in both cases. Nothing tells the customer that "Security Code 1" is an attacker's beneficiary account number and "Security Code 2" an amount (£3156.78), so the passcode they read back is a genuine signature over a payment they never meant to make.
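The point of both the live-phishing slide and the CAP slide is where the binding between the customer's code and the actual payment sits. The following is an added example (not code from the talk, and not an implementation of EMV CAP: the card's EMV cryptogram is replaced by an HMAC over the same inputs so it runs offline) that shows the four cases: an honest signed payment, a log-on OTP relayed by a live phishing site, a signed payment altered by malware, and the socially engineered signing above. The key, the challenge and the function names are constructed; the account numbers and amounts are the figures from the two dialogues.

```python
"""Why transaction signing defeats a relay, and why social engineering does not.

Added example, not code from the talk and not an implementation of EMV CAP:
the card's EMV cryptogram is replaced here by an HMAC over the same inputs so
the logic runs offline. The key and the challenge are constructed; the
account numbers and amounts are the figures from the two dialogues above.
"""
import hashlib
import hmac


def reader_response(card_key: bytes, mode: str, challenge: str = "",
                    ref: str = "", amount_pence: int = 0) -> str:
    """8-digit code as a CAP-style reader would display it.

    mode "identify": a log-on OTP; the code depends on the challenge only.
    mode "sign":     the code is bound to what the customer typed at
                     "Enter Ref" and "Enter Amount".
    """
    if mode == "identify":
        msg = b"identify|" + challenge.encode()
    elif mode == "sign":
        msg = b"sign|" + ref.encode() + b"|" + str(amount_pence).encode()
    else:
        raise ValueError("unknown mode")
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


def bank_verify_payment(card_key: bytes, beneficiary: str, amount_pence: int, passcode: str) -> bool:
    """Bank side: recompute the signature over the payment as actually submitted."""
    expected = reader_response(card_key, "sign", ref=beneficiary, amount_pence=amount_pence)
    return hmac.compare_digest(expected, passcode)


def bank_verify_logon(card_key: bytes, challenge: str, passcode: str) -> bool:
    expected = reader_response(card_key, "identify", challenge=challenge)
    return hmac.compare_digest(expected, passcode)


# --- scenarios ------------------------------------------------------------
KEY = b"constructed-card-key-not-real"                     # constructed
VICTIM_BENEFICIARY, VICTIM_AMOUNT = "1234678", 40000       # £400.00 to the intended payee
MULE_BENEFICIARY, MULE_AMOUNT = "34265527", 315678         # the "security codes": £3156.78 to the mule


def honest_payment() -> bool:
    code = reader_response(KEY, "sign", ref=VICTIM_BENEFICIARY, amount_pence=VICTIM_AMOUNT)
    return bank_verify_payment(KEY, VICTIM_BENEFICIARY, VICTIM_AMOUNT, code)


def live_phish_with_logon_otp_only() -> bool:
    """Live phishing: the relay forwards the bank's challenge and the customer's
    OTP unchanged, then submits its own payment. Nothing binds the OTP to the
    payment, so the bank accepts the log-on and the payment goes through."""
    challenge = "83920117"                                   # bank-issued challenge, relayed verbatim
    otp_from_victim = reader_response(KEY, "identify", challenge=challenge)
    return bank_verify_logon(KEY, challenge, otp_from_victim)


def mitb_alters_signed_payment() -> bool:
    """Malware swaps beneficiary and amount after the customer has signed."""
    code = reader_response(KEY, "sign", ref=VICTIM_BENEFICIARY, amount_pence=VICTIM_AMOUNT)
    return bank_verify_payment(KEY, MULE_BENEFICIARY, MULE_AMOUNT, code)


def social_engineered_signing() -> bool:
    """The customer is told the mule's account and amount are "security codes"
    and types them at "Enter Ref" / "Enter Amount". The signature is genuine."""
    code = reader_response(KEY, "sign", ref=MULE_BENEFICIARY, amount_pence=MULE_AMOUNT)
    return bank_verify_payment(KEY, MULE_BENEFICIARY, MULE_AMOUNT, code)


if __name__ == "__main__":
    print("honest payment accepted:      ", honest_payment())          # True
    print("relayed log-on OTP accepted:  ", live_phish_with_logon_otp_only())  # True
    print("MITB-altered signed payment:  ", mitb_alters_signed_payment())      # False
    print("socially engineered signing:  ", social_engineered_signing())       # True
```

The second and third cases are where transaction signing earns its keep: a relayed code only authenticates what it was computed over, so binding it to beneficiary and amount stops both the live-phishing relay and the malware swap. The fourth case shows the limit. Nothing cryptographic distinguishes it from the honest one; the only difference is what the customer was told the numbers meant, which is why the defence against it lives in the dialogue (telling customers plainly that "Enter Ref" is always the payee's account number) rather than in the reader.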
Malware features - Carberp
- persistent storage in the browser
- gets the account balance
- replaces the login button with a malicious version
- hides fraudulent transactions from the user on the statement display
- hides fraudulent logins from the user
- amends transaction requests on the fly and hides the change from the user
- installs a rogue anti-virus app
Zeus
Probably the most significant identity-theft malware in existence (but may be about to go into decline).
Nicely written, regularly updated, with full technical support for its customers.
Targets two-factor authentication: man in the browser, HTML injection, etc.
Some banks are using out-of-band authentication with mobile phones as a means of combating MITB: the customer is sent a one-time passcode or a challenge via SMS or voice.
SMS intercept
Mobile phones for two-factor: out-of-band authentication is good in principle and increases the challenge of interception. Practical challenges: ensuring all customers have a phone, and that it is switched on and in range; SMS delivery is not guaranteed or covered by an SLA; bringing other parties into the authentication loop - don't ignore the risks.
Attacks seen in Turkey, South Africa, Australia, Spain and the UK: account takeover, redirection of replacement SIMs, phone-call redirection. Malware on phones is now a reality.
Zeus SMS: "Zitmo"
The Zeus-infected victim is asked to provide their mobile model and number.
An SMS containing a link to "a new security certificate" is sent to the phone.
The victim clicks on the link and the malware installs. For Symbian devices the bad guys obtained a genuine developer certificate, since revoked (but no OCSP!!).
The malware includes a cracked version of SMS Monitor. SMS traffic from known bank SMS numbers is intercepted and redirected to the C&C.
Incoming SMS from the C&C number are used to issue commands.
The malware can create and delete entries in the phonebook.
The C&C was a UK number registered to Cable & Wireless Guernsey Ltd (Sure Telecom).
Calling "MyBank Support"
Zeus arrests
11 arrests in the UK in September 2010 (mainly mules); 38 in the USA (ditto); 5 in Ukraine (aha!).
Consequence: Zeus became the subject of a "takeover" by the SpyEye coder, with functionality to be migrated to SpyEye.
Malware - what next?
The Zeus/SpyEye merger is probably a sign that the "Tier 1" bad guys have recognised that Zeus' usefulness is nearing its end: dump and move on.
Malware as a service is emerging; point-and-click malware kits.
Further malware reading
Zeus tracker: https://zeustracker.abuse.ch/
SpyEye tracker: https://spyeyetracker.abuse.ch/
InfoWar Monitor: http://www.infowar-monitor.net
Malware Intelligence blog: malwareint.blogspot.com
Contagio malware dump: contagiodump.blogspot.com
TrustDefender Labs blog: http://www.trustdefender.com/blog
F-Secure blog: http://www.f-secure.com/weblog
Brian Krebs: http://krebsonsecurity.com
Gary Warner blog: garwarner.blogspot.com
Where are the real vulnerabilities?
OS: 95% of customers use Windows - it's the way it is. 90% of Windows installs ARE up to date.
Ubiquitous third-party software: 80% of Adobe Flash installs are NOT up to date; 84% of Adobe Acrobat installs are NOT up to date.
"Trusted" software does not always act in the users' best interests: some of the most popular iPhone games contain spyware.
Banks are not the only fruit
As banks harden their defences, the attackers are turning to weaker targets. ALL online businesses are at risk:
- Facebook, Twitter, Myspace, LinkedIn etc. being raided for ID theft and card data
- retailer customer accounts raided for payment details, and back-end databases
- businesses attacked via their web front ends or by "spear phishing" to gain access to corporate networks: industrial and state espionage, intellectual property theft, sabotage, financial fraud, etc.
Things to come
Living in a digital world, expect the unexpected