No Silver Bullet: How Malware Defeats Security Measures and What You Can Do About it
Ziv Cohen – Director, EMEA
April 2012
© 2012 Trusteer Confidential


Page 1: No Silver Bullet: How Malware Defeats Security Measures and What You Can Do About it

Ziv Cohen – Director, EMEA

April 2012

Page 2

Malware Attacks Are on the Rise

Malware incidents increased more than 30% between 2008 and 2011, causing significant damage.

54 million U.S. adults said they had incidents of malware on their desktops in 2011.

Research - Use a Layered Security Approach to Combat Phishing and Malware-Based Attacks. Published: 26 March 2012

Page 3

Online Banking Fraud is Happening

Online Banking Fraud Losses Estimated at 1B$ in US and Europe

Page 4

New Online Banking Services Adoption Hindered by Security Concerns

What are the main reasons you have decided not to use mobile banking?

My banking needs are being met without mobile banking: 57%
I’m concerned about the security of mobile banking: 48%
I don't trust the technology to properly process my banking transaction: 22%
The cost of data access on my wireless plan is too high: 18%
It is too difficult to see on my mobile phone’s screen: 17%
Other: 13%
It’s difficult or time consuming to set up mobile banking: 10%
I don’t have a banking account with which to use mobile banking: 9%
It is not offered by my bank or credit union: 3%
My bank charges a fee for using mobile banking: 2%
Refuse to answer: 1%

Federal Survey - Consumers and Mobile Financial Services, March 2012

Page 5

The Cost of Advanced Malware Attack

40% of CIOs report malware related internal breaches (2010 Deloitte-NASCIO Cyber Security Study)

49% of data breaches incorporated malware (Verizon 2010 Data Breach Report)

760 companies attacked with the same resources as RSA. Almost 20% of the Fortune 100 are on this list. (Krebsonsecurity.com, “Who else was hit by RSA Attackers?”)

Page 6

The end point is the weak link

[Diagram: Cyber Criminals, End Point User, Sensitive Data and Apps; paths labelled Difficult, Easy, Easy]

Page 7

Anatomy of Malware attack

Stages: User Target; Attack Launch; Malware Infection; Execute Fraud / Information Theft

Labels on the diagram: Human and Automated; Phishing, Drive-by-Download; System exploit, Malicious Code install; Credentials theft, Web injection, Social engineering

Page 8

Attack Setup, Execute Fraud: Man-in-the-Browser, Web Injection

[Diagram labels: PII Theft; Credentials Theft (Login: / Password: ****); Social Engineering]

Page 9

Keeping Banks In the Dark - Change Phone

1. User accesses site.

2. Malware updates the user’s phone number (1800TrueNum changed to 1800ToFraud).

3. Bank sends a confirmation SMS to the previous phone, with code and new phone number (“Confirmation Code: 1234 For number 1800ToFraud”).

4. Malware informs the user that the bank has issued a FREE SIM CARD for security reasons; the user enters the code to accept the offer.

5. Fraudster enters the confirmation code and redirects all future bank SMS/calls to 1800ToFraud.

Page 10

Confirmation Emails - Hidden

1. Malware transfers money.

2. Bank sends confirmation email.

From                 Subject                                     Sent
Your Trusteed Bank   Transaction Confirmation - Money Transfer   Tue 13 Dec 2011 12:03
Jack Friend          Party Saturday Night                        Tue 13 Dec 2011 12:02
Bill Boss            Promotion                                   Tue 13 Dec 2011 12:01
Jill Wife            Love You                                    Tue 13 Dec 2011 12:00

3. Malware hides confirmation email.

From                 Subject                                     Sent
Jack Friend          Party Saturday Night                        Tue 13 Dec 2011 12:02
Bill Boss            Promotion                                   Tue 13 Dec 2011 12:01
Jill Wife            Love You                                    Tue 13 Dec 2011 12:00

Zeus code for hiding emails:

if( document.getElementById("datatable").rows[i].innerHTML.indexOf( "Faster Payment Confirmation" ) != -1 ||
    document.getElementById("datatable").rows[i].innerHTML.indexOf( "Payment Created" ) ) {
    //Faster Payment Confirmation | Payment Created
    document.getElementById("datatable").rows[i].style.display = "none";
}

Page 11

Keeping Banks In the Dark - DDoS

“After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution”

FBI warning about Banking Trojan “GAMEOVER”

Page 12

Facebook/Ukash – Cross Channel Attack

To confirm verification you have to enter 20 euro UKash voucher. Ukash vouchers are sold by UKash.com website and Ukash.com is not affiliated with Facebook company. 20 euro will be added to your Facebook main account balance. This verification is used to confirm your age and country of origin. The UKash Voucher consists of 19 numbers and face value (sum), begins on “633”. For example 6337757575757

Page 13

MITMO/ZITMO

1. User Accesses Site (Legitimate Website)

2. “Please provide your mobile phone number”

3. SMS with link to Mobile malware (“install new certificate”)

4. Download Malware

5. Malware transfers funds (PC is proxy)

6. Transaction Approval SMS

7. Malware forwards approval SMS

8. Transaction approved using stolen SMS

[Diagram label: Malware Command & Control (also marked 5)]

Page 14

FFIEC Recognizes Malware as the Root Cause of Most Cybercrime Activities

“Controls implemented in conformance with the Guidance several years ago have become less effective..”

“Malware can compromise some of the most robust online authentication techniques”

Page 15

The Challenge: No Silver Bullet

Each measure is shown with what bypasses it (x = Bypassed):

Device Identification, Challenge Questions: Malware
OTP Devices: Man in the Browser, Real Time Phishing
Transaction Verification: Man in the Mobile
Transaction Signing: Social Engineering Malware
Virtual Browser on Stick: Memory Injection Malware
Clickstream Detection: Malware adopts Human-like behavior

Page 16

Intelligent, Adaptive, Automated

Threat Intelligence

Adaptive Protection

Sustainable Cybercrime Prevention

Page 17

Crime Logic vs. Files and Signatures

Trusteer: What it does? Crime Logic (100s)

Exploit, Infect, Hook, Inject, Access, Theft

Legacy (Anti-Virus): What it is? Files and Signatures (1000000s)

Threat Intelligence, Adaptive Protection

Page 18

First to Discover New Forms of Malware

Tens of Millions of Endpoints

Endpoints Detect and stop Crime Logic

Sunspot; Shylock; Torpig v2; OddJob; Ramnit goes financial; SpitMo for Android

Threat Intelligence, Adaptive Protection

Page 19

Ready, Before the Threat Reaches You

Tens of Millions of Endpoints

Endpoints Detect and stop Crime Logic

Sunspot; Shylock; Torpig v2; OddJob; SpitMo for Android; Ramnit goes financial

Threat Intelligence, Adaptive Protection

Page 20

Process, People, Products

[Diagram labels: Online Threats; Adaptive Protection; Cybercrime Intelligence; Analytics & Management; Crime Logic; Risk Assessment; Fraud Alert Crime Logic; Trusteer Intelligence Center; Corp; Known crime logic; Unknown crime logic]

Threat Intelligence, Adaptive Protection

Page 21

Trusteer Cybercrime Prevention Architecture: Industry leading solution for Online Cybercrime Activities

Trusteer Rapport for PC/Mac: Stop and remove financial malware, phishing

Trusteer Rapport for Mobile: Protect against mobile malware, high risk devices

Trusteer Pinpoint for Malware Detection: Detect malware-infected users, devices

Trusteer Pinpoint for Phishing Detection: Detect and Stop real-time phishing

Less Cost, Less Complexity

Intelligence-based risk assessment

Multi-layer protection against malware

No malware = Transaction anomaly prevention

Page 22

Thank You