e-banking fraud schemes e-banking fraud schemes: attack trends and defenses andrew showstead, vasco...

E-Banking Fraud Schemes

E-Banking Fraud Schemes: Attack Trends and Defenses

Andrew Showstead,

VASCO Data Security


Agenda

› Attack trends› Phishing attacks

› Spyware attacks

› Man-in-the-middle (MITM) attacks

› The cybercrime black market

› Defense mechanisms› One-time passwords

› Electronic signatures

› User education

› Conclusion

Computer Malware & Countermeasures

Phishing


Phishing attacks: introduction (2/2)

End-user

Phishing webserver

Phisher

E-banking server6

$$$

1


Why phishing works

› Technologies for server authentication exist › E.g. SSL/TLS with X.509v3 certificates

› Study by Harvard University & UC Berkeley (4/2006)

› Security indicators are not noticed or understood

› Security indicators can be spoofedParticipants Success rate

Website content only 23% 40%

Also address bar 36% 61%

Also “https” 9% 63%

Also padlock icon 23% 79%

Also certificates 9% 76%


Context-aware phishing (1/4)

› Also called “spear phishing”

› Phishing attack against:› Employees of certain company, agency, organization, ...

› People using a certain product or service

› Spear phishing e-mails are more convincing:› Include personal information

› Appear to come from known person (e.g. IT, head of HR, head of Sales and Marketing)

› Information sources:› Compromised databases

› monster.com (1.3M job seekers, 8/2007), USAJobs.com (146K job seekers, 8/2007), Salesforce.com (11/2007)

› Social networking sites (e.g. LinkedIn, FaceBook, MySpace)



› Reported case: (9/2006)

› Step 1: information gathering› Attackers broke into computer systems of <a large

company>

› Attackers stole information of 19,000 customers

› Step 2: information usage› Attackers sent e-mail to customers, including personal

information and a claim about recent order requiring the customer’s attention

› Customers were led to website and asked for more information


Effectiveness of Spear Phishing

› Gartner: non-targeted phishing› 19% clicks on link in e-mail

› 3% gives away personal information

› Indiana University (US): targeted phishing› E-mail from friend: 72% gives away personal information

› E-mail from unknown student: 16% gives away personal information

› West Point Military Academy (US): targeted phishing› E-mail from colonel to cadets: 80% gives away personal

information


Whaling (1/4)

› Definition› Spear phishing attack against high-level executives in a

single organization, or executives common to different organizations (e.g. CEO, CIO, PM)

› May involve e-mail, postal mail, ...


Whaling (2/4)


Whaling (3/4)

› Reported case: MessageLabs (6/2007)

› MessageLabs intercepted 500 highly targeted e-mail messages with Word-document

› Name and job title in subject line

› Family and friends were targeted as well in order to access home computers


Whaling (4/4)

BBB (SecureWorks, 5/2007 and MessageLabs, 11/2007)

Federal Trade Commission (11/2007)

United States Department of Justice (Websense, 11/2007)


Optimizing delivery of phishing e-mails

› Common phishing protection mechanisms: › Spam filter: detect phishing e-mails before end-user’s inbox

› Browser: warn end-user when visiting phishing server

› Based on blacklisting URLs of known phishing servers› Report phishing website at http://www.PhishTank.com

Preventing Blacklisting

› URL variations

› http://www.secure-bank.com:80

› Randomized subdomains

› Unique URL per user / number of users

› http://www.barclays.co.uk.X.lot80.info/ (X: random number)

› Allows tracking end-user responses



Alternative channels (1/2) - vishing

› Voice (phone) phishing

› Two types:1. Fraudster calls end-user and asks

for credentials

2. End-user is tricked to call fraudster (via e-mail, voice mail)

› Strengths:› Telephone systems have longer

record of trust

› A greater percentage of people can be reached (e.g. elderly)

› People are used to automatic answering services

› Making or receiving calls is cheap

› Caller ID can be spoofed

Alternative channels (2/2) - smishing

› SMS phishing – phishing with text messages

› Process:

1. End-user receives SMS telling him that

› he has successfully subscribed to a service,

› he will be charged for the service,

› he can visit a website to unsubscribe from a service

2. End-user visits website and provides sensitive information

Pharming


Pharming (1/7)

› Interfere with the resolution of a domain name to an IP-address so that domain name of genuine website is mapped onto IP-address of rogue website

www.barclays.co.uk www.google.co.uk

213.219.1.141 64.233.183.99


Pharming (2/7) – hosts file poisoning


Pharming (3/7) – hosts file poisoning

› Adding {domain name, IP-address} pairs to hosts file

› Method:

› Hosts-file contains {domain name, IP-address} pairs

› Windows XP/Vista: %SystemRoot%\system32\drivers\etc

› DNS resolver looks up hosts file on end-user’s PC prior to contacting DNS-server


End-user PC

IP of www.mock-bank.com?

1

Rogue DNS-server

www.mock-bank.com is at 134.58.7.20www.real-bank.com is at 134.58.7.20

2

› Unsolicited information in replies is accepted

› Example: a DNS-server can provide an IP-address for www.real-bank.com although the address of www.mock-bank.com was asked

Pharming (5/7) – DNS cache poisoning

Drive By Attacks – Samy is My Hero


› MySpace Worm

› Added users to Samy’s Friends list without authorization by user

› Added text “but most of all, Samy is My Hero” to user pages

› Propogation:

› Author originally had 73 “friends”

› 7 hours later, 221 new friend requests

› 13 hours: 2,503 friends and 6,373 friend requests

› After about 18 hours, over 1,005,831 new friend requests

› Response

› MySpace – complete service shutdown

› “Samy” sentenced to 3 years probabtion and community service – Internet ban


Drive By Attacks – Samy is My Hero


Pharming (6/7) – drive-by pharming

› Technique to alter DNS settings of (wireless) home router

› Method:

1. User downloads web page containing Java applet and JavaScript

2. Java applet detects IP-address of host and addressing scheme

3. JavaScript pings other hosts and discovers brand of router

4. JavaScript accesses configuration screens using default passwords

› Reported case: Mexican bank (1/2008)

› Attack on 2wire router

› Victim receives e-mail saying e-card waiting at www.gusanito.com

› E-mail contains HTML IMG tag resulting in HTTP GET to home router; no HTTP-authentication required

› HTTP GET changes DNS settings of router (XSRF attack)


Fast-flux service networks (1/2)

› Basic components of phishing infrastructure› One or more web-servers to host rogue website

› One or more domain names, e.g. www.my-bank.info

› Popular top-level domains: .hk, .cc and .info

› One or more DNS-servers, which are configured to be authoritative for the registered domain names

› Phishing infrastructure requirements:› High availability

› Website should not be taken down too soon by bank or ISP

› Easily manageable

› Webpages should not be dispersed among too many web servers

› Can be realized using fast-flux approach


Fast-flux service networks (2/2)

End-user PCDNS-server

for .com

Botnet

157.120.9.15134.158.7.10129.47.6.5

Web server

1

IP of www.mybank.com?

6

www.mybank.com is at 134.158.7.10


2

IP-address of DNS-server for mybank.com

3

Request webpage 7

Webpage10

Request webpage 8 Webpage9

5www.mybank.com is

at 134.157.7.104


LocalDNS-server

› Simple fast-flux

DNS-server for mybank.com

Spyware


Spyware

› Definition of spyware attack

› Attempt to fraudulently obtain sensitive information such as usernames, passwords and credit-card details, by covertly intercepting information exchanged during an electronic communication

End-user’s PC

Adversary

E-banking server

1

2

3

4 5 67

$$$End-user


Bank Trojans

› Designed to obtain bank credentials (since mid-2004)

› 4 main functions:

› Monitoring

› Harvest data when user visits banking website efficiency

› Filter list: www.citibank.com , /TAN/ , “Welcome to Citi”

› Spying

› Capture user’s banking credentials

› Hiding

› Ensure Trojan cannot be detected by security software

› Updating

› Regular update of filter list from control server


Monitoring techniques (1/3)

› Browser Helper Objects (BHOs)

› Lightweight DLL extension adding custom functionality to IE

› Confirm to Common Object Model (COM)

› Loading of BHO into IE

› At start-up IE loads COM objects whose CLSID is present in certain Windows registry key

› Allows eavesdropping on browser events and user input

› InfoStealer Trojan

› MITM Attacks



› Hooking WinInet API functions

› WinInet.dll: Windows implementation of HTTP(S),FTP

› Hooking:

› Call to function in WinInet.dll passes via Trojan (redirection)

› Trojan has read/write access to payload of function

IExplore.exe

Call HTTPSendRequestA

Import Address Table

HTTPSendRequestA is

at address 12345

WinInet.dll

HTTPSendRequestA12345

Trojan.dll

HTTPSendRequestA

…

Get payload

Call 12345

45789

HTTPSendRequestA is

at address 45789



› Winsock’s Layered Service Providers (LSP) architecture› WinSock.dll: Windows implementation of TCP/IP

› Applications performing network operations load WinSock

› Additional libraries can be loaded into WinSock

› Benign applications:› Parental control: content filtering

› Application-transparent encryption

› Malign applications:› Eavesdropping on network communication

› Altering financial transaction data


Spying techniques

› Form grabbing› Trojan captures only data that is entered into web form

› Common techniques: BHOs, API hooking

› Injection of fraudulent pages or fields› Trojan modifies HTML-pages coming from bank on-the-fly

› Inserts additional fields or modifies destination of “Log on” button

› Trojan receives HTML-pages from control server

› Screenshots and video captures

› Keylogging› Trojan is triggered when user visits certain URL

› Only data entered into webpage is logged

› Note: techniques defeat SSL, virtual keyboards, ...


Example: Infostealer.Banker (1/2)

› Installation› Registration of BHO in Windows registry

› Generation of random number as ID for infected PC

› Registration of ID at server via PHP-script

› Operation› BHO contacts server for updated “help.txt”

› BHO listens for connections to URLs in “help.txt”

› When BHO detects connection to certain URL

› BHO looks in “help.txt” for HTML-code to be injected

› BHO injects HTML code

› Browser displays modified webpage

› When user enters credentials into modified webpage, BHO calls PHP-script to upload credentials to server


Example: Infostealer.Banker (2/2)

Man-in-the-middle Attacks


Man-in-the-middle attack

› Real-time interception and modification of information interchanged between two entities without either entity noticing

› Uses phishing and/or spyware techniques

› Man-in-the-middle can be:

› Local: spyware on end-user’s PC

› Remote: phishing website

MITME-banking

serverEnd-user


Local man-in-the-middle attack

› “Man-in-the-browser”, “Local session riding”

› General procedure

› Infect system with Banking Trojan

› Hijack successfully authenticated session

› Insert or modify fraudulent transactions

End-user’s computer

2: OTP E-banking

server

Banking

Trojan

1: “John”

Browser

1: “John” 1: “John”

2: OTP 2: OTP

3: “$500 to

Bob”

3: “$500 to

Bob”3: “$5000

to Bill”

End-user

“John”


Remote man-in-the-middle attack

› General procedure:› Redirect traffic to rogue website

› Using common phishing techniques: e-mail, pharming, …

› Act as proxy between end-user and real banking website

› Keep authenticated session alive and modify transaction data

› Reported cases:› Dutch and Swedish retail banks (March 2007):

› Infostealer.Banker.C and phishing website

› Damage: 4 customers, unknown amount

› Belgian retail bank (May/June 2007)

› Damage: 3 customers, ~ 10 000 euro

The Cybercrime Black Market


Organization (1/2)

On-line forum

(IRC, web)

Spammer

Exploiter

Card

skimmer

Money mule

Money mule

recruiter

Website

designer

Coder

Botnet

Herder


Organization (2/2) – money mules

› Problem of phisher: › E-banking system may not allow money transfers to foreign

accounts

› Solution:› Phisher recruits “money mules” with bank account in country of

targeted bank

› Phisher transfers money to bank account of mule

› Mule transfers money to phisher (e.g. Western Union, Moneygram)

› Money mule recruitment› Regular job adversitement channels

› “Financial service manager”, “shipping manager”, “private financial retreiver”, etc.

› More information: http://bobbear.co.uk/


Fraud Accounting

› Cost of phishing attack:

› Phishing e-mail + phishing website: $5

› Spam list: $8

› Botnet for sending out spam during 6 hours: $30

› Hacked server to host phishing website: $10

› Valid DNS-name: $10

› Total cost: $63

› Profit from phishing attack

› Option 1: selling stolen banking credentials

› 20 accounts: $200 - $2000

› Profit: $137 - $1,937

› Option 2: cashing money via money mule

› $10,000 on account; 50% for money mule; 50% rip-off rate

› Income: $2500

Computer Malware & Countermeasures

Defense Mechanisms


One-time passwords (1/3)

› Strengths› Render compromised end-user credentials less valuable for

adversary (only valid once and during limited amount of time)

› Limit amount of time between collection and exploitation steps of phishing attack

› Break down the traditional economic model of phishing attacks

› Phishing economy: specialization means trading

› Trading credentials takes time

› One-time passwords are invalid before used

One Time Passwords (Response Only)

Encryption

DP Secret

Application

Time-Based Response

Userid = A

Password = OTP

3DES

342601

Internet

A – SN – DP Secret

B – SN’ – DP Secret’“.dpx file”

3DES

DP Secret

Digipass

Serial Number

= SN

?

=


Electronic signatures (1/6)

› One-time passwords provide only end-user authentication

› Server only knows that genuine end-user is present at log-on

› Server cannot detect modifications or injections after log-on

› Electronic signatures provide transaction authentication

› Server can detect and reject unauthenticated transactions or changes to transactions

3: OTP

End-user

“John”

E-banking

serverMITM

1: “John” 2: “John”

5: “OK”6: “Error”

7: “$5000 to Bill”

4: OTP

Data Signature (Electronic Signature, MAC)

3DES

MAC

DP SecretField A

Field B

Field C+

› Electronic signatures provide transaction authentication

› Server can detect and reject unauthenticated transactions or changes to transactions

Application

Data Signature (Electronic Signature, MAC)

Userid = A

Field A

Field B

Field C

Password = MAC

3DES

MAC

Internet

Digipass

Serial Number

= SN

3DES

MAC

DP SecretField A

Field B

Field C

Field A

Field B

Field C

A – SN – DP Secret

B – SN’ – DP Secret’“.dpx file”

+

+

?

=


Electronic signatures

› Conflict: security vs. user-friendliness

› Solution: security policies› Policies determine when / what has to be signed

› Implemented at server-side flexible

› Possible criteria› Amount of money (how large?)

› Beneficiary bank account number (used previously?)

› Determine risk of transaction

› Result› Electronic signature only required in case of high-risk transactions

› Paying tax or bills (e.g. electricity, water, phone, ...): no signature

› Transferring to other accounts of end-user (e.g. savings account): no signature

› Facilitates envelope transactions (many-in-one)

› “Risk-based Transaction Authentication”


End-user education

› The end-user remains the weakest link in the security chain

› Train end-users in “street smarts”:› Do NOT respond to emails asking to log-on

› Install software from a trustworthy source only

› DO type URLs or use bookmarks

› DO motivate end-users to install a firewall and anti-virus scanner

› E.g. Barclays UK & F-Secure

› E.g. Firstrade Securities US & Trend Micro

› Follow your own guidelines!› For example, many organizations fail to renew SSL-certificates

before they expire!


Conclusion

› Sophistication of e-banking fraud schemes is increasing› Phishing

› Alternative delivery channels: not only e-mail

› Targeted phishing

› Spyware

› Better hiding techniques; rootkit technology likely to be used more

› Better stealing techniques

› Need for strong authentication mechanisms is increasing› Safe solutions are possible

› Combine end-user authentication and transaction authentication

› Usability must be taken into account to prevent social engineering

e-banking fraud schemes e-banking fraud schemes: attack trends and defenses andrew showstead, vasco...

Documents

spear phishing phishing

personal information

targeted phishing email

myspace slide

nontargeted phishing

personal information

service spear phishing

vasco data security