Evolution of Remote Banking fraud Richard Martin Security Unit UK Payments Royal Holloway, 10 September 2011


Page 1: Evolution of Remote Banking fraud

Evolution of Remote Banking fraud

Richard Martin, Security Unit, UK Payments

Royal Holloway, 10 September 2011

Page 2

UK Payments

Voice of the payments industry
Payment scheme management – we run the Payments Council, BACS, CHAPS, Faster Payments, cheques, cash…
Our schemes processed nearly 7 billion payments in 2009, with a value of £69 trillion (for comparison, UK GDP is around £2 trillion)
Protecting the integrity of UK payments systems
We are increasingly central to the UK anti-fraud effort

Page 3

Payments Council members

Page 4

The world we live in

Internet is a major channel for banks and payments

Challenges:
  Internet is not secure
  Customer PCs are not secure
  But customers love it, and banks love it
  So we need to address the challenges

Source: UK Payments, 2011

Page 5

What is being attacked?

Not the bank directly (so much)
The customer
  Static authentication credentials & card details: “data that never changes”, and can therefore be stolen or given away
The customer’s equipment
  Malware!

Page 6

Part 1: Phishing

Phishing attacks are becoming more sophisticated:

Page 7

Phishing incidents – UK banks

Source: UK Payments 2011

Total for 2010: 61,873 incidents

Page 8

Phishing – looking closer

Source: UK Payments 2011

[Chart: percentage scale 0%–100%; the data series are not recoverable from the text]

Page 9

Standard Phishing life cycle

SpamBot
Phishing hosts (bots)
Various DNS tools – fast-flux etc.
Credential recovery/storage
Attacker

Page 10

Developments in Phishing

ADAPTIVE PHISHING

Sites designed to evade / confuse analysis
Phishing host serves up different sites depending on localisation and other factors. One site can:
  Firefox with German language – redirect to German PayPal phishing site
  IE with English language – redirects to English bank phish
  Seamonkey – tries to install malware
  Text browsers (often used by analysts) – Error 404
  Browser run within a VM (ditto) – Error 404

Page 11

Developments in Phishing

LIVE PHISHING

Customer enticed to visit fake bank site as usual
All communications relayed by phishing site to bank site in real time
Payment / authentication requests injected / amended by attacker
Target: two-factor authentication

Page 12

Phishing still here because…

It still works!

Source: UK Payments 2004-2010

                                           2004   2006   2008   2009
Would ignore / delete a phishing email      65%    50%    57%    59%
Would ask bank for advice                   28%    39%    31%    31%
“Would act on it”                            4%   3.8%     4%     6%
Under 24 year-olds who “would act on it”    12%    12%    12%    13%

Page 13

Page 14

Some further reading

Dhamija (Harvard) & Tygar and Hearst (UC Berkeley)

http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf

Wu, Miller, Garfinkel (MIT Computer Science and Artificial Intelligence Lab)

http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf

Jagatic, Johnson, Jakobsson, and Menczer (School of Informatics Indiana University, Bloomington)

http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf

Other good sources of research on people’s perception and acceptance of risk:

Prof. A. John Maule (Leeds), Dr Angela Sasse (UCL), Hazel Lacohee (BT)

Page 15

Part 2: Malware

Some names to remember: Torpig, Zeus (aka z-Bot, Sinowall), SpyEye, PSP2-BBB, Silent Banker, Yaludle, Bugat, Carberp, Silon…

Two factor authentication is now a target
Man In The Browser is the new Man In The Middle
Scripting: automated payment injection
Controlled distribution: targeted, low infection numbers, quiet operation
They work, but:
  Difficult to industrialise
  Their effect can be detected (odd GET and POST data, old/nonexistent fieldnames, unusual browser headers etc…)
  They can be “broken”
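The slide says the effect of man-in-the-browser malware can be detected from odd GET/POST data, old or nonexistent field names and unusual browser headers. The following is an added example, not code from the slides or from UK Payments, of how a bank's back end can triage submitted requests for exactly those three tells. The form schema, the retired field names, the hostname and the sample requests are all constructed for illustration.

```python
"""Added example, not from the slides: triage of web-banking requests for
the man-in-the-browser tell-tales the slide lists (odd GET/POST data, old or
nonexistent field names, unusual browser headers).  The form schema, header
list, hostname and sample requests are all constructed for illustration."""
import re
from dataclasses import dataclass

# Hypothetical schema: the fields the bank's current payment form actually sends.
CURRENT_PAYMENT_FIELDS = {"beneficiary_sortcode", "beneficiary_account",
                          "amount", "reference", "otp"}
# Field names from retired form versions; a stale inject script keeps posting them.
RETIRED_PAYMENT_FIELDS = {"payee_acct", "amt", "pin2"}
# Headers a mainstream browser always sends with a form POST to the site.
EXPECTED_HEADERS = {"Host", "User-Agent", "Accept", "Accept-Language",
                    "Referer", "Content-Type"}
# The form's client-side code always submits pounds with two decimal places.
AMOUNT_RE = re.compile(r"^\d{1,7}\.\d{2}$")


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict


def inspect(req: Request) -> list:
    """Return the reasons a request looks injected; an empty list means clean."""
    reasons = []
    if req.method == "POST" and req.path == "/payments/submit":
        names = set(req.form)
        unknown = names - CURRENT_PAYMENT_FIELDS
        retired = unknown & RETIRED_PAYMENT_FIELDS
        if retired:
            reasons.append(f"retired field names: {sorted(retired)}")
        if unknown - retired:
            reasons.append(f"nonexistent field names: {sorted(unknown - retired)}")
        missing = CURRENT_PAYMENT_FIELDS - names
        if missing:
            reasons.append(f"missing form fields: {sorted(missing)}")
        amount = req.form.get("amount", "")
        if amount and not AMOUNT_RE.match(amount):
            reasons.append(f"odd amount encoding: {amount!r}")
    missing_hdrs = EXPECTED_HEADERS - set(req.headers)
    if missing_hdrs:
        reasons.append(f"missing browser headers: {sorted(missing_hdrs)}")
    return reasons


# Constructed sample traffic: one genuine submission, one from a stale inject
# script that still posts last year's field names, and one balance lookup.
BASE_HEADERS = {
    "Host": "online.example-bank.test",
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0",
    "Accept": "text/html,application/xhtml+xml",
    "Accept-Language": "en-GB,en;q=0.8",
    "Referer": "https://online.example-bank.test/payments/new",
    "Content-Type": "application/x-www-form-urlencoded",
}
SAMPLE_REQUESTS = [
    Request("POST", "/payments/submit", dict(BASE_HEADERS),
            {"beneficiary_sortcode": "12-34-56", "beneficiary_account": "12345678",
             "amount": "400.00", "reference": "Rent", "otp": "98765432"}),
    Request("POST", "/payments/submit",
            {k: v for k, v in BASE_HEADERS.items() if k != "Accept-Language"},
            {"payee_acct": "99999999", "amt": "400", "reference": "Rent", "otp": "98765432"}),
    Request("GET", "/balance", dict(BASE_HEADERS), {}),
]


def triage(requests=SAMPLE_REQUESTS) -> dict:
    """Map request index -> reasons, for every request that raised a flag."""
    flagged = {}
    for i, req in enumerate(requests):
        reasons = inspect(req)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for i, reasons in triage().items():
        print(f"request {i}: " + "; ".join(reasons))
```

Only the second sample is flagged, on all three counts at once. The point of keeping the retired field names on file rather than just rejecting unknown ones is the one the slide makes: an inject script written against an old version of the form is a stronger signal of malware than a single stray parameter, and it is what makes the malware's effect detectable once the bank changes the form.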

Page 16

Part 3: Money Mules

Bad guys use phishing and malware to gain access to accounts
But they need one more thing to get hold of the money: Mules
Mule = a friendly account, to which funds from a victim’s account can be transferred
Adverts in job websites, banner ads, printed newspapers…
We typically see 50-150 new fake companies set up each month
Fire and forget. They usually last for one transaction before the bank shuts down their account

Job offer:

“We have found your resume at Monster.com and would like to suggest you a "Transfer manager" vacancy. We have thoroughly studied your resume and are happy to inform you that your skills completely meet our requirements for this position. Our company buy, sell, and exchange digital currencies, like E-gold and E-bullion.”

Page 17

Put it all together – Online Banking Fraud Workflow

Stages: Collect, Test, Market, Defraud, Launder

Activities shown under the stages:
Credentials valid?
Available funds?
ID theft opportunities?
Professionals in place
Recruit “mules”
Check validity (no cops please!)
Trade Credentials
Build attack profile
Transfer funds
Funds out of system
Money Transfer
Intermediate destinations
Proceeds distributed
Research & Development

Page 18

Loss trends

Net loss to banks from online banking fraud, 2004-11

Page 19

Tactics and countermeasures

Strength in depth – the multi-layered approach

Identifying & protecting point of risk

Banks can also put a stronger lock on the front door (two-factor authentication)

Back-end detection

Service controls

Transaction authentication

Log-on authentication

Increasing customer visibility

Page 20

A stronger front door

Multifactor authentication - what banks need to consider:
  Millions of customers
  Millions with several accounts
  Cheap
  Easy to use
  Secure
  Simples!

Page 21

Functions

OTP
Challenge/response
Data signing

Page 22

The 2FA-effect

Source: UK Payments 2009

[Chart: percentage scale 0%–100%, annotated with the events: Barclays 2fa announced; Back-end controls introduced; Barclays 2fa mandatory; RBS/NatWest 2fa mandatory; Nationwide 2fa mandatory]

Page 23

Lots of options for multifactor

Page 24

Attacking two-factor

Two factor remains technically very secure
Attackers circumvent by exploiting user uncertainty, because…
Customers remain vulnerable to social engineering – assumption of authority: “We have changed the process – you must do it this way now…”
Attacks seen elsewhere in the world for years (TANs, iTANs, OTP)

Page 25

Socially Engineering EMV CAP

1. In order to make payment …..
2. Beneficiary Acct = 1234678
3. Amount = £400.00
4. “Enter Ref”
5. “Enter Amount”
6. Passcode = 98765432

Becomes

1. A further security check …..
2. Security Code 1 = 34265527
3. Security Code 2 = 315678
4. “Enter Ref”
5. “Enter Amount”
6. Passcode = 12736653
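Page 21 lists data signing as one of the three functions of a multifactor device, and the slide above shows how it is socially engineered. The following is an added example, not code from the slides or from any bank, that runs both through a CAP-style signing check: the genuine payment, a man-in-the-browser amendment of the beneficiary after signing, and the "security code" script from the slide. The derivation (HMAC-SHA256 over reference and amount, truncated to 8 digits in the HOTP manner) is a constructed stand-in for the real EMV CAP "Sign" mode, and the card key, account numbers and amounts are constructed.

```python
"""Added example, not from the slides: a CAP-style transaction-signing code
and the bank-side check it enables, with the slide's scenarios run through
it.  The derivation (HMAC-SHA256 over reference and amount, truncated to 8
digits) is a constructed stand-in for the real EMV CAP "Sign" mode; the
card key, account numbers and amounts are constructed."""
import hashlib
import hmac

CARD_KEY = b"constructed-per-card-key-0001"   # placeholder for the card's secret


def sign(card_key: bytes, ref: str, amount_pence: int) -> str:
    """What the customer's reader computes from the two values they key in."""
    msg = f"{ref}|{amount_pence}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation, as in HOTP
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**8:08d}"


def bank_verify(card_key: bytes, beneficiary: str, amount_pence: int, passcode: str) -> bool:
    """The bank recomputes the code over the payment it is about to execute.
    Any difference between what was signed and what is executed fails here."""
    expected = sign(card_key, beneficiary, amount_pence)
    return hmac.compare_digest(expected, passcode)


def format_amount(amount_pence: int) -> str:
    return f"£{amount_pence // 100:,}.{amount_pence % 100:02d}"


def reader_prompt(ref: str, amount_pence: int) -> str:
    """What a reader should show before emitting a code ("what you see is what
    you sign"): the meaning of the values, not the labels the web page used."""
    return f"Confirm: pay {format_amount(amount_pence)} to account {ref}"


def scenarios() -> dict:
    """Run the genuine payment, a man-in-the-browser amendment and the
    social-engineering case from the slide through the bank's check."""
    results = {}
    # 1. Genuine: the customer keys the beneficiary and amount the bank showed.
    code = sign(CARD_KEY, "1234678", 40000)
    results["genuine"] = bank_verify(CARD_KEY, "1234678", 40000, code)
    # 2. MITB: malware swaps the beneficiary after the customer has signed.
    results["mitb_amended"] = bank_verify(CARD_KEY, "9999999", 40000, code)
    # 3. Social engineering: the customer is told the values are "security
    #    codes", but they are the attacker's beneficiary and amount, so the
    #    signature over them is valid and this control does not fire.
    code = sign(CARD_KEY, "34265527", 315678)
    results["social_engineered"] = bank_verify(CARD_KEY, "34265527", 315678, code)
    return results


if __name__ == "__main__":
    print(scenarios())
    print(reader_prompt("34265527", 315678))
```

The first two results are the case for data signing: a code bound to the beneficiary and amount survives a browser that rewrites the transaction, where a plain OTP would not. The third result is the limit the slide is making: the cryptography holds on whatever was keyed in, so the defence against the "security code" script has to be on the reader, which should tell the customer in plain words that 34265527 and 315678 mean a payment of £3,156.78 to that account before it emits a code.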

Page 26

What does the customer see?

Page 27

Malware features - Carberp

Persistent storage in browser
Get account balance
Replace login button with a malicious version
Hide fraudulent transactions on statement display from user
Hide fraudulent logins from user
Amend transaction requests on the fly and hide from user
Installs a rogue Anti Virus app

Page 28

Zeus

Probably the most significant identity theft malware in existence (but may be about to go into decline)
Nicely written, regularly updated, full technical support for customers
Targets two-factor authentication
Man in the browser, html injection, etc etc
Some banks using out of band authentication with mobile phones as a means of combating MITB. Customers are sent a one-time passcode or a challenge via SMS or voice
SMS intercept

Page 29

Mobile phones for two-factor

Out of band authentication
Good in principle
Increases challenge of interception
Practical challenges:
  Ensuring all customers have a phone
  That it is switched on & in range
  SMS delivery is not guaranteed or SLAd
  Bringing other parties into the authentication loop - don’t ignore the risks
Attacks in Turkey, South Africa, Australia, Spain and UK
Account takeover, redirection of replacement SIMs
Phone call redirection
Malware on phones is now a reality

Page 30

Zeus SMS “Zitmo”

Zeus-infected victim is asked to provide their mobile model and number
SMS containing link to “a new security certificate” sent to phone
Victim clicks on link and malware installs
For Symbian devices, the bad guys obtained a genuine developer certificate, since revoked (but no OCSP!!).
Malware includes a cracked version of SMS Monitor. SMS traffic from known bank SMS numbers is intercepted and redirected to C&C
Incoming SMS from C&C number used to issue commands
Malware can create/delete entries in the phonebook
C&C was a UK number registered to Cable & Wireless Guernsey Ltd (Sure Telecom)

(Phone screen shown on the slide: “Calling MyBank Support”)

Page 31

Zeus arrests

11 arrests in UK in September 2010 (mainly mules)
38 in USA (ditto)
5 in Ukraine (aha!)
Consequences: Zeus the subject of a “takeover” by SpyEye coder, with functionality to be migrated to SpyEye

(Images on the slide: UK arrests, USA arrests, Ukraine arrests)

Page 32

Malware – what next?

Zeus/SpyEye merger probably a sign that the “Tier 1” bad guys have recognised that Zeus’ usefulness is nearing its end.

Dump and move on
Malware as a service emerging
Point and click malware kits

Page 33

Further malware reading

Zeus tracker: https://zeustracker.abuse.ch/
Spyeye tracker: https://spyeyetracker.abuse.ch/
InfoWar Monitor: http://www.infowar-monitor.net
Malware Intelligence Blog: malwareint.blogspot.com
Contagio malware dump: contagiodump.blogspot.com
TrustDefender Labs blog: http://www.trustdefender.com/blog
F-Secure blog: http://www.f-secure.com/weblog
Brian Krebs: http://krebsonsecurity.com
Gary Warner blog: garwarner.blogspot.com

Page 34

Where are the real vulnerabilities?

OS
  95% of customers use Windows – it’s the way it is
  90% of Windows installs ARE up to date
Ubiquitous 3rd Party Software
  80% of Adobe Flash installs are NOT up to date
  84% of Adobe Acrobat installs are NOT up to date
  “Trusted” software does not always act in the users’ best interests: some of the most popular iPhone games contain spyware

Page 35

Banks are not the only fruit

As banks harden their defences, the attackers are turning to weaker targets
ALL online businesses are at risk
Facebook, Twitter, Myspace, LinkedIn etc. being raided for ID theft and card data
Retailer customer accounts raided for payment details, backend databases
Businesses being attacked via their web front ends or by “spear phishing” to gain access to corporate networks. Industrial & state espionage, intellectual property theft, sabotage, financial fraud, etc.

Page 36

Things to come

Living in a digital world, expect the unexpected

Page 37

Richard Martin, Head of Innovation

UK [email protected]

www.banksafeonline.org.uk