Evolution of Remote Banking fraud Richard Martin Security Unit UK Payments Royal Holloway, 10 September 2011
UK Payments • Voice of the payments industry • Payment scheme management – we run the Payments Council, BACS, CHAPS, Faster Payments, cheques, cash… • Our schemes processed nearly 7 billion payments in 2009, with a value of £69 trillion (for comparison, UK GDP is around £2 trillion) • Protecting the integrity of UK payments systems • We are increasingly central to the UK anti-fraud effort
The world we live in • Internet is a major channel for banks and payments • Challenges • Internet is not secure • Customer PCs are not secure • But customers love it, and banks love it • So we need to address the challenges Source: UK Payments, 2011
What is being attacked? • Not the bank directly (so much) • The customer • Static authentication credentials & card details • “data that never changes” • And can therefore be stolen or given away • The customer’s equipment • Malware!
Part 1: Phishing Phishing attacks are becoming more sophisticated:
Phishing incidents – UK banks Total for 2010: 61,873 incidents Source: UK Payments 2011
Phishing – looking closer Source: UK Payments 2011
Standard Phishing life cycle Attacker Credential recovery/ storage SpamBot Phishing hosts (bots) Various DNS Tools – fast-flux etc.
Developments in Phishing • ADAPTIVE PHISHING • Sites designed to evade / confuse analysis • Phishing host serves up different sites depending on localisation and other factors • One site can: • Firefox with German language – redirect to German PayPal phishing site • IE with English language – redirects to English bank phish • Seamonkey – tries to install malware • Text browsers (often used by analysts) – Error 404 • Browser run within a VM (ditto) – Error 404
Developments in Phishing • LIVE PHISHING • Customer enticed to visit fake bank site as usual • All communications relayed by phishing site to bank site in real time • Payment / authentication requests injected / amended by attacker • Target: two-factor authentication
Phishing still here because… • It still works! Source: UK Payments 2004-2010
Some further reading • Dhamija (Harvard)& Tygar and Hearst (UC Berkley) http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf • Wu, Miller, Grafinkel (MIT Computer Science and Artificial Intelligence Lab) http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf • Jagatic, Johnson, Jakobsson, and Menczer (School of Informatics Indiana University, Bloomington) http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf Other good sources of research on people’s perception and acceptance of risk: Prof. A. John Maule (Leeds), Dr Angela Sasse (UCL), Hazel Lacohee (BT)
Part 2: Malware • Some names to remember: Torpig, Zeus (aka z-Bot, Sinowall),SpyEye, PSP2-BBB, Silent Banker, Yaludle, Bugat, Carberp, Silon… • Two factor authentication is now a target • Man In The Browser is the new Man In The Middle • Scripting: Automated payment injection • Controlled distribution: targeted, low infection numbers, quiet operation • They work but: • Difficult to industrialise • Their effect can be detected (odd GET and POST data, old/nonexistent fieldnames, unusual browser headers etc…) • They can be “broken”
Part 3: Money Mules • Bad guys use phishing and malware to gain access to accounts • But they need one more thing to get hold of the money: Mules • Mule = a friendly account, to which funds from a victim’s account can be transferred • Adverts in job websites, banner ads, printed newspapers… • We typically see 50-150 new fake companies set up each month • Fire and forget. They usually last for one transaction before the bank shuts down their account Job offer We have found your resume at Monster.com and would like to suggest you a "Transfer manager"vacancy. We have thoroughly studied your resume and are happy to inform you that your skills completely meet our requirements for this position. Our company buy, sell, and exchange digital currencies, like E-gold and E-bullion.
Put it all together – Online Banking Fraud Workflow Research & Development Collect Test Market Defraud Launder Credentials valid? Available funds? ID theft opportunities? Trade Credentials Build attack profile Transfer funds Money Transfer Intermediate destinations Professionals in place Recruit “mules” Check validity (no cops please! Build attack profile Funds out of system Proceeds distributed
Loss trends Net loss to banks from online banking fraud, 2004-11
Tactics and countermeasures • Strength in depth – the multi-layered approach • Identifying & protecting point of risk • Banks can also put a stronger lock on the front door (two-factor authentication) Increasing customer visibility Back-end detection Service controls Transaction authentication Log-on authentication
A stronger front door Multifactor authentication - what banks need to consider: • Millions of customers • Millions with several accounts • Cheap • Easy to use • Secure • Simples!
Functions Challenge/response Data signing OTP
The 2FA-effect RBS/NatWest 2fa mandatory Nationwide 2fa mandatory Barclays 2fa announced, Back-end controls introduced Barclays 2fa mandatory Source: UK Payments 2009
Attacking two-factor • Two factor remains technically very secure • Attackers circumvent by exploiting user uncertainty, because… • Customers remain vulnerable to social engineering – assumption of authority: “We have changed the process – you must do it this way now…” • Attacks seen elsewhere in the world for years (TANs, iTANs, OTP)
Socially Engineering EMV CAP In order to make payment ….. Beneficiary Acct = 1234678 Amount = £400.00 “Enter Ref” “Enter Amount” Passcode = 98765432 A further security check ….. Security Code 1 = 34265527 Security Code 2 = 315678 “Enter Ref” “Enter Amount” Passcode = 12736653 Becomes
Malware features - Carberp • Persistent storage in browser • Get account balance • Replace login button with a malicious version • Hide fraudulent transactions on statement display from user • Hide fraudulent logins from user • Amend transaction requests on the fly and hide from user • Installs a rogue Anti Virus app
Zeus • Probably the most significant identity theft malware in existence (but may be about to go into decline) • Nicely written, regularly updated, full technical support for customers • Targets two-factor authentication • Man in the browser, html injection, etc etc • Some banks using out of band authentication with mobile phones as a means of combating MITB. • Customers are sent a one-time passcode or a challenge via SMS or voice SMS intercept
Mobile phones for two-factor • Out of band authentication • Good in principle • Increases challenge of interception • Practical challenges: • Ensuring all customers have a phone • That it is switched on & in range • SMS delivery is not guaranteed or SLAd • Bringing other parties into the authentication loop - don’t ignore the risks • Attacks in Turkey, South Africa, Australia, Spain and UK • Account takeover, redirection of replacement SIMs • Phone call redirection • Malware on phones is now a reality
Calling Zeus SMS “Zitmo” • Zeus-infected victim as asked to provide their mobile model and number • SMS containing link to “a new security certificate” sent to phone • Victim clicks on link and malware installs • For Symbian devices, the bad guys obtained a genuine developer certificate, since revoked (but no OCSP!!). • Malware includes a cracked version of SMS Monitor. SMS traffic from known bank SMS numbers is intercepted and redirected to C&C • Incoming SMS from C&C number used to issue commands • Malware can create/delete entries in the phonebook • C&C was a UK number registered to Cable & Wireless Guernsey Ltd (Sure Telecom) MyBank Support
Zeus arrests • 11 Arrests in UK in September 2010 (mainly mules) • 38 in USA (ditto) • 5 in Ukraine (aha!) • Consequences: Zeus the subject of a “takeover” by SpyEye coder, with functionality to be migrated to SpyEye UK arrests USA arrests Ukraine arrests
Malware – what next? • Zeus/SpyEye merger probably a sign that the “Tier 1” bad guys have recognised that Zeus’ usefulness is nearing its end. • Dump and move on • Malware as a service emerging • Point and click malware kits
Further malware reading • Zeus tracker: https://zeustracker.abuse.ch/ • Spyeye tracker: https://spyeyetracker.abuse.ch/ • InfoWar Monitor: http://www.infowar-monitor.net • Malware Intelligence Blog: malwareint.blogspot.com • Contagio malware dump: contagiodump.blogspot.com • TrustDefender Labs blog: http://www.trustdefender.com/blog • F-Secure blog: http://www.f-secure.com/weblog • Brian Krebs : http://krebsonsecurity.com • Gary Warner blog: garwarner.blogspot.com
Where are the real vulnerabilities? • OS • 95% of customers use Windows – it’s the way it is • 90% of Windows installs ARE up to date Ubiquitous 3rd Party Software • 80% of Adobe Flash installs are NOT up to date • 84% of Adobe Acrobat installs are NOT up to date • “Trusted” software does not always act in the users’ best interests: some of the most popular iPhone games contain spyware
Banks are not the only fruit • As banks harden their defences, the attackers are turning to weaker targets • ALL online businesses are at risk • Facebook, Twitter, Myspace, LinkedIn etc. being raided for ID theft and card data • Retailer customer accounts raided for payment details, backend databases • Businesses being attacked via their web front ends or by “spear phishing” to gain access to corporate networks. Industrial & state espionage, intellectual property theft, sabotage, financial fraud, etc.
Things to come Living in a digital world, expect the unexpected
Richard Martin Head of Innovation UK Payments firstname.lastname@example.org www.banksafeonline.org.uk