Cybercrime has always been a major challenge, not only for enterprises but also for national governments across the world. New techniques, new tactics and new threat vectors keep emerging in this space. The author explains some of the most damaging attack methods and toolkits that today's attackers are adopting.
Talk to any system administrator, IT manager or CIO, and it becomes apparent that security is a big deal. Looking at the statistics and the cases in the news, it is easy to see why many organizations are paralyzed with fear when it comes to securing their systems. Most of these attacks are not isolated incidents; they are the work of organized criminals preying on weak system security and on the good nature of people.
In mid-July, a gang of scam artists succeeded in stealing more than $447,000 from a construction company by using Trojan software installed on users' machines without their knowledge. The Trojans let the crooks initiate a large batch of transfers from the company's online bank account to 39 "money mules".
Launching such an attack is not difficult. Malware-building toolkits such as Turkojan, BitTera.C, Wormer and YfakeCreator make it extremely simple for aspiring attackers to get into the game and distribute fairly complex malware with very little technical acumen. Turkojan can be bought online for as little as $99 and comes in bronze, silver and platinum editions, with a replacement warranty if it gets detected by an antivirus product!
With security reaching a critical point, what can you do to stop your users, your partners and your internal employees from falling prey to cybercrime? To understand the solutions, let us look at how organized cybercrime has evolved and at the mechanisms the criminals use.
Phishing
Phishing and its variants, Smishing (SMS phishing), Vishing (VoIP phishing), Pharming (traffic redirection) and Chat-in-the-Middle, are all ways to acquire confidential data such as usernames, passwords and credit card details by masquerading as a trustworthy entity. The data is then sold in underground online forums (such as DarkMarket, which has since been shut down), where criminals buy and sell personal data for anything from Rs 30 to Rs 50,000 per credential. Attackers who buy this data use the credentials to log on to the online application (internet banking, for example) and transfer funds to "money mules". Money mules are accomplices of the attackers who receive the transfers and pass the money on to the criminals in return for a commission.
Ineffective anti-phishing toolbars
A recent test of best-of-breed Web browser anti-phishing filters by Cyveillance found that more than half of the active malware and phishing threats on the Internet go undetected, with an average detection rate of 42 percent for phishing.
Fight phishing using 2FA
One of the most effective methods of combating phishing is two-factor authentication (2FA). 2FA using one-time passwords (OTPs) undermines the way the underground economy works: a stolen credential is only worth something if it can still be used later. Users of the online application are given a token (a piece of hardware or software) that generates OTPs, and they are prompted to enter the current OTP along with their static username and password. An OTP has a short life span and is accepted only once. So even if attackers acquire the credentials through a phishing attack, they cannot log on to the internet banking account afterwards, because by then the captured OTP has expired or has already been used. (The exception is an attacker who uses the credentials in real time, which the Man-in-the-Middle section below addresses.)
Since hardware tokens are expensive to procure, distribute, manage and replace, banks are now rolling out software tokens that can be installed on devices such as laptops, mobile phones, PDAs and BlackBerrys. This gives a cost-effective and highly scalable solution, with one caveat a practitioner should keep in mind: a software token that runs on the same machine the user transacts from is exposed to whatever malware is on that machine, so it is strongest on a separate device.
Out-of-band authentication using SMS is another cost-effective option that needs no software token at all. Users simply log in to their application (a VPN, online banking, web mail and so on) with their username and password, and instantly receive an SMS containing the OTP. They type the OTP into the application to complete authentication. Because the second factor is delivered out-of-band over the telephone network, an attacker who has only captured the web session does not see it. Out-of-band authentication not only blocks unauthorized logins and transactions; an unexpected OTP message also tells the user immediately that their credentials have been compromised and that an attack is in progress.
Building on the OATH standards (HOTP, RFC 4226, and its time-based variant TOTP) further ensures that a company's 2FA offering is future-proof and not locked into a single token vendor.
In internet banking, OTP-based 2FA is used extensively at logon, for transactions such as funds transfers, and even when adding a beneficiary account as a payee. The presence of the second factor (phone or token) provides evidence that it is the user, and not an attacker holding stolen credentials, who is performing the transaction.
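As an added worked example (not PortWise code, and not code from the original article), the following Python implements the OATH HOTP algorithm the section refers to and a minimal server-side verifier, then replays the phishing scenario: the phisher harvests the username, password and OTP, but by the time the stolen OTP is tried the genuine user has already consumed it. The secret is the RFC 4226 test-vector key and the look-ahead window of 5 is an assumed policy value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user's token (illustrative only).

    The server remembers the next counter it expects and accepts a code only
    if it matches one of the next `window` counters (the window absorbs codes
    the user generated but never submitted). Once a counter is consumed, it
    and every earlier counter are rejected forever: that is what makes the
    password one-time.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        if not (code.isascii() and code.isdigit()):
            return False
        for counter in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.next_counter = counter + 1  # resync and burn this counter
                return True
        return False


def phishing_replay_demo() -> dict:
    """The page's scenario: the phishing site captures the OTP the user typed,
    but the attacker only tries it after the user has used it on the real site."""
    secret = b"12345678901234567890"            # RFC 4226 test-vector key (constructed demo)
    server = HotpVerifier(secret)
    captured_otp = hotp(secret, 0)               # what the phishing page harvested
    user_login = server.verify(captured_otp)     # genuine user logs in first
    attacker_login = server.verify(captured_otp) # phisher replays the same OTP later
    return {"otp": captured_otp, "user": user_login, "attacker": attacker_login}


if __name__ == "__main__":
    print(phishing_replay_demo())  # {'otp': '755224', 'user': True, 'attacker': False}
```

TOTP, the "short life span" variant, is the same computation with the counter replaced by the number of 30-second periods since the Unix epoch, so an expired code fails for the same reason a consumed one does: the server never recomputes that counter again.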
Man-in-the-Middle (MITM)
An MITM attacker puts up a fraudulent bank website and entices a user to it. The fraudulent site relays the user's credentials, including the OTP, to the legitimate site in real time, and it is the attacker's session that ends up authenticated. Because the relay happens inside the OTP's validity window, an OTP that only proves who is logging in does not help: it was genuinely entered by the user, just through the attacker.
Figure 1
Man-in-the-Browser (MITB)
A more lethal variation of MITM is the Man-in-the-Browser (MITB) attack. The attacker installs a Trojan on the user's computer that can intercept and interact with the user's online transactions in real time. Unlike a phishing attack, an MITB attack needs no lure: it triggers simply when the user types the bank's genuine URL into the browser or opens a stored bookmark. One such Trojan, which targeted nearly 400 banks worldwide, is SilentBanker.
Figure 2
When the Trojan sees a page load that matches a pattern in its target list (for example https://secure.bank.site/account/do_transaction), it activates. When the user submits the transaction, the Trojan silently modifies the transaction values, typically changing the destination account number to one the attacker controls. The browser sends the modified values to the server, which has no way to tell them apart from what the user originally entered. The server performs the transaction and returns a receipt; the Trojan then rewrites the receipt so that it shows the original values the user entered. The user believes the transaction reached the server intact and was authorized correctly.
Some MITB Trojans can also harvest missing information from unsuspecting customers. If the attackers lack a piece of information they need to complete a transaction, the Trojan injects extra HTML into the authorization page asking the user for it.
The Trojan hijacks an already authenticated session and operates after authentication, on the transaction itself, so any two-factor authentication or one-time password mechanism that only protects logon is insufficient against MITB. Because the Trojan sits inside the browser, it sees the form data before SSL encrypts it; the fact that the transaction travels over SSL changes nothing.
Transaction Signing
One of the most effective methods of combating MITM, MITB and similar session-hijacking attacks is to sign transactions. Until recently, the only way to sign transactions digitally was with an expensive and complicated PKI (Public Key Infrastructure). Now there are technologies that sign transactions using software tokens.
Figure 3
With transaction-signing tokens, the user enters the transaction data (for instance beneficiary account and amount) into the token, which generates a signature over exactly those values; the user then enters the signature into the online application. The server processes the transaction only if the signature matches the values it actually received.
This prevents Man-in-the-Middle and Man-in-the-Browser attacks because the signature is bound to the specific transaction the client signed: an attacker who changes the beneficiary invalidates it, and one who relays it unchanged merely delivers the payment the user intended. The same signature can also serve as evidence for non-repudiation. The protection depends on the values being keyed into something the Trojan cannot alter, so a token should display what it is signing and, ideally, run on a separate device from the browser.
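The following Python is an added example, not code from the article or from any vendor, that carries the MITB scenario above through to the transaction-signing check. It assumes an OATH-style token design: an HMAC-SHA256 over a per-transaction counter plus a canonical encoding of the beneficiary, amount and currency, truncated to an eight-digit code the user can type. The field names, the per-user seed and the window of 5 are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Fixed field order so the token and the server hash identical bytes.
FIELDS = ("beneficiary", "amount", "currency")


def canonical(tx: dict) -> bytes:
    return "|".join(f"{k}={tx[k]}" for k in FIELDS).encode()


def sign_transaction(secret: bytes, counter: int, tx: dict, digits: int = 8) -> str:
    """What the token computes from the values the user keys into it:
    HMAC over (counter || canonical transaction), truncated OATH-style."""
    msg = struct.pack(">Q", counter) + canonical(tx)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class BankServer:
    """Server side: executes a transfer only if the signature matches the
    values actually received, for a not-yet-used counter in a small window."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.next_counter = 0
        self.ledger = []  # transfers that were really executed

    def submit(self, tx: dict, signature: str) -> str:
        for counter in range(self.next_counter, self.next_counter + self.window):
            expected = sign_transaction(self.secret, counter, tx)
            if hmac.compare_digest(expected, signature):
                self.next_counter = counter + 1  # burn the counter: no replay
                self.ledger.append(dict(tx))
                return "accepted"
        return "rejected: signature does not match transaction values"


def mitb_demo() -> dict:
    secret = b"per-user token seed (constructed demo value)"
    server = BankServer(secret)

    # The user keys the intended transfer into the token and reads off a signature.
    intended = {"beneficiary": "IN0001234567", "amount": "5000.00", "currency": "INR"}
    signature = sign_transaction(secret, 0, intended)

    # The MITB Trojan rewrites the beneficiary in the browser. It cannot
    # recompute the signature: the token secret never passed through the browser.
    tampered = dict(intended, beneficiary="IN0009999999")
    mitb_result = server.submit(tampered, signature)

    # Delivered unchanged (as a real-time MITM relay would), the transfer goes
    # to the account the user intended; submitting the same signature again fails.
    honest_result = server.submit(intended, signature)
    replay_result = server.submit(intended, signature)

    return {"mitb": mitb_result, "honest": honest_result,
            "replay": replay_result, "executed": server.ledger}


if __name__ == "__main__":
    print(mitb_demo())
```

The server verifies by recomputing the signature over the values it received, so the check fails on any field the Trojan touched without the server needing to know what the user originally typed.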
Malware
Malware is a general term covering any type of malicious, unwanted software (worms, Trojans, spyware, adware and so on) and is where the sophistication of cybercrime attacks shows most clearly. Some malware is downloaded inadvertently by users visiting illegitimate sites, but recent research shows that upwards of 70% of websites serving malware are actually legitimate sites that have been compromised! An antivirus vendor recently detected over 250 malware programs masquerading as security software that were downloaded 43 million times between July 2008 and June 2009.
Some malware (Zeus, for example) lets the attackers alter the display of a bank's login page while the victim is entering credentials. When the victim submits the one-time password along with the username and password, the malware can make the browser show a counterfeit page (still with the bank's domain name in the URL bar) stating that the site is down for maintenance and asking the user to try again in 15 minutes. Meanwhile the credentials and the still-valid OTP are not submitted to the bank but sent to the attackers, who use them before the OTP expires.
Another cybergang stole 300,000 Euro from German bank accounts protected by two-factor authentication, using the well-known commercial-grade LuckySploit crimeware toolkit. The URLZone bank Trojan was installed on victims' machines through their browsers and was used to receive instructions and to control the transfer of money from the victims' accounts, via money mules, to the gang. URLZone used various techniques to stay under the radar of common anti-fraud systems.
End-Point Assessment – Protection against Malware
The surest way to stop a Trojan from stealing credentials is to make sure the user's computer has no such Trojan installed. Some vendors provide an End-Point Security Assessment module that checks the user's machine for any number of threats, including viruses, spyware and Trojans, before any access is granted. End-Point Security Assessment can also make sure that antivirus software is installed, up to date and active. It can check network configuration settings (IP address, open ports, domain and registry settings) and confirm that the latest operating system and security patches are installed. It can also examine the browser to ensure it has not been tampered with by a Trojan, and remove downloaded files, URL history, cache and temporary files from the device when the session ends. One caveat: an already-compromised endpoint can lie to the assessment agent, so its result should be treated as a risk signal that feeds the access policy, not as a guarantee that the machine is clean.
Figure 4
By defining different policies, an organization can grant different levels of access depending on how much trust it places in a particular device. For instance, a user on a high-risk device gets only view-level access to internet banking, while a user on a low-risk device is allowed to carry out transactions such as funds transfers.
Conclusion
Cybercriminals will keep targeting online applications and reaching new levels of sophistication in their attacks. They refine their methods and search for new ways to maximize their illegal profit while minimizing their chance of detection. The most robust defence is the three-pronged strategy described here: two-factor authentication to protect logon, transaction signing to protect the transaction itself, and endpoint security assessment to gauge how far the user's device can be trusted.
By: Tejas Lagad, Director – Product Management, BFSI at PortWise.