Thomas Ralph Slides


  • 8/14/2019 Thomas Ralph Slides

    1/50

    FIRST 2007 - Seville

    Cyber Fraud Trends and Mitigation

    Verisign iDefense Security Intelligence Services

    Ralph Thomas - Malcode Operations Director

    June 21, 2007

  • Slide 2/50

  • Slide 3/50

    Traditional Phishing

    Diagram labels: Home User; Banking Web Server; Faked Banking Web Server (http://65.40.13.173:122/ unicaja.es .html)

  • Slide 4/50

    Traditional Phishing

    Diagram labels: Home User; Banking Web Server (https://www.unicaja.es); Faked Banking Web Server (http://65.40.13.173:122/ unicaja.es .html)

  • Slide 5/50

    Traditional Phishing

    Diagram labels: Home User; Banking Web Server (https://www.unicaja.es); Bad Guy

  • Slide 6/50

    Traditional Phishing

    + Measures against Phishing:

    Prevent users from being phished: EV certs, Passmark system, .bank TLD initiative

    Prevent stolen credentials from being misused: stronger authentication (2FA, nFA), fraud detection system

    + But of course: if you deploy 2FA the bad guys will steal your second factor!

  • Slide 7/50

    Phishing the second factor

  • Slide 8/50

    MetaFisher Overview

    Diagram labels: Home User; Banking Web Server; Initial Compromise: exploits WMF vulnerability, installs BHO in IE

  • Slide 9/50

    Browser Helper Objects

    Diagram labels: Home User; Initial Compromise: exploits WMF vulnerability, installs BHO in IE

    + DLL modules designed as a plug-in for Microsoft's IE to provide added functionality.

    + Introduced in October 1997

    + Loaded once by each new instance of Internet Explorer.

    + Loaded for each instance of the Windows File Explorer

    + Examples: Adobe Acrobat, Alexa Toolbar, Google Toolbar

    + The BHO API provides access to the Document Object Model (DOM)

    + No Reasonable Prevention

  • Slide 10/50

    Browser Help Object Add-on Manager

    Screenshot: XP SP2, IE, Tools > Manage Add-ons

  • Slide 11/50

    BHO Process Injection

    + Browser Help Object: METAFISHER 'Plugin' for Microsoft Internet Explorer

    Runs in the process space of IE

    Has complete control over what IE does

    SSL transfer is seen in cleartext by the BHO, so any sort of MITM attack is possible

    Every piece of information that is sent to the Internet or received from the net can be intercepted and modified; data integrity, confidentiality and accessibility are at risk

    BHO loaded into Internet Explorer:

    C:\> tasklist /M ipsec6mon.dll

    Image Name                PID    Modules
    ========================= ====== =======
    IEXPLORE.EXE              1632   ipsec6mon.dll

  • Slide 12/50

    Network Injection (Case Study)

    + HTML Injection and phishing against Spanish Banks: Metafisher

    The Metafisher Trojan is able to use HTML injection in a man-in-the-middle phishing attack against a list of Spanish banks that is supplied by the C&C server. At the time of this writing the following institutions are being targeted:

    Banco Bilbao Vizcaya Argentaria S.A. (bbvanet.com, bbvanetoffice.com)

    Caja de Ahorros y Monte de Piedad de Madrid (cajamadrid.es, cajamadridempresas.es)

    Montes de Piedad y Caja de Ahorros de Ronda Cadiz Almeria Malaga y Antequera (unicaja.es)

    Caixa D'Estalvis de Catalunya (caixacatalunya.es)

    Banco Espanol de Credito S.A. (banesto.es)

    Banco Popular Espanol S.A. (bancopopular.es)

    Deutsche Bank Sociedad Anonima Espanola (deutsche-bank.es)

  • Slide 13/50

    Network Injection (Case Study)

    + HTML injection and phishing against Spanish banks: Metafisher

  • Slide 14/50

    MetaFisher Overview

    Diagram labels: Home User; Banking Web Server; Initial Compromise: exploits WMF vulnerability, installs BHO in IE; FTP Drop Servers: unique directory name by country & computer

  • Slide 15/50

    MetaFisher Overview

    Diagram labels: Home User; Banking Web Server; Initial Compromise: exploits WMF vulnerability, installs BHO in IE; FTP Drop Servers: unique directory name by country & computer; Command and Control Servers: HTTP not IRC, obfuscated C&C commands

  • Slide 16/50

    MetaFisher Command & Control

    Diagram labels: Home User; Command and Control Servers: HTTP not IRC, obfuscated C&C commands

  • Slide 17/50

    MetaFisher Configuration Page - Bots

  • Slide 18/50

    MetaFisher Configuration Page - Exploits

  • Slide 19/50

    MetaFisher Configuration Page - Multiple Users

  • Slide 20/50

    MetaFisher Configuration Page - Zombies

  • Slide 21/50

    MetaFisher Configuration Page - FTP Login

  • Slide 22/50

    MetaFisher Configuration Page - TANS

    Transaction Numbers (TANs): One Time pads; Indexed TANs; Mobile TANs

  • Slide 23/50

  • Slide 24/50

    MetaFisher Configuration Page - Statistics


  • Slide 25/50

    MetaFisher Statistics


  • Slide 26/50

    MetaFisher Recent Developments

    Diagram labels: Home User; Initial Compromise: exploits WMF vulnerability, installs BHO in IE; FTP Drop Servers: unique directory name by country & computer; Command and Control Servers: HTTP not IRC, obfuscated C&C commands

    + Evidence of activity in the US

    + Evidence of Russian Business Network and Rock Phish

    + Auto-deposits for Sparkasse and Postbank ($3000)

    + American Express single sign-on modules

    + Disables Firefox

    + Trojan toolkit and Web server toolkit sold on Russian Underground ($6K)

  • Slide 27/50

    Metafisher for Sale!


  • Slide 28/50

    More Trojans (Russian Toolkits)

    + Metafisher/Agent.dq/BZub/Tanspy/Cimuz/Nurech

    + Torpig/Sinowal/Anserin

    + OrderGun/Gozi/Ursniff/Snifula/Zlobotka

    + Snatch

    + Corpse NuclearGrabber

    + Corpse A-311 Death (Haxdoor)

    + NetHell

    + VisualBriz

    + Apophis

    + Pinch/Xinch

    + Limbo

    + Power Grabber

    + 'Matryoshka'

    + 'Banker.CMB'

    + 'Developer'

  • Slide 29/50

    More Trojans (Russian Toolkits)


  • Slide 30/50

    New Tactics & Techniques

    + Key Logging: add trigger (e.g. application title)

    + Generic Form Grabbing: more selective to data being transferred by the user; add context (manage dump)

    + IE Stored Passwords and Auto-Complete Fields (!): the victim's life is stolen (MySpace, eMail, retailer); the fraudster sees the system behind the victim's usernames/passwords

    + Targeted Approaches: add more context (manage dump); circumvent specific security measures (virtual keypads, TANs); instant defraud (vs. collecting credentials)

  • Slide 31/50

    Recent Developments: Rogue ISPs

    AS    | IP             | CC | AS Name
    17992 | 203.223.159.78 | MY | AIMS-AP Applied Information Management Serv
    14361 | 209.160.64.214 | US | HOPONE-GLOBAL - HopOne Internet Corporation
    25532 | 217.16.27.160  | RU | MASTERHOST-AS .masterhost autonomous system
    40989 | 81.95.148.23   | RU | RBN-AS RBusiness Network
    2706  | 58.65.232.34   | HK | HKSUPER-HK-AP Pacific Internet (Hong Kong)

  • Slide 32/50

    One Time Password

  • Slide 33/50

    One Time Password

    Example scratch-pad list: ayvdh5zw, fjsbguiy, c3kwchi8, v85wv8v4, un2e5ie5, pfuiabim, tdsx8nnz, as6zs6cv, va92k3jm, qiai35vz

  • Slide 34/50

    One Time Passwords Do not Mitigate

    Diagram labels: Home User; Banking Web Server; Initial Compromise; BHO

  • Slide 35/50

    One Time Passwords Do not Mitigate

    Diagram labels: Home User; Initial Compromise; BHO captures account information and injects HTML locally; Error Message: "OTP is invalid, try another"

  • Slide 36/50

    One Time Passwords Do Not Mitigate

    Diagram labels: Home User; Banking Web Server; Initial Compromise; BHO; FTP Drop Servers

  • Slide 37/50

    Mitigation Techniques

    + Browser Help Object Management

    + Enterprise A/V Solutions

    + High Assurance Certificates

    + Fraud Detection

    + Authentication Schemes: One Time Passwords (scratch pads, TAN); Indexed One Time Passwords (iTAN); Timed One Time Passwords; Indexed Out of Band One Time Passwords (mTAN); Token Based Two Factor Authentication

  • Slide 38/50

    Indexed One Time Passwords Mitigate Some

    Diagram labels: Home User; Banking Web Server

  • Slide 39/50

    Indexed One Time Passwords Mitigate Some

    Diagram labels: Home User; Initial Compromise; BHO captures account information and injects HTML locally; Banking Web Server; Error Message: "OTP is invalid, try another"

  • Slide 40/50

    Indexed One Time Passwords Mitigate Some

    Diagram labels: Home User; Banking Web Server; BHO; FTP Drop Servers

  • Slide 41/50

    Mitigation Techniques

  • Slide 42/50

    Mitigation Techniques

    + Browser Help Object Management

    + Enterprise A/V Solutions

    + High Assurance Certificates

    + Fraud Detection

    + Authentication Schemes: One Time Passwords; Indexed One Time Passwords; Timed One Time Passwords; Indexed Out of Band One Time Passwords; Token Based Two Factor Authentication

  • Slide 43/50

    Indexed Out of Band One Time Passwords Complete Mitigation

    Diagram labels: Home User; Banking Web Server

  • Slide 44/50

    Mitigation Techniques

  • Slide 45/50

    Token Based Two Factor Authentication Some Mitigation

    Diagram labels: Home User; Initial Compromise; Banking Web Server; BHO captures token information and injects HTML locally; Error Message: "OTP is invalid, try another"

  • Slide 46/50

    Token Based Two Factor Authentication Some Mitigation

    Diagram labels: Home User; Banking Web Server; Second Bank; BHO

  • Slide 47/50

    Mitigation Techniques Verdict

    + Browser Help Object Management

    + Enterprise A/V Solutions

    + High Assurance Certificates

    + Fraud Detection

    + Authentication Schemes: One Time Passwords; Indexed One Time Passwords; Timed One Time Passwords; Indexed Out of Band One Time Passwords; Token Based Two Factor Authentication
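An added worked example (not code from the slides or from iDefense): a toy bank-side verifier for three of the scheme families on this list, used to check whether a code captured in the victim's own browser session, through the injected "OTP is invalid, try another" form of the earlier slides, also authorises a different transfer. Account names, amounts and the key are constructed, and the indexed and mobile TAN logic is a simplification of real deployments.

```python
import hmac

BANK_KEY = b"constructed-bank-side-key"  # placeholder, not a real key


class ScratchPadTan:
    """Plain OTP sheet: any unused code on the list is accepted."""
    def __init__(self, codes):
        self.unused = set(codes)

    def verify(self, code, **_):
        # Nothing ties the code to the transfer it authorises.
        if code in self.unused:
            self.unused.discard(code)
            return True
        return False

class IndexedTan:
    """iTAN: the bank demands the code at one specific index per transfer."""
    def __init__(self, codes):
        self.codes = list(codes)
        self.used = set()

    def verify(self, code, index, **_):
        # A captured code only helps if the bank asks for that index again.
        ok = index not in self.used and self.codes[index] == code
        if ok:
            self.used.add(index)
        return ok

class MobileTan:
    """mTAN: code derived from the transaction details, delivered out of band."""
    def issue(self, account, amount):
        msg = f"{account}:{amount}".encode()
        return hmac.new(BANK_KEY, msg, "sha256").hexdigest()[:6]

    def verify(self, code, account, amount):
        return hmac.compare_digest(code, self.issue(account, amount))

def replay_outcomes():
    """Does a code captured in the victim's session authorise a different transfer?"""
    sheet = ["ayvdh5zw", "fjsbguiy", "c3kwchi8"]  # codes shown on the OTP slide
    harvested = sheet[0]  # victim typed it into an injected 'OTP invalid' form
    legit = MobileTan().issue("VICTIM-ACCT", "100.00")  # for the victim's real transfer
    return {
        "scratch_pad": ScratchPadTan(sheet).verify(harvested),
        "itan_index_matches": IndexedTan(sheet).verify(harvested, index=0),
        "itan_index_differs": IndexedTan(sheet).verify(harvested, index=2),
        "mtan": MobileTan().verify(legit, account="MULE-ACCT", amount="3000.00"),
    }
```

The dictionary mirrors the verdict: the scratch-pad code is accepted outright, the indexed code is accepted only when the demanded index happens to match, and the out-of-band code issued for the victim's own transfer is rejected for any other account or amount.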


  • Slide 48/50

    Credit Card Fraud

  • Slide 49/50

  • Slide 50/50

    Q and A

    Ralph Thomas

    [email protected]

    VeriSign iDefense Security Intelligence Services