Thomas Ralph Slides

8/14/2019 Thomas Ralph Slides

1/50

FIRST 2007 - SevilleCyber Fraud Trends and Mitigation

Verisign iDefense Security Intelligence ServicesRalph Thomas - Malcode Operations Director

June 21, 2007


2/50


3/50

3

Traditional Phishing

Home

User

Banking Web Server

Faked BankingWeb Server

http://65.40.13.173:122/ unicaja.es .html


4/50

4


HomeUser

Banking Web Server

https://www.unicaja.es

Faked BankingWeb Server

http://65.40.13.173:122/ unicaja.es .html


5/50

5


HomeUser

Banking WebServer

Bad Guy

https://www.unicaja.es


6/50

6


+ Measures against Phishing: Prevent users from being phished

EV certs

Passmark system .bank TLD initiative Prevent stolen credentials from being misused

Stronger authentication (2FA, nFA)

Fraud detection system

+ But of course:

If you deploy 2FA the bad guys will steal your second factor!


7/50

7

Phishing the second factor


8/50

8

MetaFisher Overview

HomeUser

Banking WebServer

Exploits WMFVulnerability

Installs BHO in IE

InitialCompromise


9/50

9

Browser Helper Objects

HomeUser


Installs BHO in IE

InitialCompromise

+ DLL modules designed as a plug-in forMicrosoft's IE to provide added functionality.

+ Introduced in October 1997

+ Loaded once by each new instance of Internet Explorer.

+ Loaded for each instance of the WindowsFile Explorer

+ Examples: Adobe Acrobat, Alexa Toolbar,Google Toolbar

+ The BHO API provides access to theDocument Object Model (DOM)

+ No Reasonable Prevention

+ DLL modules designed as a plug-in forMicrosoft's IE to provide added functionality.

+ Introduced in October 1997

+ Loaded once by each new instance of Internet Explorer.

+ Loaded for each instance of the WindowsFile Explorer

+ Examples: Adobe Acrobat, Alexa Toolbar,Google Toolbar

+ The BHO API provides access to theDocument Object Model (DOM)

+ No Reasonable Prevention


10/50

10

Browser Help Object Add-on Manager

XP SP2

IE

Tools

MangeAdd-ons

XP SP2

IE

Tools

MangeAdd-ons


11/50

11

BHO Process Injection

+ Browser Help Object: METAFISHER 'Plugin' for Microsoft Internet Explorer Runs in the process space of IE Has complete control over what IE does SSL transfer is seen in cleartext by BHO any sort of MITM attack is possible every piece of information that is send to the internet or received from the net

can be intercepted and modified, data integrity, confidentiality and accessibility

are at risk

BHO loaded into Internet Explorer

C:\> tasklist /M ipsec6mon.dll

Image Name PID Modules========================= ====== =======

IEXPLORE.EXE 1632 ipsec6mon.dll


12/50

12

Network Injection (Case Study)

+ HTML Injection and phishing against Spanish Banks: Metafisher

The Metafisher Trojan is able to use HTML injection in a man-in-the-middle phishingattack against a list of Spanish banks that is supplied by the C&C server. At the time

of this writing the following institutions are being targeted:

Banco Bilbao Vizcaya Argentaria S.A. (bbvanet.com, bbvanetoffice.com) Caja de Ahorros y Monte de Piedad de Madrid (cajamadrid.es,

cajamadridempresas.es) Montes de Piedad y Caja de Ahorros de Ronda Cadiz Almeria Malaga y

Antequera (unicaja.es) Caixa D`Estalvis de Catalunya (caixacatalunya.es)

Banco Espanol de Credito S.A. (banesto.es) Banco Popular Espanol S.A. (bancopopular.es) Deutsche Bank Sociedad Anonima Espanola (deutsche-bank.es)


13/50

13

Network Injection (Case Study)

+ HTML injection and phishing against Spanish banks: Metafisher


14/50

14

MetaFisher Overview

HomeUser

Banking WebServer


Installs BHO in IE

Unique Directory Name by

Country & Computer

InitialCompromise

FTPDrop

Servers


15/50

15

MetaFisher Overview

HomeUser

Banking WebServer


Installs BHO in IE

HTTP not IRC

ObfuscatedC&CCommands

Unique Directory Name by

Country & Computer

InitialCompromise

FTPDrop

Servers

Command andControl Servers


16/50

16

MetaFisher Command & Control

HomeUser

HTTP not IRC


Command andControl Servers


17/50

17

MetaFisher Configuration Page - Bots


18/50

18

MetaFisher Configuration Page - Exploits


19/50

19

MetaFisher Configuration Page - Multiple Users


20/50

20

MetaFisher Configuration Page - Zombies


21/50

21

MetaFisher Configuration Page - FTP Login


22/50

22

MetaFisher Configuration Page - TANS

TransactionNumbers

(TAN)s

One Time pads

Indexed TANs

Mobile TANs

TransactionNumbers

(TAN)s

One Time pads

Indexed TANs

Mobile TANs


23/50

M Fi h C fi i P S i i


24/50

24

MetaFisher Configuration Page - Statistics

M Fi h S i i


25/50

25

MetaFisher Statistics

M t Fi h R t D l t


26/50

26

MetaFisher Recent Developments

Home User


Installs BHO in IE

HTTP not IRC


Unique Directory Name byCountry & Computer

Initial Compromise

FTP DropServers

Command and Control Servers+ Evidence of activity in the US

+ Evidence of Russian BusinessNetwork and Rock Phish

+ Auto-deposits for Sparkasse andPostbank ($3000)

+ American Express single Sign-onmodules

+ Disables Firefox

+ Trojan toolkit and Web server toolkitsold on Russian Underground ($6K)

M t fi h f S l !


27/50

27

Metafisher for Sale!

More Trojans (Russian Toolkits)


28/50

28


+ Metafisher/Agent.dq/BZub/Tanspy/Cimuz/Nurech

+ Torpig/Sinowal/Anserin

+ OrderGun/Gozi/Ursniff/Snifula/Zlobotka

+ Snatch

+ Corpse NuclearGrabber + Corpse A-311 Death (Haxdoor)

+ NetHell

+ VisualBriz

+ Apophis

+ Pinch/Xinch

+ Limbo

+ Power Grabber

+ 'Matryoshka'

+ 'Banker.CMB'

+ 'Developer'



29/50

29


New Tactics & Techniques


30/50

30

New Tactics & Techniques

+ Key Logging Add trigger (e.g. application title)

+ Generic Form Grabbing More selective to data being transferred by user Add context ( manage dump)

+ IE Stored Passwords and Auto-Complete Fields (!)

Victim's life is stolen: MySpace, eMail, Retailer, Fraudster sees systematic behind usernames/passwords

+ Targeted Approaches Add more context ( manage dump) Circumvent specific security measures

virtual keypads, TANs, instant defraud (vs. collecting credentials)

Recent Developments 'Rogue' ISPs


31/50

31

Recent Developments Rogue ISPs

AS | IP | CC | AS Name

17992 | 203.223.159.78 | MY | AIMS-AP Applied Information Management Serv

14361 | 209.160.64.214 | US | HOPONE-GLOBAL - HopOne Internet Corporation

25532 | 217.16.27.160 | RU | MASTERHOST-AS .masterhost autonomous system

40989 | 81.95.148.23 | RU | RBN-AS RBusiness Network

2706 | 58.65.232.34 | HK | HKSUPER-HK-AP Pacific Internet (Hong Kong)


32/50

One Time Password


33/50

33

One Time Password

ayvdh5zw

fjsbguiy

c3kwchi8

v85wv8v4

un2e5ie5pfuiabim

tdsx8nnz

as6zs6cv

va92k3jm

qiai35vz

One Time Passwords Do not Mitigate


34/50

34


HomeUser

Banking WebServer

InitialCompromise

BHO



35/50

35


HomeUser

InitialCompromise

Captures Account Information

Inject HTMLLocally

BHO

Error Message: OTP is invalid try another

One Time Passwords Do Not Mitigate


36/50

36

One Time Passwords Do Not Mitigate

HomeUser

Banking WebServer

InitialCompromise

FTPDrop

ServersBHO

Mitigation Techniques


37/50

37

t gat o ec ques

+ Browser Help Object Management

+ Enterprise A/V Solutions

+ High Assurance Certificates

+ Fraud Detection

+ Authentication Schemes One Time Passwords (scratch pads, TAN) Indexed One Time Passwords (iTAN) Timed One Time Passwords Indexed Out of Band One Time Passwords (mTAN)

Token Based Two Factor Authentication

Indexed One Time Passwords Mitigate Some


38/50

38

HomeUser

Banking WebServer



39/50

39

HomeUser

InitialCompromise

Inject HTMLLocally

BHO

Banking WebServer

CapturesAccountInformation

Inject HTMLLocally

Error Message: OTPis invalid tryanother



40/50

40

HomeUser

Banking WebServer

FTPDrop

ServersBHO



41/50

41

g q




+ Fraud Detection

+ Authentication Schemes One Time Passwords (scratch pads, TAN) Indexed One Time Passwords (iTAN) Timed One Time Passwords Indexed Out of Band One Time Passwords (mTAN)




42/50

42




+ Fraud Detection

+ Authentication Schemes One Time Passwords Indexed One Time Passwords Timed One Time Passwords Indexed Out of Band One Time Passwords


Indexed Out of Band One Time Passwords Complete Mitigation


43/50

43

HomeUser

Banking WebServer



44/50

44




+ Fraud Detection



Token Based Two Factor Authentication Some Mitigation


45/50

45

HomeUser

InitialCompromise

Banking WebServer

BHO

CapturesTokenInformation

Inject HTMLLocally

Error Message: OTPis invalid tryanother

Token Based Two Factor Authentication Some Mitigation


46/50

46

HomeUser Banking Web

Server

Second

Bank

BHO

Mitigation Techniques Verdict


47/50

47

+ Browser Help Object Management+ Enterprise A/V Solutions


+ Fraud Detection



Credit Card Fraud


48/50

48

Credit Card Fraud


49/50

49


50/50

Q and A

Ralph Thomas

[email protected]

VeriSign iDefense Security Intelligence Services

Documents

Thomas Ralph Slides