Social Engineering in Banking Trojans: attacking the weakest link

Social Engineering is the art of obtaining confidential information by manipulating the people who hold it. The technique rests on the fact that human beings are the weakest link in a secure system, since somebody usually knows how to access it, and it is easier to manipulate a person than the system itself. Online banking is no exception: here the most vulnerable people are the users themselves, the banks' end clients, and the objective is to access their accounts. Cybercriminals apply Social Engineering through HTML Injections to deceive users and obtain their credentials. This presentation included a demo of detecting HTML Injections in web browsers.


  1. Social Engineering in Banking Trojans: Attacking the weakest link. Jose Miguel Esparza, Mikel Gastesi
  2. Agenda • Social Engineering?? • Social Engineering + Malware • HTML Injections • Underground Market • Solutions??
  3. Social Engineering?? • The art of… – …knowing how to handle people
  4. Social Engineering?? • …or how to manipulate them
  5. Social Engineering?? • …to achieve an objective – Information gathering – Buildings / rooms access – Power – Material possessions – Others: flirting, favors…
  6. Social Engineering?? • …to achieve an objective – Information gathering – Buildings / rooms access – Power – Material possessions – Others: flirting, favors (sexual or not)…
  7. Social Engineering?? • How? – Face to face – Phone / SMS – Mail – … • Used by – Politicians – Salesmen – Delinquents / fraudsters – You and me
  8. Social Engineering??
  9. Social Engineering?? • Take advantage of human nature – Feelings / emotions / state of mind – Behavior / personality
  10. Social Engineering?? • Take advantage of human nature – Feelings / emotions / state of mind • Sadness • Fear • Rancor • Embarrassment • Happiness • Love • Hope – Behavior / personality
  11. Social Engineering?? • Take advantage of human nature – Feelings / emotions / state of mind – Behavior / personality • Curiosity • Innocence • Honesty • Generosity • Gratitude • Avarice
  12. Social Engineering?? • Take advantage of human nature – Feelings / emotions / state of mind – Behavior / personality • Tendency to trust
  13. Social Engineering + Malware
  14. Ransomware
  15. Ransomware
  16. Ransomware
  17. Ransomware
  18. Fake Antivirus
  19. Banking Trojans • Images Overlapping • GUI Applications • Pharming • WebFakes • HTML Injections
  20. Banking Trojans • Images Overlapping • GUI Applications • Pharming • WebFakes • HTML Injections
  21. Banking Trojans • Images Overlapping • GUI Applications • Pharming • WebFakes • HTML Injections
  22. GUI Applications
  23. GUI Applications
  24. Banking Trojans • Images Overlapping • GUI Applications • Pharming • WebFakes • HTML Injections
  25. Banking Trojans • Images Overlapping • GUI Applications • Pharming • WebFakes → Phishing • HTML Injections
  26. Banking Trojans • Images Overlapping • GUI Applications • Pharming • WebFakes • HTML Injections
  27. HTML Injections
  28. HTML Injections
  29. HTML Injections vs. WebFakes
  30. Injections – How they work (I) • Trojan – Binary • Generic – Keylogging, form-grabbing, etc. – Stealing data silently – Configuration file • Specific targeting – Custom attacks on entities – User interaction
  31. Injections – How they work (II) • Configuration – Injecting where? – Injecting what? – Injecting when? • Flags: G, P, L
  32. Injections – How they work (III) 1. URI found? 2. Obtain webpage 3. Find starting mark 4. Injection 5. Copy from the ending mark 6. Obtain data thanks to form-grabbing
  33. Injections – How they work (IV)
  34. Authentication • ID + Password • 2FA: Virtual Keyboard, Code Card, OTP Token, SMS (mTAN)
  35. Bypassing Authentication • ID + Password + Operations Password
  36. Bypassing Authentication • Virtual Keyboard – Injection is not necessary here
  37. Bypassing Authentication • 2FA: Code Card
  38. Bypassing Authentication • 2FA: SMS – Deceive the user into infecting his mobile phone • Always after login • Security software simulation • Activation simulation • Profit from ignorance of the threat
  39. Bypassing Authentication • ZeuS + Mobile Component (I)
  40. Bypassing Authentication • ZeuS + Mobile Component (and II)
  41. Bypassing Authentication • SpyEye + Mobile Component (I)
  42. Bypassing Authentication • SpyEye + Mobile Component (and II)
  43. Bypassing Authentication • 2FA: Token – MitB attack → It is NOT Social Engineering • Mobile transfer warnings? – Let's play "Simon says…" Demo
  44. Affected countries
  45. Affected sectors
  46. Underground Market • Binaries Market • Injections Market – Standardized – Single Injections – Full-package
  47. Underground Market • Binaries Market • Injections Market – Standardized → ZeuS & co. / SpyEye – Single Injections – Full-package
  48. Underground Market • Binaries Market • Injections Market – Standardized – Single Injections • Per country and entity • 60 WMZ/LR (WebMoney / Liberty Reserve) • Package: 700-800 WMZ/LR • Update / Modification: 20 WMZ/LR – Full-package
  49. Underground Market
  50. Underground Market • Binaries Market • Injections Market – Standardized – Single Injections – Full-package • Botnet renting + injections • $400??
  51. Underground Market
  52. Underground Market • How do they create them? – Obtaining legit code from the banking pages – Injection creation – Testing
  53. Underground Market • How do they create them? – Obtaining legit code from the banking pages – Injection creation – Testing
  54. Underground Market • Obtaining legit code from the banking pages – Manual • Login + dumping pages
  55. Underground Market • Obtaining legit code from the banking pages – Automatic • Specific modules • Configuration file
  56. Underground Market • Obtaining legit code from the banking pages – Automatic • Specific modules – Tatanga • Configuration file
  57. Underground Market
  58. Underground Market
  59. Underground Market • Obtaining legit code from the banking pages – Automatic • Specific modules • Configuration files – ZeuS – SpyEye
  60. Underground Market
  61. Underground Market • How do they create them? – Obtaining legit code from the banking pages – Injection creation – Testing
  62. Underground Market • How do they create them? – Obtaining legit code from the banking pages – Injection creation → SOCIAL ENGINEERING!! – Testing
  63. Underground Market • How do they create them? – Obtaining legit code from the banking pages – Injection creation – Testing • Login • Screenshots • Video → Tatanga, Citadel
  64. Solutions?? • Detection / Prevention • Information / Trainings • Common sense
  65. Solutions?? • Detection / Prevention – Client • Check HTML structure (DOM) – Server • Additional parameters • Dynamic pages → Avoid locating injection point
  66. Solutions?? • Detection / Prevention
  67. Solutions?? • Detection / Prevention • Information / Trainings • Common sense
  68. Solutions?? • Detection / Prevention • Information / Trainings • Common sense
  69. Solutions?? • Detection / Prevention • Information / Trainings • Common sense…is not so common
  70. Conclusions • If the user can make a transfer, you will always be able to deceive him and change the destination of the money • How would you deceive the user by phone? Do it after the login, use a fake webpage, or even call him!
  71. Questions??
  72. Thanks!! Mikel Gastesi @mgastesi Jose Miguel Esparza @EternalTodo
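Slide 32 lists the steps an injection engine performs (match the URI, fetch the page, find the starting mark, inject, copy from the ending mark), and slide 65 proposes dynamic pages and additional server parameters so that the injection point cannot be located. The following added example, which is not code from the presentation or from any trojan, models those two steps as the plain string matching they are and shows why per-session markup defeats a rule written against static markup. The rule, bank URL, field names and form markup are all constructed for the example.

```python
import fnmatch
import secrets

# Constructed injection rule in the spirit of the configuration entries the
# slides describe: a URL pattern plus the text before and after the point where
# content would be spliced in. Everything here is hypothetical.
RULE = {
    "set_url": "https://bank.example/login*",
    "data_before": '<input type="password" name="password">',
    "data_after": "</form>",
}


def url_matches(pattern, url):
    """Step 1 of slide 32: does the visited URL match the rule's wildcard pattern?"""
    return fnmatch.fnmatchcase(url, pattern)


def locate_injection_point(page, data_before, data_after):
    """Steps 3 and 5 of slide 32: find the span between the starting and ending
    marks. Returns (start, end) offsets, or None when either mark is absent, in
    which case a rule keyed on these marks silently does nothing."""
    start = page.find(data_before)
    if start == -1:
        return None
    start += len(data_before)
    end = page.find(data_after, start)
    if end == -1:
        return None
    return (start, end)


def render_static_login_page():
    """Constructed login form whose markup is identical on every request."""
    return (
        '<form action="/login" method="post">'
        '<input type="text" name="userid">'
        '<input type="password" name="password">'
        '<input type="submit" value="Sign in">'
        "</form>"
    )


def render_dynamic_login_page(session_id):
    """Slide 65 countermeasure: the same form with per-session field names and a
    server-issued token the handler expects back. A mark copied from the static
    page no longer occurs, and a generic injection cannot know the extra
    parameter the server will require."""
    suffix = session_id[:8]
    return (
        '<form action="/login" method="post">'
        f'<input type="hidden" name="form_token" value="{session_id}">'
        f'<input type="text" name="userid_{suffix}">'
        f'<input type="password" name="password_{suffix}">'
        '<input type="submit" value="Sign in">'
        "</form>"
    )


def new_session_id():
    """Unpredictable per-session identifier (the server would also store it)."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    url = "https://bank.example/login?lang=en"
    print("rule applies to", url, "->", url_matches(RULE["set_url"], url))
    static = render_static_login_page()
    print("static page injection point:",
          locate_injection_point(static, RULE["data_before"], RULE["data_after"]))
    dynamic = render_dynamic_login_page(new_session_id())
    print("dynamic page injection point:",
          locate_injection_point(dynamic, RULE["data_before"], RULE["data_after"]))
```

Randomizing field names is only a raising of the bar: a rule can be rewritten against whatever stays constant, so the per-request token that the server validates on submission is the part that actually breaks a pre-packaged injection rather than merely mislocating it.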
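Slide 65 also names the client-side check: compare the HTML structure (DOM) the browser received with the structure the genuine page is known to have. The added example below is not the presentation's demo code; it applies that idea to the page source using Python's standard `html.parser`, with a constructed baseline for a hypothetical bank's login form and a constructed "injected" page that asks for the operations password and a mobile number, the two extra items slides 35 and 38 show trojans requesting. An injection has to add an input for each secret it wants the user to type, so unexpected form fields are the signal.

```python
from html.parser import HTMLParser

# Constructed baseline: the named data fields of the genuine login form. In a
# real deployment this comes from the bank's reference copy of the page, never
# from the page as received.
EXPECTED_LOGIN_FIELDS = {"userid", "password"}

# Constructed sample pages for a hypothetical bank.
GENUINE_PAGE = """
<form action="/login" method="post">
  <label>User ID <input type="text" name="userid"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="submit" value="Sign in">
</form>
"""

INJECTED_PAGE = """
<form action="/login" method="post">
  <label>User ID <input type="text" name="userid"></label>
  <label>Password <input type="password" name="password"></label>
  <label>Operations password <input type="password" name="opspassword"></label>
  <label>Mobile number <input type="text" name="mobile_number"></label>
  <input type="submit" value="Sign in">
</form>
"""

# Control types that carry no user data and are ignored when comparing structure.
NON_DATA_TYPES = {"submit", "button", "image", "reset"}


class FormFieldCollector(HTMLParser):
    """Record the named data fields of every <form> in the page, in document order."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one list of field names per form
        self._current = None   # field list of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # boolean attributes arrive as None
        if tag == "form":
            self._current = []
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("type", "text").lower() not in NON_DATA_TYPES and a.get("name"):
                self._current.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_form_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def audit_login_page(html, expected_fields=EXPECTED_LOGIN_FIELDS):
    """Compare the received page with the baseline and return a list of findings
    (empty when the structure matches)."""
    findings = []
    forms = extract_form_fields(html)
    if len(forms) != 1:
        findings.append(f"expected exactly one form, found {len(forms)}")
    for fields in forms:
        present = set(fields)
        for name in sorted(present - expected_fields):
            findings.append(f"unexpected field '{name}'")
        for name in sorted(expected_fields - present):
            findings.append(f"missing field '{name}'")
    return findings


if __name__ == "__main__":
    print("genuine :", audit_login_page(GENUINE_PAGE) or "clean")
    print("injected:", audit_login_page(INJECTED_PAGE))
```

The check belongs on data the trojan does not control: a script shipped inside the same page can be rewritten by the same injection, so in practice the comparison is done from a trusted component (a browser extension, a monitoring client or the bank's own back end comparing what was served with what came back) and the baseline is kept out of band.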
