HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And Exciting Ways To Steal Your Cash

  1. Money Is In The Eye Of The Beholder: New And Exciting Ways To Steal Your Cash. Yuval Vadim Polevoy – Hackito Ergo Sum 2011
  2. Agenda
     • A bit of nostalgia
     • Listening to the wind of change
     • Fraudsters going brutal
     • Security industry catching up
     • Fraudsters prepare to take the next leap
  3. Geek Viruses
     • My virus beats your virus!
     • Naïve exploitation of poorly written systems
     • Fun oriented
     • Developed by "Basement Dwellers" in their spare time
     • No financial gain
  4. Business Viruses – Brave New World
     • Fun turns to profit
     • Financially oriented: Clickers, Espionage, Ransomware, Financial Crimeware
     • Developed by underground companies as fully commercial software
  5. Financial Crimeware. Basic idea:
     • Obtain login credentials
     • "Keep it secret – keep it safe!" – Gandalf the Grey
     • Log in using stolen data
     • Buy / sell stocks
     • Pay your bills
     • Transfer some cash to your grandma
  6. Getting From A to B: Phishing, Pharming
  7. Getting From A to B: Phishing, Pharming
  8. Getting From A to B: Phishing, Pharming
  9. Getting From A to B - cont: Field injection
  10. Getting From A to B - cont: Field injection
  11. Simple, right? WRONG! Detection:
     • Each action is logged
     • Bills have names
     • And so do bank accounts
  12. Simple, right? WRONG! Prevention:
     • User profiling
     • Device profiling
     • Timing tests
     • Geo positioning
     • Two-factor authentication
     • Drop-point shutdown
  13. Simple, right? WRONG! Technology:
     • Bot
     • Infecting the correct victims
     • Obtaining and maintaining a drop-point: DNS, storage, uptime
  14. War it is!
     • Small transfers
     • Short-distance transfers – branch and/or location
     • Mules
     • Bullet-proof hosting
     • SOCKS
     • Fast-flux
  15. Mules
     • Unsuspecting 3rd party doing the dirty work
     • Set up a phony company webpage
     • Hire people to "cash out" the stolen money: either transfer cash via cash wiring services etc., OR buy goods and ship them over, OR log in to online gambling sites and "lose"
  16. Mules - cont
     • Mules cannot be punished
     • Two-step plan for successful "cashing out": have more mules than bots; come up with a creative and untraceable way to transfer cash / goods
  17. Mules - cont: 1,925 applied
  18. Mules - cont
  19. Mules - cont
  20. Two-Factor Authentication
     • First secret considered to be compromised
     • Second secret on a decoupled medium
     • Internet math: User knows it + User has Trojan = I know it!
     • I, for one, welcome our new Man-In-The-Browser (MITB) overlords
  21. MITB Usage
     • Spot a user-initiated money transfer
     • Replace the destination bank account with your account / mule's account
     • Sit back and let the user do all the authentication for you (have a beer!)
  22. MITB Advanced Usage
     • Spot a user-requested history view
     • Replace "hijacked" transfers with their original destination
     • Open an iframe in the background and initiate money transfers on your own; if two-factor authentication is encountered, relay it to the user
  23. Operation Overview
     • Bot
     • Infection campaign
     • Drop-point
     • Bot plugins
     • Hiring mules
     • Managing mules
     • Establishing covert channels for "cashing out"
     • Maintaining fast-flux (optional)
  24. Required Skill Set
     • Low-level programmer
     • Spammer / 0-day researcher
     • Hosting owner
     • JavaScript programmer
     • HR recruiter
     • E-commerce expert
     • IT specialist (optional)
     Simple, right?
  25. War it is, Take II: Security industry catching up
     • Keyboard sniffers are tackled with virtual on-screen keyboards
     • MITB getting a lot of attention: obfuscating documents to prevent HTML injections; high-logic tests to determine the origin of the request
  26. Divide and Conquer
     • Obviously not a one-man gig
     • Function-based approach (or is it "outsourcing"?)
     • A multi-stage cross-border sting operation. Now hiring: VP of Operations for an international money-stealing venture
     • In Soviet Russia, criminals cyber you: the Al Capone of the Digital Age
  27. Criminals Cyber You
  28. Outsourcing Bots
  29. Outsourcing Drop Points
  30. Fraud "Customer Care"
  31. Screen, the Final Frontier
  32. Screen, the Final Frontier
  33. Russ ZeuS Hamilton
     • A wide range of online games where "seeing" the opponent's screen guarantees winning; a subset of these involves real-money gambling
     • The other side doesn't know you're cheating: the perfect theft! (in case you keep a low profile, of course)
     • Also takes care of virtual keyboards!
  34. Screen Scraping
     • More than one way to get it done; which way to protect?
     • Cannot be hermetically monitored
     • No attention: various programs use screen capturing to display advanced visual effects
     • The new cat-and-mouse game
  35. Screen Scraping POC
  36. Final Thoughts
  37. Thank you!
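The prevention checks on slide 12 (user profiling, device profiling, timing tests, geo positioning) and the "small transfers" evasion on slide 14 can be illustrated with a toy bank-side risk scorer. This is an added example, not code from the talk; the profile, the session events and the thresholds are all constructed and hypothetical.

```python
# Added example (not from the talk): a toy risk scorer that applies the
# slide-12 prevention checks plus a "burst of new beneficiaries" rule to
# constructed transfer events from one online-banking session.

# Constructed profile of one customer: known payees, known devices, home
# country and a hypothetical typical transfer size.
PROFILE = {
    "known_beneficiaries": {"ACC-RENT", "ACC-UTILITY"},
    "known_devices": {"dev-laptop-1"},
    "home_country": "FR",
    "typical_amount": 120.0,
}

# Constructed session events, in order:
# (device fingerprint, country, beneficiary, amount, seconds from page load to submit).
# The first is the customer's rent; the next three are small, rapid
# transfers to previously unseen accounts, the pattern slide 14 describes.
EVENTS = [
    ("dev-laptop-1", "FR", "ACC-RENT", 650.0, 42),
    ("dev-laptop-1", "FR", "ACC-MULE-01", 95.0, 3),
    ("dev-laptop-1", "FR", "ACC-MULE-02", 90.0, 2),
    ("dev-laptop-1", "FR", "ACC-MULE-03", 98.0, 2),
]

def score_transfer(event, profile, new_beneficiaries_so_far):
    """Return (score, reasons) for one transfer; a higher score is more suspicious."""
    device, country, beneficiary, amount, submit_secs = event
    reasons = []
    if device not in profile["known_devices"]:
        reasons.append("unknown device")                       # device profiling
    if country != profile["home_country"]:
        reasons.append("unexpected geo")                       # geo positioning
    if beneficiary not in profile["known_beneficiaries"]:
        reasons.append("new beneficiary")                      # user profiling
        if submit_secs < 5:
            reasons.append("form submitted too fast for a human")  # timing test
        if new_beneficiaries_so_far >= 2:
            reasons.append("burst of new beneficiaries")       # mule fan-out
    if amount > 3 * profile["typical_amount"]:
        reasons.append("amount above profile")
    return len(reasons), reasons

def review_session(events, profile, threshold=2):
    """Score events in order, counting new payees seen so far in the session."""
    flagged, new_seen = [], 0
    for ev in events:
        score, reasons = score_transfer(ev, profile, new_seen)
        if ev[2] not in profile["known_beneficiaries"]:
            new_seen += 1
        if score >= threshold:
            flagged.append((ev[2], score, reasons))
    return flagged
```

Note that the three mule transfers stay below the amount threshold; they are caught by the behavioural checks, which is the point of combining several signals rather than relying on amount alone.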
