Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Banking Fraud Evolution

3,049 views

Published on

SOURCE Seattle 2011 - Jose Miguel Esparza

Published in: Technology, Business
  • Be the first to comment

Banking Fraud Evolution

  1. 1. [ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
  2. 2. [ Agenda ]• Banking trojans• Tatanga: a new actor emerges• Anatomy of an e-banking fraud incident• The eternal game of cat and mouse• Real e-banking fraud incidents• Conclusions
  3. 3. [ Banking trojans ]• …• ZeuS• Sinowal (Torpig)• Gozi• SpyEye• Carberp• Feodo• …
  4. 4. [ Banking trojans ] Source: abuse.ch
  5. 5. [ Banking trojans ]• Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
  6. 6. [ Banking trojans ]• Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
  7. 7. [ Banking trojans ]• Binaries functionalities – Screenshots – Capture virtual keyboards Information theft – Credentials theft – Certificates theft – System corruption (KillOS)
  8. 8. [ Tatanga ]• Discovered by S21sec in February 2011• Very low detection• MarioForever (2008) evolution?• C++• No packers• Modular design• Anti-VM, anti-debugging• 64bits support
  9. 9. [ Tatanga ]• Proxys to distribute binaries• Weak encrypted communication with C&C• HTML injection• Man in the Browser• Records video!!
  10. 10. [ Tatanga ]• Proxys to distribute binaries• Weak encrypted communication with C&C• HTML injection• Man in the Browser• Records video!!
  11. 11. [ Tatanga ]• Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
  12. 12. [ Tatanga ]• Modules: XOR + BZIP2 – ModMalwareRemover
  13. 13. [ Tatanga ]• Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
  14. 14. [ Tatanga ]• Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer –…
  15. 15. [ Tatanga ]
  16. 16. [ Tatanga ]
  17. 17. [ Tatanga ]
  18. 18. [ Tatanga ]
  19. 19. [ Tatanga ]
  20. 20. [ Tatanga ]
  21. 21. [ Tatanga ]
  22. 22. [ Tatanga ]
  23. 23. [ Tatanga ]
  24. 24. [ Anatomy of an e-fraud incident ]• Infection• Configuration file update/download• Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing…• Banking credentials theft
  25. 25. [ Anatomy of an e-fraud incident ]• Account spying – Manual / Automatic – Getting balance to choose the victim• Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB)• Money laundering
  26. 26. [ The game of cat and mouse ] Virtual keyboard Code cardID + Password 2FA OTP Token SMS : mTAN
  27. 27. [ The game of cat and mouse ]Virtual keyboard screen/video capturing…
  28. 28. [ The game of cat and mouse ]Code card pharming, phishing, injection…
  29. 29. [ The game of cat and mouse ]Token mTAN …MITM, code injection
  30. 30. [ The game of cat and mouse ] SCREEN-CAPTURING Virtual keyboard PHARMING PHISHINGKEYLOGGING Code cardID + Password MITM FORM GRABBING OTP Token CODE INJECTION SMS : mTAN
  31. 31. [ Real e-banking fraud incidents ]• SpyEye MitB, October 2010• Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
  32. 32. [ Real e-banking fraud incidents ]• Tatanga MitB, February 2011• Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
  33. 33. [ Real e-banking fraud incidents ]• Tatanga MitB, February 2011
  34. 34. [ Real e-banking fraud incidents ]• ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
  35. 35. [ ZeuS Man in the Mobile ]
  36. 36. [ ZeuS Man in the Mobile ]Each day we try to improve your security. Lately we havenoticed many mobile SIM cloning attacks that result infraudulent transfers. Due to the increase of these incidents,we have implemented a new mobile identification method,using a digital certificate. The certificate works insmartphones and is an additional method of protection.This application ensures that only you can access youronline account.Please click here to start the installation
  37. 37. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  38. 38. [ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
  39. 39. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  40. 40. [ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
  41. 41. [ ZeuS Man in the Mobile ] Spoofed SMS Sender IDID Token (remember this for later!)
  42. 42. [ ZeuS Man in the Mobile ]Serial Number:BF43000100230353FF79159EF3B3Revocation Date:Sep 28 08:26:26 2010 GMTSerial Number:61F1000100235BC2794380405E52Revocation Date:Sep 28 08:26:26 2010 GMT
  43. 43. [ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
  44. 44. [ ZeuS Man in the Mobile ] Spoofed SMS Sender IDID Token (rememberthis for later! It isimportant) …sent to a UK mobile phone.
  45. 45. [ ZeuS Man in the Mobile ]ON / OFFSET ADMINADD SENDER ALLREMSET …sent from the “bad guy” mobile phone.
  46. 46. [ ZeuS Man in the Mobile ]
  47. 47. [ ZeuS Man in the Mobile ]
  48. 48. [ ZeuS Man in the Mobile ]if ($urlPathExt == ’sis) {$oGate->addHeader(Content-Type:application/vnd.symbian.install);if ($data[mobile_os_type] == OS_SYMBIAN_78) $oGate->outputFile(./symbian/cert_78.sis.txt);else if ($data[mobile_os_type] ==OS_SYMBIAN_9) $oGate->outputFile(./symbian/cert_9.sis.txt);}if ($urlPathExt == cab) {$oGate->addHeader(Content-Type: application/cab);if ($data[mobile_os_type]==OS_WINDOWS_MOBILE_2K)$oGateoutputFile(./wm/cert_uncompress.cab.txt);else if($data[mobile_os_type]=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile(./wm/cert_compress.cab.txt);if ($urlPathExt == ’cod) {$oGate->addHeader(Content-Type:application/vnd.rim.cod);if ($data[mobile_os_type] == OS_BLACKBERRY_41)$oGate->outputFile(./blackberry/cert_41.cod.txt); else if($data[mobile_os_type] == OS_BLACKBERRY_GR44)
  49. 49. [ ZeuS Man in the Mobile ]Remember the token ?mysql_unbuffered_query(“UPDATE sms_list SETmobile_os_version=$mobile_os_version,is_downloaded=YES,ts_downloaded=$ts_downloaded WHEREtoken=$token");
  50. 50. [ ZeuS Man in the Mobile ]ZeuS infected
  51. 51. [ ZeuS Man in the Mobile ]ZeuS infected
  52. 52. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infected
  53. 53. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infectedMitmo Infected
  54. 54. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infected COMMANDSMitmo Infected
  55. 55. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infected COMMANDSMitmo Infected
  56. 56. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infected COMMANDSMitmo Infected
  57. 57. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infected OTP: 0023424 COMMANDSMitmo Infected
  58. 58. [ ZeuS Man in the Mobile ] ID + PASSWORD GAME OVERZeuS infected OTP: 0023424 COMMANDSMitmo Infected
  59. 59. [ DEMO TIME!! ]
  60. 60. [ Conclusions ]• Successful attacks: not binary dependent• Social engineering – HTML injections + extras • Innovation • Underground market – User dependent• Monitoring injections• Sharing information
  61. 61. [ Questions? ]
  62. 62. [ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo

×