Banking Fraud Evolution

Source Conference
Source ConferenceEducator
[ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
[ Agenda ] • Banking trojans • Tatanga: a new actor emerges • Anatomy of an e-banking fraud incident • The eternal game of cat and mouse • Real e-banking fraud incidents • Conclusions
[ Banking trojans ] • … • ZeuS • Sinowal (Torpig) • Gozi • SpyEye • Carberp • Feodo • …
[ Banking trojans ] Source: abuse.ch
[ Banking trojans ] • Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
[ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
[ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards Information theft – Credentials theft – Certificates theft – System corruption (KillOS)
[ Tatanga ] • Discovered by S21sec in February 2011 • Very low detection • MarioForever (2008) evolution? • C++ • No packers • Modular design • Anti-VM, anti-debugging • 64bits support
[ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
[ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
[ Tatanga ] • Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
[ Tatanga ] • Modules: XOR + BZIP2 – ModMalwareRemover
[ Tatanga ] • Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
[ Tatanga ] • Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer –…
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Anatomy of an e-fraud incident ] • Infection • Configuration file update/download • Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing… • Banking credentials theft
[ Anatomy of an e-fraud incident ] • Account spying – Manual / Automatic – Getting balance to choose the victim • Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB) • Money laundering
[ The game of cat and mouse ] Virtual keyboard Code card ID + Password 2FA OTP Token SMS : mTAN
[ The game of cat and mouse ] Virtual keyboard screen/video capturing…
[ The game of cat and mouse ] Code card pharming, phishing, injection…
[ The game of cat and mouse ] Token mTAN …MITM, code injection
[ The game of cat and mouse ] SCREEN-CAPTURING Virtual keyboard PHARMING PHISHING KEYLOGGING Code card ID + Password MITM FORM GRABBING OTP Token CODE INJECTION SMS : mTAN
[ Real e-banking fraud incidents ] • SpyEye MitB, October 2010 • Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
[ Real e-banking fraud incidents ] • Tatanga MitB, February 2011 • Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
[ Real e-banking fraud incidents ] • Tatanga MitB, February 2011
[ Real e-banking fraud incidents ] • ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ] Each day we try to improve your security. Lately we have noticed many mobile SIM cloning attacks that result in fraudulent transfers. Due to the increase of these incidents, we have implemented a new mobile identification method, using a digital certificate. The certificate works in smartphones and is an additional method of protection. This application ensures that only you can access your online account. Please click here to start the installation
[ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
[ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
[ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
[ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
[ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later!)
[ ZeuS Man in the Mobile ] Serial Number: BF43000100230353FF7915 9EF3B3 Revocation Date: Sep 28 08:26:26 2010 GMT Serial Number: 61F1000100235BC2794380 405E52 Revocation Date: Sep 28 08:26:26 2010 GMT
[ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
[ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later! It is important) …sent to a UK mobile phone.
[ ZeuS Man in the Mobile ] ON / OFF SET ADMIN ADD SENDER ALL REM SET …sent from the “bad guy” mobile phone.
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ] if ($urlPathExt == ’sis') { $oGate->addHeader('Content-Type: application/vnd.symbian.install'); if ($data['mobile_os_type'] == OS_SYMBIAN_78) $oGate->outputFile('./symbian/cert_78.sis.txt'); else if ($data['mobile_os_type'] ==OS_SYMBIAN_9) $oGate->outputFile('./symbian/cert_9.sis.txt');} if ($urlPathExt == 'cab') { $oGate->addHeader('Content-Type: application/cab'); if ($data['mobile_os_type']==OS_WINDOWS_MOBILE_2K) $oGateoutputFile('./wm/cert_uncompress.cab.txt');else if ($data['mobile_os_type']=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile('./wm/cert_compress.cab.txt'); if ($urlPathExt == ’cod') {$oGate->addHeader('Content-Type: application/vnd.rim.cod');if ($data['mobile_os_type'] == OS_BLACKBERRY_41) $oGate->outputFile('./blackberry/cert_41.cod.txt'); else if ($data['mobile_os_type'] == OS_BLACKBERRY_GR44)
[ ZeuS Man in the Mobile ] Remember the token ? mysql_unbuffered_query(“ UPDATE sms_list SET mobile_os_version=$mobile_os_version, is_downloaded='YES', ts_downloaded=$ts_downloaded WHERE token='$token'");
[ ZeuS Man in the Mobile ] ZeuS infected
[ ZeuS Man in the Mobile ] ZeuS infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected Mitmo Infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected OTP: 0023424 COMMANDS Mitmo Infected
[ ZeuS Man in the Mobile ] ID + PASSWORD GAME OVER ZeuS infected OTP: 0023424 COMMANDS Mitmo Infected
[ DEMO TIME!! ]
[ Conclusions ] • Successful attacks: not binary dependent • Social engineering – HTML injections + extras • Innovation • Underground market – User dependent • Monitoring injections • Sharing information
[ Questions? ]
[ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo
1 of 62

Banking Fraud Evolution

Download to read offline
TechnologyBusiness

SOURCE Seattle 2011 - Jose Miguel Esparza

Source Conference
Source ConferenceEducator

Recommended

A-Z of Banking Fraud 2016 by
A-Z of Banking Fraud 2016A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016NetGuardians
2K views56 slides
Banking Fraud Evolution - New techniques in real fraud cases by
Banking Fraud Evolution - New techniques in real fraud casesBanking Fraud Evolution - New techniques in real fraud cases
Banking Fraud Evolution - New techniques in real fraud casesJose Miguel Esparza
1.6K views62 slides
Hurtado diaz doraliza by
Hurtado diaz doralizaHurtado diaz doraliza
Hurtado diaz doralizaMatematica2APV
475 views5 slides
Denis Gorchakov, Olga Kochetova. SMS Banking Fraud. by
Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.
Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.Positive Hack Days
2.1K views13 slides
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связи by
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связиРositive Hack Days V. Противодействие платёжному фроду на сети оператора связи
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связиDenis Gorchakov
595 views32 slides
ISM ppt October 2014_final by
ISM ppt October 2014_finalISM ppt October 2014_final
ISM ppt October 2014_finalAudrius Sapola
752 views64 slides

More Related Content

Viewers also liked

Risk Management e assicurazioni by
Risk Management e assicurazioniRisk Management e assicurazioni
Risk Management e assicurazioniMauro Del Pup
4.3K views60 slides
Risk Management e gestione dei rischi finanziari by
Risk Management e gestione dei rischi finanziariRisk Management e gestione dei rischi finanziari
Risk Management e gestione dei rischi finanziariFondazione CUOA
10.3K views21 slides
[Ai in finance] AI in regulatory compliance, risk management, and auditing by
[Ai in finance] AI in regulatory compliance, risk management, and auditing[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditingNatalino Busa
1.6K views34 slides
Indian banking by
Indian bankingIndian banking
Indian bankingRakhul Nahar
696 views39 slides
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv... by
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Dinidu Weeraratne
5.1K views38 slides
Fraud principles1 by
Fraud principles1Fraud principles1
Fraud principles1Sevisa Isufaj
10.6K views21 slides

Viewers also liked(8)

Risk Management e assicurazioni by Mauro Del Pup
Risk Management e assicurazioniRisk Management e assicurazioni
Risk Management e assicurazioni
Mauro Del Pup4.3K views
Risk Management e gestione dei rischi finanziari by Fondazione CUOA
Risk Management e gestione dei rischi finanziariRisk Management e gestione dei rischi finanziari
Risk Management e gestione dei rischi finanziari
Fondazione CUOA10.3K views
[Ai in finance] AI in regulatory compliance, risk management, and auditing by Natalino Busa
[Ai in finance] AI in regulatory compliance, risk management, and auditing[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditing
Natalino Busa1.6K views
Indian banking by Rakhul Nahar
Indian bankingIndian banking
Indian banking
Rakhul Nahar696 views
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv... by Dinidu Weeraratne
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Dinidu Weeraratne5.1K views
Fraud principles1 by Sevisa Isufaj
Fraud principles1Fraud principles1
Fraud principles1
Sevisa Isufaj10.6K views
Fraud Management Solutions by SAS Institute India Pvt. Ltd
Fraud Management SolutionsFraud Management Solutions
Fraud Management Solutions
SAS Institute India Pvt. Ltd9.3K views
Webinar: Fighting Fraud with Graph Databases by DataStax
Webinar: Fighting Fraud with Graph DatabasesWebinar: Fighting Fraud with Graph Databases
Webinar: Fighting Fraud with Graph Databases
DataStax1.9K views

Similar to Banking Fraud Evolution

nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones by
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesn|u - The Open Security Community
1.1K views38 slides
Web Security by
Web SecurityWeb Security
Web SecurityBharath Manoharan
80.5K views57 slides
Hacking Explained and How to Safeguard Our Applications by
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsTuan Yang
160 views29 slides
Cant touch this: cloning any Android HCE contactless card by
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
432 views94 slides
On Database for Mobile Phones Ownership by
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipColdbeans Software
1.1K views12 slides
Internet Banking Attacks (Karel Miko) by
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
3.4K views36 slides

Similar to Banking Fraud Evolution(20)

nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones by n|u - The Open Security Community
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
n|u - The Open Security Community1.1K views
Web Security by Bharath Manoharan
Web SecurityWeb Security
Web Security
Bharath Manoharan80.5K views
Hacking Explained and How to Safeguard Our Applications by Tuan Yang
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our Applications
Tuan Yang160 views
Cant touch this: cloning any Android HCE contactless card by Slawomir Jasek
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
Slawomir Jasek432 views
On Database for Mobile Phones Ownership by Coldbeans Software
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones Ownership
Coldbeans Software1.1K views
Internet Banking Attacks (Karel Miko) by DCIT, a.s.
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)
DCIT, a.s.3.4K views
Social Engineering in Banking Trojans: attacking the weakest link by Jose Miguel Esparza
Social Engineering in Banking Trojans: attacking the weakest linkSocial Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest link
Jose Miguel Esparza800 views
Network security by Ali Kamil
Network securityNetwork security
Network security
Ali Kamil932 views
091209 Mc Afee Roundtable by Harvard PR
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee Roundtable
Harvard PR406 views
2012 Accumulate Mobile Everywhere - Standard Product Description by Szymon Dowgwillowicz-Nowicki
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description
Szymon Dowgwillowicz-Nowicki677 views
NFTs - Common Use Cases and Legal Considerations (Japan) by Joerg Schmidt
NFTs - Common Use Cases and Legal Considerations (Japan)NFTs - Common Use Cases and Legal Considerations (Japan)
NFTs - Common Use Cases and Legal Considerations (Japan)
Joerg Schmidt495 views
Axiom protect-2.0-with-one identity by Vikram Sareen
Axiom protect-2.0-with-one identityAxiom protect-2.0-with-one identity
Axiom protect-2.0-with-one identity
Vikram Sareen539 views
Operations security (OPSEC) by Mikko Ohtamaa
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)
Mikko Ohtamaa1.5K views
Session2 2 김휘강 codegate2(hkkim) by Korea University
Session2 2 김휘강 codegate2(hkkim)Session2 2 김휘강 codegate2(hkkim)
Session2 2 김휘강 codegate2(hkkim)
Korea University1.3K views
CSI2008 Gunter Ollmann Man-in-the-browser by guestb1956e
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browser
guestb1956e11.5K views
Cyber security by Samsil Arefin
Cyber securityCyber security
Cyber security
Samsil Arefin1.7K views
How the Stolen Credit Card Black Market Works by Tripwire
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market Works
Tripwire3.9K views
Operations Security - SF Bitcoin Hackday March 2015 by Mikko Ohtamaa
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
Mikko Ohtamaa1.1K views
SOTP_Introduction by Johnson Wu
SOTP_IntroductionSOTP_Introduction
SOTP_Introduction
Johnson Wu255 views
Workshop on Cyber security and investigation by Mehedi Hasan
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
Mehedi Hasan432 views

More from Source Conference

Million Browser Botnet by
Million Browser BotnetMillion Browser Botnet
Million Browser BotnetSource Conference
2.4K views56 slides
iBanking - a botnet on Android by
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
2.6K views29 slides
I want the next generation web here SPDY QUIC by
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
1.4K views56 slides
From DNA Sequence Variation to .NET Bits and Bobs by
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
1.2K views54 slides
Extracting Forensic Information From Zeus Derivatives by
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
3.4K views47 slides
How to Like Social Media Network Security by
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
1K views71 slides

More from Source Conference(20)

Million Browser Botnet by Source Conference
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Source Conference2.4K views
iBanking - a botnet on Android by Source Conference
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
Source Conference2.6K views
I want the next generation web here SPDY QUIC by Source Conference
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
Source Conference1.4K views
From DNA Sequence Variation to .NET Bits and Bobs by Source Conference
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
Source Conference1.2K views
Extracting Forensic Information From Zeus Derivatives by Source Conference
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
Source Conference3.4K views
How to Like Social Media Network Security by Source Conference
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
Source Conference1K views
Wfuzz para Penetration Testers by Source Conference
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
Source Conference8.1K views
Security Goodness with Ruby on Rails by Source Conference
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
Source Conference2.5K views
Securty Testing For RESTful Applications by Source Conference
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
Source Conference15.2K views
Esteganografia by Source Conference
EsteganografiaEsteganografia
Esteganografia
Source Conference1.4K views
Men in the Server Meet the Man in the Browser by Source Conference
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
Source Conference1.1K views
Advanced Data Exfiltration The Way Q Would Have Done It by Source Conference
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
Source Conference751 views
Adapting To The Age Of Anonymous by Source Conference
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
Source Conference904 views
Are Agile And Secure Development Mutually Exclusive? by Source Conference
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference2.4K views
Advanced (persistent) binary planting by Source Conference
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
Source Conference1.2K views
Legal/technical strategies addressing data risks as perimeter shifts to Cloud by Source Conference
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Source Conference2K views
Who should the security team hire next? by Source Conference
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
Source Conference838 views
The Latest Developments in Computer Crime Law by Source Conference
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
Source Conference1.5K views
JSF Security by Source Conference
JSF SecurityJSF Security
JSF Security
Source Conference5.3K views
How To: Find The Right Amount Of Security Spend by Source Conference
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
Source Conference1.1K views

Recently uploaded

Design Driven Network Assurance by
Design Driven Network AssuranceDesign Driven Network Assurance
Design Driven Network AssuranceNetwork Automation Forum
15 views42 slides
PRODUCT PRESENTATION.pptx by
PRODUCT PRESENTATION.pptxPRODUCT PRESENTATION.pptx
PRODUCT PRESENTATION.pptxangelicacueva6
14 views1 slide
HTTP headers that make your website go faster - devs.gent November 2023 by
HTTP headers that make your website go faster - devs.gent November 2023HTTP headers that make your website go faster - devs.gent November 2023
HTTP headers that make your website go faster - devs.gent November 2023Thijs Feryn
22 views151 slides
virtual reality.pptx by
virtual reality.pptxvirtual reality.pptx
virtual reality.pptxG036GaikwadSnehal
11 views15 slides
Future of Indian ConsumerTech by
Future of Indian ConsumerTechFuture of Indian ConsumerTech
Future of Indian ConsumerTechKapil Khandelwal (KK)
21 views68 slides
PRODUCT LISTING.pptx by
PRODUCT LISTING.pptxPRODUCT LISTING.pptx
PRODUCT LISTING.pptxangelicacueva6
14 views1 slide

Recently uploaded(20)

Design Driven Network Assurance by Network Automation Forum
Design Driven Network AssuranceDesign Driven Network Assurance
Design Driven Network Assurance
Network Automation Forum15 views
PRODUCT PRESENTATION.pptx by angelicacueva6
PRODUCT PRESENTATION.pptxPRODUCT PRESENTATION.pptx
PRODUCT PRESENTATION.pptx
angelicacueva614 views
HTTP headers that make your website go faster - devs.gent November 2023 by Thijs Feryn
HTTP headers that make your website go faster - devs.gent November 2023HTTP headers that make your website go faster - devs.gent November 2023
HTTP headers that make your website go faster - devs.gent November 2023
Thijs Feryn22 views
virtual reality.pptx by G036GaikwadSnehal
virtual reality.pptxvirtual reality.pptx
virtual reality.pptx
G036GaikwadSnehal11 views
Future of Indian ConsumerTech by Kapil Khandelwal (KK)
Future of Indian ConsumerTechFuture of Indian ConsumerTech
Future of Indian ConsumerTech
Kapil Khandelwal (KK)21 views
PRODUCT LISTING.pptx by angelicacueva6
PRODUCT LISTING.pptxPRODUCT LISTING.pptx
PRODUCT LISTING.pptx
angelicacueva614 views
SAP Automation Using Bar Code and FIORI.pdf by Virendra Rai, PMP
SAP Automation Using Bar Code and FIORI.pdfSAP Automation Using Bar Code and FIORI.pdf
SAP Automation Using Bar Code and FIORI.pdf
Virendra Rai, PMP23 views
Democratising digital commerce in India-Report by Kapil Khandelwal (KK)
Democratising digital commerce in India-ReportDemocratising digital commerce in India-Report
Democratising digital commerce in India-Report
Kapil Khandelwal (KK)15 views
SUPPLIER SOURCING.pptx by angelicacueva6
SUPPLIER SOURCING.pptxSUPPLIER SOURCING.pptx
SUPPLIER SOURCING.pptx
angelicacueva615 views
Microsoft Power Platform.pptx by Uni Systems S.M.S.A.
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptx
Uni Systems S.M.S.A.53 views
Powerful Google developer tools for immediate impact! (2023-24) by wesley chun
Powerful Google developer tools for immediate impact! (2023-24)Powerful Google developer tools for immediate impact! (2023-24)
Powerful Google developer tools for immediate impact! (2023-24)
wesley chun10 views
Zero to Automated in Under a Year by Network Automation Forum
Zero to Automated in Under a YearZero to Automated in Under a Year
Zero to Automated in Under a Year
Network Automation Forum15 views
20231123_Camunda Meetup Vienna.pdf by Phactum Softwareentwicklung GmbH
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdf
Phactum Softwareentwicklung GmbH41 views
Future of AR - Facebook Presentation by ssuserb54b561
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
ssuserb54b56114 views
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
Jasper Oosterveld18 views
Five Things You SHOULD Know About Postman by Postman
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman33 views
Evolving the Network Automation Journey from Python to Platforms by Network Automation Forum
Evolving the Network Automation Journey from Python to PlatformsEvolving the Network Automation Journey from Python to Platforms
Evolving the Network Automation Journey from Python to Platforms
Network Automation Forum13 views
Vertical User Stories by Moisés Armani Ramírez
Vertical User StoriesVertical User Stories
Vertical User Stories
Moisés Armani Ramírez14 views
Info Session November 2023.pdf by AleksandraKoprivica4
Info Session November 2023.pdfInfo Session November 2023.pdf
Info Session November 2023.pdf
AleksandraKoprivica412 views
Special_edition_innovator_2023.pdf by WillDavies22
Special_edition_innovator_2023.pdfSpecial_edition_innovator_2023.pdf
Special_edition_innovator_2023.pdf
WillDavies2217 views

Banking Fraud Evolution

  • 1. [ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
  • 2. [ Agenda ] • Banking trojans • Tatanga: a new actor emerges • Anatomy of an e-banking fraud incident • The eternal game of cat and mouse • Real e-banking fraud incidents • Conclusions
  • 3. [ Banking trojans ] • … • ZeuS • Sinowal (Torpig) • Gozi • SpyEye • Carberp • Feodo • …
  • 4. [ Banking trojans ] Source: abuse.ch
  • 5. [ Banking trojans ] • Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
  • 6. [ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
  • 7. [ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards Information theft – Credentials theft – Certificates theft – System corruption (KillOS)
  • 8. [ Tatanga ] • Discovered by S21sec in February 2011 • Very low detection • MarioForever (2008) evolution? • C++ • No packers • Modular design • Anti-VM, anti-debugging • 64bits support
  • 9. [ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
  • 10. [ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
  • 11. [ Tatanga ] • Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
  • 12. [ Tatanga ] • Modules: XOR + BZIP2 – ModMalwareRemover
  • 13. [ Tatanga ] • Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
  • 14. [ Tatanga ] • Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer –…
  • 24. [ Anatomy of an e-fraud incident ] • Infection • Configuration file update/download • Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing… • Banking credentials theft
  • 25. [ Anatomy of an e-fraud incident ] • Account spying – Manual / Automatic – Getting balance to choose the victim • Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB) • Money laundering
  • 26. [ The game of cat and mouse ] Virtual keyboard Code card ID + Password 2FA OTP Token SMS : mTAN
  • 27. [ The game of cat and mouse ] Virtual keyboard screen/video capturing…
  • 28. [ The game of cat and mouse ] Code card pharming, phishing, injection…
  • 29. [ The game of cat and mouse ] Token mTAN …MITM, code injection
  • 30. [ The game of cat and mouse ] SCREEN-CAPTURING Virtual keyboard PHARMING PHISHING KEYLOGGING Code card ID + Password MITM FORM GRABBING OTP Token CODE INJECTION SMS : mTAN
  • 31. [ Real e-banking fraud incidents ] • SpyEye MitB, October 2010 • Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
  • 32. [ Real e-banking fraud incidents ] • Tatanga MitB, February 2011 • Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
  • 33. [ Real e-banking fraud incidents ] • Tatanga MitB, February 2011
  • 34. [ Real e-banking fraud incidents ] • ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
  • 35. [ ZeuS Man in the Mobile ]
  • 36. [ ZeuS Man in the Mobile ] Each day we try to improve your security. Lately we have noticed many mobile SIM cloning attacks that result in fraudulent transfers. Due to the increase of these incidents, we have implemented a new mobile identification method, using a digital certificate. The certificate works in smartphones and is an additional method of protection. This application ensures that only you can access your online account. Please click here to start the installation
  • 37. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  • 38. [ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
  • 39. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  • 40. [ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
  • 41. [ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later!)
  • 42. [ ZeuS Man in the Mobile ] Serial Number: BF43000100230353FF7915 9EF3B3 Revocation Date: Sep 28 08:26:26 2010 GMT Serial Number: 61F1000100235BC2794380 405E52 Revocation Date: Sep 28 08:26:26 2010 GMT
  • 43. [ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
  • 44. [ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later! It is important) …sent to a UK mobile phone.
  • 45. [ ZeuS Man in the Mobile ] ON / OFF SET ADMIN ADD SENDER ALL REM SET …sent from the “bad guy” mobile phone.
  • 46. [ ZeuS Man in the Mobile ]
  • 47. [ ZeuS Man in the Mobile ]
  • 48. [ ZeuS Man in the Mobile ] if ($urlPathExt == ’sis') { $oGate->addHeader('Content-Type: application/vnd.symbian.install'); if ($data['mobile_os_type'] == OS_SYMBIAN_78) $oGate->outputFile('./symbian/cert_78.sis.txt'); else if ($data['mobile_os_type'] ==OS_SYMBIAN_9) $oGate->outputFile('./symbian/cert_9.sis.txt');} if ($urlPathExt == 'cab') { $oGate->addHeader('Content-Type: application/cab'); if ($data['mobile_os_type']==OS_WINDOWS_MOBILE_2K) $oGateoutputFile('./wm/cert_uncompress.cab.txt');else if ($data['mobile_os_type']=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile('./wm/cert_compress.cab.txt'); if ($urlPathExt == ’cod') {$oGate->addHeader('Content-Type: application/vnd.rim.cod');if ($data['mobile_os_type'] == OS_BLACKBERRY_41) $oGate->outputFile('./blackberry/cert_41.cod.txt'); else if ($data['mobile_os_type'] == OS_BLACKBERRY_GR44)
  • 49. [ ZeuS Man in the Mobile ] Remember the token ? mysql_unbuffered_query(“ UPDATE sms_list SET mobile_os_version=$mobile_os_version, is_downloaded='YES', ts_downloaded=$ts_downloaded WHERE token='$token'");
  • 50. [ ZeuS Man in the Mobile ] ZeuS infected
  • 51. [ ZeuS Man in the Mobile ] ZeuS infected
  • 52. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected
  • 53. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected Mitmo Infected
  • 54. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
  • 55. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
  • 56. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
  • 57. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected OTP: 0023424 COMMANDS Mitmo Infected
  • 58. [ ZeuS Man in the Mobile ] ID + PASSWORD GAME OVER ZeuS infected OTP: 0023424 COMMANDS Mitmo Infected
  • 60. [ Conclusions ] • Successful attacks: not binary dependent • Social engineering – HTML injections + extras • Innovation • Underground market – User dependent • Monitoring injections • Sharing information
  • 62. [ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo