Banking Fraud Evolution

2,718 views

Published on

SOURCE Seattle 2011 - Jose Miguel Esparza

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,718
On SlideShare
0
From Embeds
0
Number of Embeds
49
Actions
Shares
0
Downloads
90
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Banking Fraud Evolution

  1. 1. [ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
  2. 2. [ Agenda ]• Banking trojans• Tatanga: a new actor emerges• Anatomy of an e-banking fraud incident• The eternal game of cat and mouse• Real e-banking fraud incidents• Conclusions
  3. 3. [ Banking trojans ]• …• ZeuS• Sinowal (Torpig)• Gozi• SpyEye• Carberp• Feodo• …
  4. 4. [ Banking trojans ] Source: abuse.ch
  5. 5. [ Banking trojans ]• Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
  6. 6. [ Banking trojans ]• Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
  7. 7. [ Banking trojans ]• Binaries functionalities – Screenshots – Capture virtual keyboards Information theft – Credentials theft – Certificates theft – System corruption (KillOS)
  8. 8. [ Tatanga ]• Discovered by S21sec in February 2011• Very low detection• MarioForever (2008) evolution?• C++• No packers• Modular design• Anti-VM, anti-debugging• 64bits support
  9. 9. [ Tatanga ]• Proxys to distribute binaries• Weak encrypted communication with C&C• HTML injection• Man in the Browser• Records video!!
  10. 10. [ Tatanga ]• Proxys to distribute binaries• Weak encrypted communication with C&C• HTML injection• Man in the Browser• Records video!!
  11. 11. [ Tatanga ]• Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
  12. 12. [ Tatanga ]• Modules: XOR + BZIP2 – ModMalwareRemover
  13. 13. [ Tatanga ]• Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
  14. 14. [ Tatanga ]• Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer –…
  15. 15. [ Tatanga ]
  16. 16. [ Tatanga ]
  17. 17. [ Tatanga ]
  18. 18. [ Tatanga ]
  19. 19. [ Tatanga ]
  20. 20. [ Tatanga ]
  21. 21. [ Tatanga ]
  22. 22. [ Tatanga ]
  23. 23. [ Tatanga ]
  24. 24. [ Anatomy of an e-fraud incident ]• Infection• Configuration file update/download• Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing…• Banking credentials theft
  25. 25. [ Anatomy of an e-fraud incident ]• Account spying – Manual / Automatic – Getting balance to choose the victim• Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB)• Money laundering
  26. 26. [ The game of cat and mouse ] Virtual keyboard Code cardID + Password 2FA OTP Token SMS : mTAN
  27. 27. [ The game of cat and mouse ]Virtual keyboard screen/video capturing…
  28. 28. [ The game of cat and mouse ]Code card pharming, phishing, injection…
  29. 29. [ The game of cat and mouse ]Token mTAN …MITM, code injection
  30. 30. [ The game of cat and mouse ] SCREEN-CAPTURING Virtual keyboard PHARMING PHISHINGKEYLOGGING Code cardID + Password MITM FORM GRABBING OTP Token CODE INJECTION SMS : mTAN
  31. 31. [ Real e-banking fraud incidents ]• SpyEye MitB, October 2010• Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
  32. 32. [ Real e-banking fraud incidents ]• Tatanga MitB, February 2011• Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
  33. 33. [ Real e-banking fraud incidents ]• Tatanga MitB, February 2011
  34. 34. [ Real e-banking fraud incidents ]• ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
  35. 35. [ ZeuS Man in the Mobile ]
  36. 36. [ ZeuS Man in the Mobile ]Each day we try to improve your security. Lately we havenoticed many mobile SIM cloning attacks that result infraudulent transfers. Due to the increase of these incidents,we have implemented a new mobile identification method,using a digital certificate. The certificate works insmartphones and is an additional method of protection.This application ensures that only you can access youronline account.Please click here to start the installation
  37. 37. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  38. 38. [ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
  39. 39. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  40. 40. [ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
  41. 41. [ ZeuS Man in the Mobile ] Spoofed SMS Sender IDID Token (remember this for later!)
  42. 42. [ ZeuS Man in the Mobile ]Serial Number:BF43000100230353FF79159EF3B3Revocation Date:Sep 28 08:26:26 2010 GMTSerial Number:61F1000100235BC2794380405E52Revocation Date:Sep 28 08:26:26 2010 GMT
  43. 43. [ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
  44. 44. [ ZeuS Man in the Mobile ] Spoofed SMS Sender IDID Token (rememberthis for later! It isimportant) …sent to a UK mobile phone.
  45. 45. [ ZeuS Man in the Mobile ]ON / OFFSET ADMINADD SENDER ALLREMSET …sent from the “bad guy” mobile phone.
  46. 46. [ ZeuS Man in the Mobile ]
  47. 47. [ ZeuS Man in the Mobile ]
  48. 48. [ ZeuS Man in the Mobile ]if ($urlPathExt == ’sis) {$oGate->addHeader(Content-Type:application/vnd.symbian.install);if ($data[mobile_os_type] == OS_SYMBIAN_78) $oGate->outputFile(./symbian/cert_78.sis.txt);else if ($data[mobile_os_type] ==OS_SYMBIAN_9) $oGate->outputFile(./symbian/cert_9.sis.txt);}if ($urlPathExt == cab) {$oGate->addHeader(Content-Type: application/cab);if ($data[mobile_os_type]==OS_WINDOWS_MOBILE_2K)$oGateoutputFile(./wm/cert_uncompress.cab.txt);else if($data[mobile_os_type]=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile(./wm/cert_compress.cab.txt);if ($urlPathExt == ’cod) {$oGate->addHeader(Content-Type:application/vnd.rim.cod);if ($data[mobile_os_type] == OS_BLACKBERRY_41)$oGate->outputFile(./blackberry/cert_41.cod.txt); else if($data[mobile_os_type] == OS_BLACKBERRY_GR44)
  49. 49. [ ZeuS Man in the Mobile ]Remember the token ?mysql_unbuffered_query(“UPDATE sms_list SETmobile_os_version=$mobile_os_version,is_downloaded=YES,ts_downloaded=$ts_downloaded WHEREtoken=$token");
  50. 50. [ ZeuS Man in the Mobile ]ZeuS infected
  51. 51. [ ZeuS Man in the Mobile ]ZeuS infected
  52. 52. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infected
  53. 53. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infectedMitmo Infected
  54. 54. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infected COMMANDSMitmo Infected
  55. 55. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infected COMMANDSMitmo Infected
  56. 56. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infected COMMANDSMitmo Infected
  57. 57. [ ZeuS Man in the Mobile ] ID + PASSWORDZeuS infected OTP: 0023424 COMMANDSMitmo Infected
  58. 58. [ ZeuS Man in the Mobile ] ID + PASSWORD GAME OVERZeuS infected OTP: 0023424 COMMANDSMitmo Infected
  59. 59. [ DEMO TIME!! ]
  60. 60. [ Conclusions ]• Successful attacks: not binary dependent• Social engineering – HTML injections + extras • Innovation • Underground market – User dependent• Monitoring injections• Sharing information
  61. 61. [ Questions? ]
  62. 62. [ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo

×