SlideShare a Scribd company logo

Banking Fraud Evolution - New techniques in real fraud cases

J
Jose Miguel Esparza

New techniques in banking fraud are applied not only to malicious binaries, but also to how different cybercriminal groups use these binaries. Criminals always attempt to make the most of their malicious software. An example of this is the broad possibilities offered by HTML code injection. The latest injections discovered in both ZeuS and SpyEye show, once again, their continuous struggle to adapt to the changes and measures put in place to counter them. In the case of ZeuS, one of the latest strategies involves rendering useless the two-factor authentication used in numerous on-line banking operations.Similarly, in a campaign for distributing SpyEye, the group responsible for the malware injected code designed to automatically make fraudulent transfers after dynamically obtaining the destination accounts (mules) from a server. Therefore, the impact of campaigns to spread malware depends not only on the dangerousness of the malicious software itself, but also on how this software is used and the creativity of its criminal owners.

TechnologyBusiness
1 of 62
[ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
[ Agenda ] • Banking trojans • Tatanga: a new actor emerges • Anatomy of an e-banking fraud incident • The eternal game of cat and mouse • Real e-banking fraud incidents • Conclusions
[ Banking trojans ] • … • ZeuS • Sinowal (Torpig) • Gozi • SpyEye • Carberp • Feodo • …
[ Banking trojans ] Source: abuse.ch
[ Banking trojans ] • Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
[ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
[ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS) Information theft
[ Tatanga ] • Discovered by S21sec in February 2011 • Very low detection • MarioForever (2008) evolution? • C++ • No packers • Modular design • Anti-VM, anti-debugging • 64bits support
[ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
[ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
[ Tatanga ] • Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
[ Tatanga ] • Modules: XOR + BZIP2 – ModMalwareRemover
[ Tatanga ] • Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
[ Tatanga ] • Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer – …
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Anatomy of an e-fraud incident ] • Infection • Configuration file update/download • Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing… • Banking credentials theft
[ Anatomy of an e-fraud incident ] • Account spying – Manual / Automatic – Getting balance to choose the victim • Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB) • Money laundering
[ The game of cat and mouse ] Virtual keyboard Code card OTP Token SMS : mTAN PasswordID + 2FA
[ The game of cat and mouse ] Virtual keyboard screen/video capturing…
[ The game of cat and mouse ] Code card pharming, phishing, injection…
[ The game of cat and mouse ] Token mTAN …MITM, code injection
[ The game of cat and mouse ] Virtual keyboard Code card OTP Token SMS : mTAN PasswordID + SCREEN-CAPTURING PHISHING MITM CODE INJECTION FORM GRABBING KEYLOGGING PHARMING
[ Real e-banking fraud incidents ] • SpyEye MitB, October 2010 • Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
[ Real e-banking fraud incidents ] • Tatanga MitB, February 2011 • Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
[ Real e-banking fraud incidents ] • Tatanga MitB, February 2011
[ Real e-banking fraud incidents ] • ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ] Each day we try to improve your security. Lately we have noticed many mobile SIM cloning attacks that result in fraudulent transfers. Due to the increase of these incidents, we have implemented a new mobile identification method, using a digital certificate. The certificate works in smartphones and is an additional method of protection. This application ensures that only you can access your online account. Please click here to start the installation
[ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
[ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
[ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
[ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
[ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later!)
[ ZeuS Man in the Mobile ] Serial Number: BF43000100230353FF7915 9EF3B3 Revocation Date: Sep 28 08:26:26 2010 GMT Serial Number: 61F1000100235BC2794380 405E52 Revocation Date: Sep 28 08:26:26 2010 GMT
[ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
[ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later! It is important) …sent to a UK mobile phone.
[ ZeuS Man in the Mobile ] ON / OFF SET ADMIN ADD REM SET …sent from the “bad guy” mobile phone. SENDER ALL
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ] if ($urlPathExt == ’sis') { $oGate->addHeader('Content-Type: application/vnd.symbian.install'); if ($data['mobile_os_type'] == OS_SYMBIAN_78) $oGate->outputFile('./symbian/cert_78.sis.txt'); else if ($data['mobile_os_type'] ==OS_SYMBIAN_9) $oGate->outputFile('./symbian/cert_9.sis.txt');} if ($urlPathExt == 'cab') { $oGate->addHeader('Content-Type: application/cab'); if ($data['mobile_os_type']==OS_WINDOWS_MOBILE_2K) $oGateoutputFile('./wm/cert_uncompress.cab.txt');else if ($data['mobile_os_type']=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile('./wm/cert_compress.cab.txt'); if ($urlPathExt == ’cod') {$oGate->addHeader('Content-Type: application/vnd.rim.cod');if ($data['mobile_os_type'] == OS_BLACKBERRY_41) $oGate->outputFile('./blackberry/cert_41.cod.txt'); else if ($data['mobile_os_type'] == OS_BLACKBERRY_GR44)
[ ZeuS Man in the Mobile ] Remember the token ? mysql_unbuffered_query(“ UPDATE sms_list SET mobile_os_version=$mobile_os_version, is_downloaded='YES', ts_downloaded=$ts_downloaded WHERE token='$token'");
[ ZeuS Man in the Mobile ] ZeuS infected
[ ZeuS Man in the Mobile ] ZeuS infected
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
[ ZeuS Man in the Mobile ] OTP: 0023424 COMMANDS ZeuS infected ID + PASSWORD Mitmo Infected
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected GAME OVER OTP: 0023424 COMMANDS
[ DEMO TIME!! ]
[ Conclusions ] • Successful attacks: not binary dependent • Social engineering – HTML injections + extras • Innovation • Underground market – User dependent • Monitoring injections • Sharing information
[ Questions? ]
[ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo

Recommended

TheGRID
TheGRIDTheGRID
TheGRIDe-Lock Corporation
 
Cybercrime
CybercrimeCybercrime
Cybercrimedeepika28g
 
Banking Fraud Evolution
Banking Fraud EvolutionBanking Fraud Evolution
Banking Fraud EvolutionSource Conference
 
A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016NetGuardians
 
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15MLconf
 
[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditing[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditingNatalino Busa
 
Indian banking
Indian bankingIndian banking
Indian bankingRakhul Nahar
 
Mobile banking project
Mobile banking projectMobile banking project
Mobile banking projectArfan Afzal
 

Recommended

TheGRID
TheGRIDTheGRID
TheGRIDe-Lock Corporation
 
Cybercrime
CybercrimeCybercrime
Cybercrimedeepika28g
 
Banking Fraud Evolution
Banking Fraud EvolutionBanking Fraud Evolution
Banking Fraud EvolutionSource Conference
 
A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016NetGuardians
 
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15MLconf
 
[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditing[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditingNatalino Busa
 
Indian banking
Indian bankingIndian banking
Indian bankingRakhul Nahar
 
Mobile banking project
Mobile banking projectMobile banking project
Mobile banking projectArfan Afzal
 
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesn|u - The Open Security Community
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsTuan Yang
 
How the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksTripwire
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipColdbeans Software
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee RoundtableHarvard PR
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
Cybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareCybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareYoungjun Chang
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product DescriptionSzymon Dowgwillowicz-Nowicki
 
Network security
Network securityNetwork security
Network securityAli Kamil
 
(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013STO STRATEGY
 
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareIsn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareJimmy Shah
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)Mikko Ohtamaa
 
Zsun
ZsunZsun
ZsunHai Nguyen
 
micro payments using coin
micro payments using coinmicro payments using coin
micro payments using coinNaga Dinesh
 
The Rise and Rise of Web Fraud
The Rise and Rise of Web FraudThe Rise and Rise of Web Fraud
The Rise and Rise of Web FraudDavid Jones
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

More Related Content

Similar to Banking Fraud Evolution - New techniques in real fraud cases

nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesn|u - The Open Security Community
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsTuan Yang
 
How the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksTripwire
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipColdbeans Software
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee RoundtableHarvard PR
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
Cybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareCybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareYoungjun Chang
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product DescriptionSzymon Dowgwillowicz-Nowicki
 
Network security
Network securityNetwork security
Network securityAli Kamil
 
(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013STO STRATEGY
 
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareIsn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareJimmy Shah
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)Mikko Ohtamaa
 
micro payments using coin
micro payments using coinmicro payments using coin
micro payments using coinNaga Dinesh
 
The Rise and Rise of Web Fraud
The Rise and Rise of Web FraudThe Rise and Rise of Web Fraud
The Rise and Rise of Web FraudDavid Jones
 

Similar to Banking Fraud Evolution - New techniques in real fraud cases (20)

nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
 
Web Security
Web SecurityWeb Security
Web Security
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our Applications
 
How the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market Works
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones Ownership
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee Roundtable
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browser
 
Cybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareCybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshare
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description
 
Network security
Network securityNetwork security
Network security
 
(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013
 
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareIsn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)
 
Zsun
ZsunZsun
Zsun
 
micro payments using coin
micro payments using coinmicro payments using coin
micro payments using coin
 
The Rise and Rise of Web Fraud
The Rise and Rise of Web FraudThe Rise and Rise of Web Fraud
The Rise and Rise of Web Fraud
 

Recently uploaded

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

Banking Fraud Evolution - New techniques in real fraud cases

  • 1. [ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
  • 2. [ Agenda ] • Banking trojans • Tatanga: a new actor emerges • Anatomy of an e-banking fraud incident • The eternal game of cat and mouse • Real e-banking fraud incidents • Conclusions
  • 3. [ Banking trojans ] • … • ZeuS • Sinowal (Torpig) • Gozi • SpyEye • Carberp • Feodo • …
  • 4. [ Banking trojans ] Source: abuse.ch
  • 5. [ Banking trojans ] • Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
  • 6. [ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
  • 7. [ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS) Information theft
  • 8. [ Tatanga ] • Discovered by S21sec in February 2011 • Very low detection • MarioForever (2008) evolution? • C++ • No packers • Modular design • Anti-VM, anti-debugging • 64bits support
  • 9. [ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
  • 10. [ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
  • 11. [ Tatanga ] • Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
  • 12. [ Tatanga ] • Modules: XOR + BZIP2 – ModMalwareRemover
  • 13. [ Tatanga ] • Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
  • 14. [ Tatanga ] • Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer – …
  • 24. [ Anatomy of an e-fraud incident ] • Infection • Configuration file update/download • Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing… • Banking credentials theft
  • 25. [ Anatomy of an e-fraud incident ] • Account spying – Manual / Automatic – Getting balance to choose the victim • Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB) • Money laundering
  • 26. [ The game of cat and mouse ] Virtual keyboard Code card OTP Token SMS : mTAN PasswordID + 2FA
  • 27. [ The game of cat and mouse ] Virtual keyboard screen/video capturing…
  • 28. [ The game of cat and mouse ] Code card pharming, phishing, injection…
  • 29. [ The game of cat and mouse ] Token mTAN …MITM, code injection
  • 30. [ The game of cat and mouse ] Virtual keyboard Code card OTP Token SMS : mTAN PasswordID + SCREEN-CAPTURING PHISHING MITM CODE INJECTION FORM GRABBING KEYLOGGING PHARMING
  • 31. [ Real e-banking fraud incidents ] • SpyEye MitB, October 2010 • Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
  • 32. [ Real e-banking fraud incidents ] • Tatanga MitB, February 2011 • Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
  • 33. [ Real e-banking fraud incidents ] • Tatanga MitB, February 2011
  • 34. [ Real e-banking fraud incidents ] • ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
  • 35. [ ZeuS Man in the Mobile ]
  • 36. [ ZeuS Man in the Mobile ] Each day we try to improve your security. Lately we have noticed many mobile SIM cloning attacks that result in fraudulent transfers. Due to the increase of these incidents, we have implemented a new mobile identification method, using a digital certificate. The certificate works in smartphones and is an additional method of protection. This application ensures that only you can access your online account. Please click here to start the installation
  • 37. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  • 38. [ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
  • 39. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  • 40. [ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
  • 41. [ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later!)
  • 42. [ ZeuS Man in the Mobile ] Serial Number: BF43000100230353FF7915 9EF3B3 Revocation Date: Sep 28 08:26:26 2010 GMT Serial Number: 61F1000100235BC2794380 405E52 Revocation Date: Sep 28 08:26:26 2010 GMT
  • 43. [ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
  • 44. [ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later! It is important) …sent to a UK mobile phone.
  • 45. [ ZeuS Man in the Mobile ] ON / OFF SET ADMIN ADD REM SET …sent from the “bad guy” mobile phone. SENDER ALL
  • 46. [ ZeuS Man in the Mobile ]
  • 47. [ ZeuS Man in the Mobile ]
  • 48. [ ZeuS Man in the Mobile ] if ($urlPathExt == ’sis') { $oGate->addHeader('Content-Type: application/vnd.symbian.install'); if ($data['mobile_os_type'] == OS_SYMBIAN_78) $oGate->outputFile('./symbian/cert_78.sis.txt'); else if ($data['mobile_os_type'] ==OS_SYMBIAN_9) $oGate->outputFile('./symbian/cert_9.sis.txt');} if ($urlPathExt == 'cab') { $oGate->addHeader('Content-Type: application/cab'); if ($data['mobile_os_type']==OS_WINDOWS_MOBILE_2K) $oGateoutputFile('./wm/cert_uncompress.cab.txt');else if ($data['mobile_os_type']=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile('./wm/cert_compress.cab.txt'); if ($urlPathExt == ’cod') {$oGate->addHeader('Content-Type: application/vnd.rim.cod');if ($data['mobile_os_type'] == OS_BLACKBERRY_41) $oGate->outputFile('./blackberry/cert_41.cod.txt'); else if ($data['mobile_os_type'] == OS_BLACKBERRY_GR44)
  • 49. [ ZeuS Man in the Mobile ] Remember the token ? mysql_unbuffered_query(“ UPDATE sms_list SET mobile_os_version=$mobile_os_version, is_downloaded='YES', ts_downloaded=$ts_downloaded WHERE token='$token'");
  • 50. [ ZeuS Man in the Mobile ] ZeuS infected
  • 51. [ ZeuS Man in the Mobile ] ZeuS infected
  • 52. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD
  • 53. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected
  • 54. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
  • 55. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
  • 56. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
  • 57. [ ZeuS Man in the Mobile ] OTP: 0023424 COMMANDS ZeuS infected ID + PASSWORD Mitmo Infected
  • 58. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected GAME OVER OTP: 0023424 COMMANDS
  • 60. [ Conclusions ] • Successful attacks: not binary dependent • Social engineering – HTML injections + extras • Innovation • Underground market – User dependent • Monitoring injections • Sharing information
  • 62. [ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo