
Man-in-the-Browser Attacks

Mário Almeida, Umit Buyuksahin, Emmanouil Dimogerontakis, Aras Tarhan

December 20, 2011


Contents

1 Background

2 Introduction
  2.1 The Risk in Man-in-the-Browser Attack
  2.2 Global Threat of Man-in-the-Browser
  2.3 Evaluation
  2.4 Point of Attacks

3 Background & Overview of the Method of Attack
  3.1 The Method of Attack
    3.1.1 Phase 1: Infection
    3.1.2 Phase 2: Transaction Takeover
  3.2 Banking Malware Example

4 Banking Trojans
  4.1 Banking trojans capabilities
  4.2 Anatomy of an e-fraud incident
  4.3 Zeus configuration files
  4.4 Domain Generation Algorithms
  4.5 P2P botnets
  4.6 Social Engineering
  4.7 Man-In-The-Mobile
  4.8 Tatanga
  4.9 Banking trojans statistics

5 Counter Measures
  5.1 Active
  5.2 Passive
  5.3 Combination of Active and Passive counter Measures


Chapter 1

Background

Initially, online fraudsters (phishers) used social engineering techniques to try to obtain customers' personal information by sending e-mails, in order to steal money from their Internet banking accounts. This information, such as passwords or bank account details, could be further used for other criminal activities. For example, the fraudsters may intend to leave the victim's information behind after they have successfully committed the crime, so that the visible evidence, which belongs to the victim, leads the police to suspect the victim as the criminal. Fraudsters are using newer and more advanced methods to target online customers. One of the latest and most dangerous methods being developed and deployed is the use of Trojans to launch Man-in-the-Browser (MITB) attacks. In short, a Man-in-the-Browser attack occurs when malicious code infects an Internet browser. The code modifies actions performed by the computer user and, in some cases, is able to initiate actions independently of the customer. When a customer logs on to their bank account, using an infected Internet browser is enough to trigger illicit transactions that result in online theft.


Chapter 2

Introduction

Online fraud was first introduced as a use of social engineering techniques in which potential victims are persuaded to send their confidential information, such as usernames, passwords, and bank account details, in a return e-mail. A more general form of this attack creates fraudulent web pages that convince customers they are on the legitimate website of their bank. When the customer submits information through the form on the fraudulent web page, that information is sent to the online fraudsters. Several spying techniques are also used to monitor a customer's banking information, such as:

• screenshot and video capture

• code injection of fraudulent pages or form fields

• redirecting website

• keystroke logging

Sometimes multiple techniques are combined to obtain customers' information; for instance, screenshot and video capture can be used to monitor the user's activity while keystroke logging records passwords or other information.

Subsequently, one of the latest and most dangerous approaches in online fraud technology, the Trojan horse, was released. It operates by embedding itself in the user's Internet browser, from where it steals confidential information and sends it back to the online fraudsters.

A number of Trojan families are used to conduct Man-in-the-Browser attacks, including Zeus, Adrenaline, Sinowal, and Silent Banker. Some MITB Trojans are so advanced that they have streamlined the process for committing fraud, being programmed with functionality to fully automate the process from infection to cash out.

Man-in-the-Browser and Man-in-the-Middle Attacks: Although Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks share the same idea of controlling the Internet traffic between client and server, they carry out the attack in different ways. Unlike a Man-in-the-Middle attack, a Man-in-the-Browser attack is placed inside the customer's browser and manipulates the outgoing and incoming traffic after the customer's authentication process has completed.

2.1 The Risk in Man-in-the-Browser Attack

The most obvious and most dangerous property of Man-in-the-Browser attacks is that they are hard to detect and, in many cases, succeed in causing damage completely surreptitiously.

Following are some of the reasons why MITB attacks pose a high risk:

• Computers can be infected easily: Especially while customers are browsing or downloading media and other files, they are encouraged to install updated versions of software. These requests are so common that many clients automatically accept them, and customers do not notice the fine differences between a malware program and a normal program. Thus, they may download malware and their computers are unknowingly infected.

• Detection is hard: Since malware is produced using toolkits that support variation of the malicious code, it is hard to detect.

• Traditional strong authentication is inadequate: Traditional strong authentication validates that a person logging on to an online resource is indeed who he or she claims to be. When the customer wants to make an online transaction, the infected browser carries out illicit transactions covertly; neither the customer nor the bank is aware that anything irregular is happening.

• Traditional anti-fraud mechanisms are not effective: Since risk-based anti-fraud tools focus only on user authentication and transaction validation, they do not detect whether a transaction was initiated by malware or not, so the risk remains high.

2.2 Global Threat of Man-in-the-Browser

MitB attacks are not confined to one region or geography; they are a global threat, affecting all regions of the world. However, they are especially prevalent in areas where two-factor authentication is densely deployed. Today, MitB attacks are increasing in their deployment and scale:

• In the United Kingdom, banks are suffering an increasing number of MITB attacks. One financial institution alone reported a loss of 600,000 pounds as a result of a single attack by the PSP2-BBB Trojan. European countries such as Germany, the Netherlands, Spain, France, and Poland have deployed two-factor authentication in the last few years, which has attracted a rise in the number of MITB attacks in these regions. Germany has been particularly hard hit by an abundance of MITB attacks, as it is one of the few successful paths to commit online banking fraud in the country. Banking innovations such as the Single Euro Payments Area (SEPA) and pressure to deliver faster payments have also increased exposure to transaction fraud. The increased ease and speed of moving money is advantageous for legitimate transactions, but reduces the flexibility to investigate and prevent suspicious transactions.

• In the U.S., financial institutions are attacked by MITB; however, the threat has been mainly confined to commercial banking or high-net-worth customers. Because one-time password authentication is not very common amongst consumers in the U.S., MITB attacks against the general consumer public are less common compared to the volume experienced by consumers in Europe. However, as security defenses increase and the ability to infect more machines with MITB Trojans increases, the number of attacks on U.S. retail banking institutions is also expected to rise.

• Financial institutions in Australia, Asia and Latin America are increasingly deploying two-factor authentication for their online banking users and, as a result, have experienced an increasing number of MITB attacks.

2.3 Evaluation

Man-in-the-Browser is also called a proxy Trojan or a password-pinching Trojan. It combines online fraud approaches with Trojan horse technology, placed in the customer's browser, to modify, capture, and/or add information on web pages without the knowledge of the customer or the host.

Man-in-the-Browser Trojans commonly perform what is known as session hijacking: abusing a legitimate user's session with the site being accessed while the user is logged into their account. By hijacking a session in this way, all actions performed by the Trojan become part of the user's legitimate session, whether conducting a malicious activity directly (e.g. a fraudulent money transfer, changing a postal address) or injecting JavaScript code that performs it automatically. The basic flow of a MITB attack is as follows:

1. A consumer gets infected with a Trojan capable of launching an MITB attack.


2. Upon the initiation of a legitimate online transaction, the Trojan is triggered into action and launches its MITB functionality.

3. The user passes all authentication stages, including any two-factor authentication when needed. The Trojan waits silently for a successful login and/or transaction authorization.

4. The Trojan manipulates the transaction details: the payee, and sometimes the amount. In most cases the legitimate payee account is replaced with a mule account that the fraudsters can use.

5. By using social engineering techniques, the user is kept unaware that they are being affected. The Trojan displays fake pages to the user, which may show the transaction details as originally entered by the user. If additional authentication is necessary to complete the transaction, the Trojan will interact with the user and ask them to enter their authentication credentials in real time to approve the transaction.

2.4 Point of Attacks

It is known that online fraudsters can successfully target Firefox, Internet Explorer and Opera, on the Windows, Linux and Mac OS X platforms, by using Trojans. In Man-in-the-Browser attacks, the Trojans use the following properties of Internet web browsers for this purpose:

• Browser Helper Objects: These are dynamically loaded libraries (DLLs) loaded by Internet Explorer (IE) upon start-up. They run inside IE and have full access to IE and to the DOM tree, etc. Developing BHOs is very easy.

• Extensions: These are similar to Browser Helper Objects for other browsers such as Firefox (hereafter, both will be referred to as extensions). Developing extensions is easy. UserScripts are scripts that run in the browser (Firefox/Greasemonkey, Opera). Developing UserScripts is very easy.

• API hooking: This technique is a Man-in-the-Middle attack between the application (.exe) and the DLLs it loads, both application-specific DLLs such as extensions and operating system DLLs. For example, if the SSL engine of the browser is a separate DLL, then API hooking can be used to modify all communication between the browser and the SSL engine. Developing API hooks is difficult.


Figure 2.1: A good example of this type of attack is the breach of Paul McCartney's fan page. In April 2009, the site was hacked for two days and all visitors were silently infected with a variant of a MITB Trojan.


Chapter 3

Background & Overview of the Method of Attack

The fraudulent transaction is made from the victim's computer, during the time the victim works with the related site. It is done silently, without asking the victim for anything. Man-in-the-Browser malware, also sometimes called a proxy Trojan, operates from within the web browser by:

• hooking key operating system and web browser APIs,

– When Internet Explorer opens a connection to the Internet, it calls a function named InternetConnect, which resides in the wininet.dll module that every Windows installation has. MITB Trojans hook into this first call between the Internet Explorer application and the Windows system, so that the Trojan gets full control over everything that is transmitted in this call.

– On Mac, if a web browser uses the system API to manage its Internet connections, then the malware simply needs to hook CFReadStreamOpen(), CFReadStreamRead() or CFReadStreamWrite() in a way similar to the one described above.

– The hooking method works as follows: the hooked call jumps to the malware's own code base, so that the malicious code is executed. The malware needs to make sure that the original code is still called; otherwise, no Internet connection would be established.

• inserting advanced HTML/JavaScript injections and utilising common facilities provided to enhance browser capabilities

– Firefox extensions provide functionality to capture and edit HTTP/HTTPS form data when it is submitted to and received from the web server. An attacker can change the values of form elements without the knowledge of the user. Even when the HTTPS protocol is used, an extension's code can change the secured fields of a form before encryption and after decryption of the data. This makes a Man-in-the-Browser attack possible through malicious Firefox extensions. When a user submits a form, an extension can intercept the form submission and change its values. When a response arrives from the server, the extension can again intercept the response and change it as required. It makes no difference whether a secured channel is used or not, or whether the form request is POST or GET. Since the changes are made by the extension inside the browser, both during the request and the response, they are not observable by the user and are difficult to detect. The examples below are some operations that can be done through HTML/JavaScript injection:

– Persistent storage: Persistent storage can be used if the malware wants to save the current account balance for later use. Internet Explorer actually provides a convenient interface, localStorage and globalStorage, that can be used for exactly this purpose. If that is not possible (e.g. under Firefox), the malware simply creates a new content element (a <DIV> element called customStorage) where it stores the information. Access to the persistent store is done via a JavaScript function where the caller specifies whether to read, write or delete the name and the value of the information to be stored, together with an expiry.

– Getting the actual cash balance for the current account.

– Replacing the login button with a malicious login button.

– Changing the account balance display (to remove the fraudulent transaction amount): JavaScript gets the fraudulent amount from local storage into a variable. The HTML for the fake amount (the current balance plus the fraudulent amount) is then written into the page.

– Remembering the last login date and replacing the real last login date with a fake one: When called, this walks through the content elements and finds the paragraph that contains the last login. It then converts the date and time into a JavaScript variable. The first time, it just stores this information in the persistent storage. The second time, it replaces the real date with the one saved in the persistent storage.

– Changing the recipient details on form submission: The original recipient details are saved and the wire transfer form is located. All these details are stored in local storage. The login number, the account number, the amount and the bank identification number are sent to the fraudsters' server, which in turn replies with the money mule account details. Then the function that changes the recipient details on the transaction is called. With all the relevant information at hand, the malware searches for the wire transfer form and puts the money mule details received into local storage for later use. The malware makes sure that this wire transfer is executed immediately. Now the recipient details are changed to the money mule details, and finally the form is submitted and the wire transfer executed.

– One-time password token stealing: On an authentication page where the user has to provide an OTP, the malware hooks into the onSubmit of the sign-on button. It saves all values (including the OTP) and then simulates the look and feel of a new page loading. This new page says that the token password has expired and that the user should please enter another one. The page loading is stretched out in order to obtain a new OTP: all content elements are made invisible (via CSS) and the page loading time is simulated for a certain period. With a timeout function, the content elements then appear one by one (exactly how it looks when a page loads slowly). The malware checks all input parameters (including, e.g., that the new OTP differs from the old one).

Briefly, Man-in-the-Browser malware, which is virtually undetectable to virus scanning software, allows the attacker:

• not to have to worry about encryption, since SSL/TLS happens outside the browser

• to inspect any content sent or received by the browser

• to inject and manipulate any content before it is rendered within the web browser

• and to dynamically create additional GET/POST/PUT/etc. requests to any destination.

3.1 The Method of Attack

3.1.1 Phase 1: Infection

The first phase of an MITB attack is the infection of the target computer (Figure 3.1). A number of techniques have proven to be effective, typically relying on social engineering to trick a user into doing something unwise, but sometimes exploiting other browser or network vulnerabilities.

1. The user is manipulated, by means of phishing e-mails offering a necessary video codec, a pirated software package, an interesting PDF document, etc., into downloading malware-infected software, or a patch that exploits a browser vulnerability.


Figure 3.1:

2. At some later time, the user restarts the browser.

3. The trojan installs an extension into the browser configuration.

4. The browser loads the extension.

5. The extension registers a handler for every page-load.

3.1.2 Phase 2: Transaction Takeover

Figure 3.2:


1. Monitors all of the user’s activities.

2. Whenever a page is loaded, the extension searches the URL of the page against a list of known sites targeted for attack.

3. When a targeted site is loaded, it registers a button event handler.

4. The extension extracts all data through the DOM interface (Document Object Model, a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents) in the browser, modifies it, and then lets the submission continue.

5. The browser sends the form including the modified values to the server.

Figure 3.3:

6. The server cannot differentiate between the original values and the modified values, nor detect the changes, and receives the modified values in the form as a normal request.

7. The server performs the transaction and generates a receipt. The browser receives the receipt for the modified transaction.

8. The extension then detects the targeted URL and replaces the modified data in the receipt with the original. The browser displays the modified receipt with the original details. Finally, the user thinks that the original transaction was received by the server intact and authorized correctly.


Figure 3.4:

3.2 Banking Malware Example

The user passes all authentication stages, including any two-factor authentication when needed. The Trojan waits silently for a successful login and/or transaction authorization. The Trojan then manipulates the transaction details: the payee, and sometimes the amount. In most cases the legitimate payee account is replaced with a mule account that the fraudster can use. By using social engineering techniques, the user is kept unaware that they are being affected. The Trojan displays fake pages to the user, which may show the transaction details as originally entered by the user. If additional authentication is necessary to complete the transaction, the Trojan will interact with the user and ask them to enter their authentication credentials in real time to approve the transaction.

What makes MITB attacks difficult to detect is that any activity performed seems to originate from the legitimate user's browser. Characteristics such as the HTTP headers and the IP address will appear the same as the user's real data. This creates a challenge in distinguishing between genuine and malicious transactions.


Chapter 4

Banking Trojans

Banking Trojans commonly perform what is known as session hijacking: abusing a legitimate user's session with the site being accessed while the user is logged into their account. They steal data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored.

Some MITB Trojans are so advanced that they have streamlined the process for committing fraud, being programmed with functionality to fully automate the process from infection to cash out.

Banking Trojans are generally composed of a command and control (C&C) web server and a botnet. They generally come with a configuration file in XML that specifies the attack methodology, for instance:

    ^^url_monitored1~~url_monitored2||code_to_change_in_original_page||injected_code

together with web injections, as well as the specific builder. A number of Trojan families are used to conduct MITB attacks:

• Zeus

• Sinowal (Torpig)

• SpyEye

• Carberp

• Feodo

• Tatanga

• ...


4.1 Banking trojans capabilities

The banking Trojan families have different capabilities. The most common are the following:

• Bot: an infected computer can perform actions demanded by the C&C. These bots can be organized in different ways, to work as proxies, to spread new configurations, etc.

• Configuration update: it is possible to update the configuration files after infection.

• Binary update: some of these Trojans have a modular design that allows them to update their binary functionality or even add new functionality (e.g. Tatanga).

• HTML injection (check previous sections)

• Redirection (check previous sections)

• Screenshots / record video

• Capture virtual keyboards

• Credentials / Certificates / Information theft

• System corruption (KillOS): the C&C can send a command that corrupts the target system in a way that makes it difficult to trace back the origin of the attacks.

Before going into deeper detail on some techniques used by Zeus and Tatanga, let us focus on banking e-fraud itself, how it works and its main aspects. In order to perform an e-fraud, the banking Trojans have to work in a transparent way, updating themselves and sometimes tricking the clients into installing new software. This introduces three important concepts:

• Social engineering: the art of manipulating people into performing actions or divulging confidential information. It consists of applying deception for the purpose of information gathering, fraud, or computer system access.

• Real-time integration: the Trojans are updated with mule account databases to aid in the automated transfer of money.

• Circumvention of various 2FA systems: some banking Trojans even provide techniques to circumvent two-factor authentication systems.


4.2 Anatomy of an e-fraud incident

Although similar methodologies have been described for generic MITB attacks, we will revisit some of their aspects and describe the typical anatomy of an e-fraud incident, to understand how the previous concepts relate to it:

1. Infection

2. Configuration file update/download

3. Interaction with the user (social engineering) via HTML injection, Mit(B|M|Mo), pharming, phishing, ...

4. Banking credentials theft

5. Account spying

6. Fraudulent transaction

• Manual Mules

• Automatic Man in the Browser (MitB)

7. Money laundering

• P2P Digital Currency.

• The informal value transfer system called Hawala.

• Mules + Western Union (most usual).

The infection process was already described, so let us start with how the update of the configuration file is done. The following sections will be based on one of the most popular banking Trojans, Zeus.

4.3 Zeus configuration files

An important fact to mention is that typically the bot itself is merely a framework that hooks itself into the system and hides there effectively through the use of rootkits. The logic that drives the behavior of the bot is contained in its configuration file.

The configuration file of Zeus is similar to a definitions database for an antivirus product; without it, the bot is pretty much useless. The logic contained in the configuration includes the list of banking institutions that the bot targets, the URLs of the additional components that the bot relies on to download commands and updates, the lists of questions and the lists of fields that the bot injects into Internet banking websites to steal personal details/credentials, etc.


This configuration is never stored in clear text. It is encrypted, and although the previous generation of Zeus used a hard-coded encryption mechanism for its configuration, the new generations encrypt it with a key that is unique to, and stored inside, the bot executable for which the configuration file exists. This way, the configuration file of one bot sample will not work for another bot sample, even if both samples are generated with the same builder.
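The report summarises a web-inject rule at the start of this chapter as "^^url_monitored1~~url_monitored2||code_to_change_in_original_page||injected_code", and this section lists what a recovered configuration contains (targeted institutions, component URLs, injected fields). For an analyst who has obtained and decrypted such a file, the first triage step is to enumerate which sites it watches and which remote resources the injected code pulls in, so that the bank can be notified and the hosts blocklisted. The following Python parser is an added example written for the notation exactly as the report states it; it is not Zeus's real file format and not code from the report. The separators "^^", "~~" and "||" are taken from the page; the assumption that every rule has exactly three "||"-separated fields is mine, and the sample configuration is constructed using reserved .test hostnames.

```python
"""Triage parser for web-inject rules in the notation the report gives.

Added example (not code from the report, and not Zeus's real file format):
a rule is "^^url~~url||anchor||payload". The three-field layout is assumed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample configuration; hostnames use the reserved .test TLD.
SAMPLE_CONFIG = (
    "^^https://online.example-bank.test/login~~https://online.example-bank.test/auth"
    '||<input type="submit"||<div id="customStorage"></div>'
    "^^https://banking.example-two.test/transfer"
    '||</form>||<script src="https://cdn.example-attacker.test/x.js"></script>'
)


@dataclass
class InjectRule:
    urls: list        # monitored URLs (the "~~"-separated first field)
    anchor: str       # code in the original page that the rule matches/replaces
    payload: str      # HTML/JavaScript the bot injects at that point

    def hostnames(self) -> list:
        return sorted({h for h in (urlparse(u).hostname for u in self.urls) if h})


def parse_rules(text: str) -> list:
    """Split on the rule marker, then on at most two '||' so a payload may itself contain '||'."""
    rules = []
    for chunk in text.split("^^"):
        if not chunk.strip():
            continue
        fields = chunk.split("||", 2)
        if len(fields) != 3:
            raise ValueError(f"malformed rule (expected 3 fields): {chunk[:40]!r}")
        urls, anchor, payload = fields
        rules.append(InjectRule([u for u in urls.split("~~") if u], anchor, payload))
    return rules


def targeted_hostnames(rules: list) -> list:
    """Which sites the configuration watches: the list a bank or CERT wants first."""
    return sorted({h for r in rules for h in r.hostnames()})


def external_script_sources(rules: list) -> list:
    """Remote scripts referenced by payloads: candidate proxy/DNS blocklist entries."""
    found = set()
    for r in rules:
        found.update(re.findall(r'<script[^>]*\ssrc="([^"]+)"', r.payload, re.IGNORECASE))
    return sorted(found)


def rules_for_host(rules: list, hostname: str) -> list:
    """Rules whose monitored URLs include the given host, e.g. for a per-bank report."""
    return [r for r in rules if hostname in r.hostnames()]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CONFIG)
    print("targeted hosts:", targeted_hostnames(parsed))
    print("external scripts:", external_script_sources(parsed))
    for rule in rules_for_host(parsed, "online.example-bank.test"):
        print("anchor:", rule.anchor, "| payload:", rule.payload)
```

The split on "||" is limited to two cuts so that JavaScript containing "||" survives in the payload; a "^^" inside a payload would still break a rule apart, which is one reason to validate field counts and fail loudly rather than silently produce wrong indicators.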

4.4 Domain Generation Algorithms

Since these configuration files need to be updated, the attackers had to come up with a way to distribute them without compromising the Zeus botnet controllers. One of the first alternatives they came up with was a DGA, a domain generation algorithm that uses the date and a salt to generate the domains the bots should contact.

Zeus bots can cycle through a new list of 1,020 domains every day, calling each to see which one is hosting the live C&C server. A bot tries to connect to the domains in random order and, once a file is downloaded and executed, it stops checking.

Figure 4.1:

After a while, security researchers became able to predict and register the domains that Zbots would use ahead of time, in order to learn about the bots' activities. So new generations of Zeus use new alternatives, for example peer-to-peer botnets.
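A bot walking a daily list of 1,020 generated domains in random order until one answers leaves a characteristic trace in the resolver log: a burst of lookups for long, high-entropy, vowel-poor names from one client, most of them answered NXDOMAIN because only the registered domain resolves. The following Python script is an added example of that detection, not code from the report or from any product. The log line format and every value in SAMPLE_LOG are constructed, the entropy and vowel-ratio thresholds are illustrative starting points rather than tuned values, and the second-level-label shortcut stands in for a Public Suffix List lookup.

```python
"""Flag hosts whose DNS lookups look like a domain generation algorithm (DGA).

Added example, not code from the report or any product. The log format and
every value in SAMPLE_LOG are constructed; thresholds are illustrative.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log: "<timestamp> <client> query <qname> <qtype> <rcode>".
SAMPLE_LOG = """\
2011-12-20T09:00:01 10.0.0.12 query www.example-bank.com A NOERROR
2011-12-20T09:00:02 10.0.0.12 query cdn.images.example.net A NOERROR
2011-12-20T09:00:05 10.0.0.12 query xq7kz3pwvb9rt1fm.com A NXDOMAIN
2011-12-20T09:00:05 10.0.0.12 query h4tmq8ndzvf2xkpl.net A NXDOMAIN
2011-12-20T09:00:06 10.0.0.12 query wr9jkzx5tvq8bpnm.org A NXDOMAIN
2011-12-20T09:00:06 10.0.0.12 query zp3vkq9xwtm7hfdr.biz A NXDOMAIN
2011-12-20T09:00:07 10.0.0.12 query mail.example-bank.com A NOERROR
2011-12-20T09:00:08 10.0.0.12 query kxt8wqv2zmp4hrfn.info A NXDOMAIN
2011-12-20T09:00:09 10.0.0.31 query www.wikipedia.org A NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$"
)


def parse_log(text: str) -> list:
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def registrable_label(qname: str) -> str:
    """Second-level label ("example-bank" in www.example-bank.com).

    Simplification: a real deployment uses the Public Suffix List so that
    names under suffixes such as co.uk are handled correctly.
    """
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s: str) -> float:
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def looks_generated(label: str) -> bool:
    """Long, high-entropy, vowel-poor labels are typical of date+salt generators."""
    return len(label) >= 12 and shannon_entropy(label) >= 3.5 and vowel_ratio(label) < 0.2


def client_stats(records: list) -> dict:
    """Per client: total queries, NXDOMAIN answers, and NXDOMAIN answers for
    DGA-looking names (the combination that marks a bot walking its daily list)."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "generated_nx": 0})
    for r in records:
        s = stats[r["client"]]
        s["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
            if looks_generated(registrable_label(r["qname"])):
                s["generated_nx"] += 1
    return dict(stats)


def flag_clients(records: list, burst_threshold: int = 3) -> dict:
    """Clients with at least burst_threshold DGA-looking NXDOMAIN answers."""
    return {c: s["generated_nx"] for c, s in client_stats(records).items()
            if s["generated_nx"] >= burst_threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, s in client_stats(recs).items():
        print(client, s)
    print("flagged:", flag_clients(recs))
```

Entropy and vowel ratio are deliberately crude; in production you would whitelist known CDN and cloud naming patterns (which also look random), weight the score by the NXDOMAIN ratio within a short window, and correlate a flagged client with the download that follows the first successful resolution, since the report notes the bot stops checking once a file has been fetched and executed.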


4.5 P2P botnets

This paradigm of updating configuration files through P2P networks opens new alternatives for dynamically changing the bot network and applying new techniques to hide the origin of the configuration files.

Figure 4.2:

4.6 Social Engineering

Now that we have described how the configuration of Zeus and its botnets work, let us finally talk about the important role social engineering plays in the theft of confidential information.

Nowadays banks make use of multi-factor authentication mechanisms such as mobile SMS tokens. The idea is to use pieces of evidence that have separate ranges of attack vectors (e.g. logical, physical), leading to a more complex attack scenario and, consequently, lower risk.

Although the initial idea of these mechanisms was to secure the authentication process, we will see that there are techniques that can work around them. The following figure shows, for each type of authentication mechanism, the respective technique that can be used to steal the information.

For the simplest login mechanism, consisting of a form with a username and password, an attacker can use keylogging or form grabbing to intercept its contents. This can even be done through pharming, which consists of redirecting the traffic to another website by exploiting vulnerabilities in DNS protocols. A virtual keyboard password can be captured using screen or video capture. One-time passwords (OTP) such as code cards, SMS tokens and mobile transaction authentication numbers (mTAN) can also be attacked. If, through some code injection, all the code card digits are requested, then the attacker will have all the code card data. This can be done in a more transparent way, though, either through pharming or phishing, until a large percentage of the code card digits has been stolen. The mTAN or SMS tokens can also be stolen through code injection and, in some cases, through Man-in-the-Mobile attacks.

Figure 4.3:

4.7 Man-In-The-Mobile

1. The attacker steals both the online username and password using malware (ZeuS 2.x).

2. The attacker infects the user's mobile device by forcing him to install a malicious application (he sends an SMS with a link to the malicious mobile application) (Figure 4.4).

3. The attacker logs in with the stolen credentials, using the user's PC as a SOCKS proxy, and performs an operation (Figure 4.5).

4. An SMS is sent to the user's mobile device with the authentication code. The malicious software running on the device forwards the SMS to another terminal controlled by the attacker.

5. The attacker fills in the authentication code and completes the operation.

4.8 Tatanga

To provide new evidence of the banking Trojan evolution, we will describe another Trojan called Tatanga, which was discovered by S21sec in February 2011. Tatanga has MITB functionality and affected banks in Spain, the United Kingdom, Germany and Portugal. It is capable of making bank transfers automatically, obtaining "mules" from a server and faking the real balance and money movements of the victims.

Figure 4.4:

Figure 4.5:

Some characteristics of Tatanga include:

• Very low detection

• C++

• No packers

• Modular design

• Anti-VM, anti-debugging

• Proxys to distribute binaries

• Records video!

One of the major aspects of Tatanga is its modular design, which allows the addition of new binary functionality. These modules are ciphered using XOR and BZIP2 and are deciphered in memory when the injection into the browsers is done, in order to avoid AV detection.

Some of these modules are described below:


• HTTPTrafficLogger

• Comm (Handles ciphering between trojan and control panel)

• ModDynamicInjection (Performs code injection)

• ModEmailGrabber (Collects email info)

• ModAVTrafficBlocker (Blocks AVs)

• ModMalwareRemove (Removes other malware, e.g. Zeus)

• FilePatcher (Propagation)

• Coredb (Manages the configuration files - 3DES ciphering)

• SmartHTTPDose

• ...

4.9 Banking trojans statistics

To conclude this banking Trojan section, we provide some statistics on Zeus infections to show that this is a large-scale problem with millions of infected machines.

Figure 4.6:

Older statistics report over 160 million attempted losses and an actual loss of 50 million euros.


Figure 4.7:


Chapter 5

Counter Measures

As MITB attacks are still in process of evolving there is not a global approachto defend against them. There are, though, combinations of counter measureswhich can effectively resist against certain kinds of attacks. In this section weare going to review a big number of known counter measures and commenton their efficiency against MITB attacks. Our final goal is to provide a set ofcounter measures which can effectively provide a defense mechanism againsta generic MITMB attack.

We can differentiate the counter measures into two broad categories: active and passive.

5.1 Active

Active counter measures involve the user in some additional authenticating steps, at login time, transaction execution time, or both.

Username and password, biometrics: Techniques generally applied for user authentication, such as username/password and biometrics, are not effective because the malware can intercept the credentials or wait until the user is past this challenge before taking over.

OTP based: Techniques mostly used by banks for user authentication, based on One Time Passcode tokens. Out-of-Band OTP is an OTP delivered over an alternative channel of communication, such as cellular networks (i.e. GSM). EMV-CAP OTP consists of an electronic physical reader which, provided with a user's chip-enabled bank card, can generate OTPs. None of the OTP based measures are effective, because the malware can intercept or wait until the user is past this challenge before taking over.

OTP based with Signature: Some forms of OTP tokens can also be used to electronically sign transaction details, if they are equipped with a small numeric keypad; the user is prompted to enter the transaction details on the small keypad, then a signature code is calculated by the token. This method can also be used with EMV-CAP OTP. These techniques can be effective against MitB attacks. The user enters the transaction details and so is aware of the specifics, and the banking site can detect if malware attempts to change them. This solution, though, is inconvenient because usability of the token screen and keyboard is weak, the user could be confused, and special hardware must be deployed.

Out-of-Band OTP with Transaction Details: Enhanced Out-of-Band OTP which also contains information about the transaction, so the user is able to verify that the right transaction is being performed. This measure can be truly effective against a simple MitB attack but can be vulnerable when the attack is combined with a Man-in-the-Mobile attack.

Smart Cards with Digital Certificate: A PKI digital certificate stored on a smart card or USB cryptographic token; the credential is used to perform client authentication via SSL. This technique is not functional against MitB attacks either, because the malware can intercept or wait until the user is past this challenge before taking over.

Anti-Virus or Anti-Malware: This solution could be effective, but malware is changing so rapidly that client software is having trouble keeping up; signature-based detection models are increasingly ineffective and other models are still improving.

Separate Computer Used Solely for Online-Banking, Live-CDs: This solution can be effective to a good degree but is not convenient to implement. Malware is less likely to be installed if the computer is not used for other things, but it is not a user-friendly solution.

Hardened Browser on a USB Drive: A hardened browser is shipped to end-users on a USB drive and hard-coded to only connect to the target bank's Web site; sometimes there is also a PKI credential stored on the USB device and used for authentication. This measure can be effective, but many organizations have disabled USB drives or, at least, have disabled autorun capability for external media, making deployment of this solution more challenging. Moreover, browser updates can also become problematic.
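As an added example (not from the report), the following Python sketch models the transaction-signing idea behind "OTP based with Signature" and "Out-of-Band OTP with Transaction Details": the token signs the details the user keyed in, the bank recomputes the code over the details it actually received, so a destination rewritten by the malware fails verification. The shared secret, the counter, the account strings and the use of truncated HMAC-SHA256 in place of a real token's algorithm are all assumptions of this example.

```python
import hashlib
import hmac

DIGITS = 8  # length of the code shown on the token display (assumption)


def canonical(dest_account: str, amount_cents: int, counter: int) -> bytes:
    """Token and bank must serialise the transaction details identically."""
    return f"{dest_account}|{amount_cents}|{counter}".encode()


def token_sign(secret: bytes, dest_account: str, amount_cents: int, counter: int) -> str:
    """Code the offline token computes from the details the USER typed on its keypad.
    HMAC-SHA256 truncated to DIGITS digits stands in for the real token algorithm."""
    mac = hmac.new(secret, canonical(dest_account, amount_cents, counter), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


def bank_verify(secret: bytes, received_dest: str, received_amount: int, counter: int, code: str) -> bool:
    """Bank recomputes the code over the details it actually RECEIVED from the browser."""
    expected = token_sign(secret, received_dest, received_amount, counter)
    return hmac.compare_digest(expected, code)


def simulate(user_dest, user_amount, browser_dest, browser_amount,
             secret=b"constructed-per-customer-secret", counter=17):
    """True if the bank accepts the transfer.
    user_*: what the customer intends and keys into the token.
    browser_*: what the (possibly MitB-modified) browser submits to the bank.
    The counter (or a bank-issued challenge) keeps an old code from being replayed."""
    code = token_sign(secret, user_dest, user_amount, counter)   # read off the token
    return bank_verify(secret, browser_dest, browser_amount, counter, code)


if __name__ == "__main__":
    # Honest session: details in the token and in the request agree -> accepted.
    print(simulate("ES00-LEGIT-PAYEE", 25000, "ES00-LEGIT-PAYEE", 25000))
    # Malware silently swaps the destination for a mule account -> signature mismatch.
    print(simulate("ES00-LEGIT-PAYEE", 25000, "XX00-MULE-ACCOUNT", 25000))
```

The check only protects what the user actually keys into the token; details the bank fills in itself are outside the signature, which is why the text requires the user to enter them.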

5.2 Passive

Passive counter measures are invisible to the user, yet help identify the user or flag suspicious activity. These techniques are attractive because they do not impact the user experience in any way and, as a result, are easily deployed to protect all customers, even those who do not wish to see visible security measures.

IP-Geolocation: Based on the end-user's computer IP address, this technique determines the user's geographic location and compares it to the typical locations used by this user. This solution could be effective when credentials are stolen and used elsewhere, but it fails against MITB because the malware is in the user's regular browser, at the user's typical location.


In cases where credentials are stolen and sold to third parties, though, this technique could be helpful.

Device-Profiling: A snapshot of the user's browser configuration is taken (via Javascript and HTTP headers) to determine if the user is visiting from their usual Web browser; in a PC browser environment this technique is quite effective at uniquely identifying a computer with no interaction from the user. It can be effective under the same circumstances as IP-Geolocation.

Transactional Fraud Detection: The online-banking application is modified to make calls to the fraud detection service at every point an organization thinks may be relevant to fraud. This is typically only done at initial logon and at specific monetary transaction points, where the fraud engine looks at transactions and compares them to what would be termed normal for that user or group of users; patterns are detected and warnings raised if appropriate. It is essential to perform the analysis in real time, because transactions are nowadays processed automatically and are completed in a small amount of time.

Monitor User Behavior: The user's Web traffic data is captured and analyzed from the moment they log on to the moment they complete their session. Analysis of a single user session, multiple sessions for the same user and multiple sessions for multiple users gives the system a complete view of how the banking application is being used and, more importantly, abused.
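To make the Transactional Fraud Detection and Monitor User Behavior measures concrete, here is an added Python example (not from the report) that scores constructed transfer log lines against each user's own history, the way the fraud engine described above would: a never-seen payee, an amount far above the user's usual, and a transfer fired seconds after login (the pace of an automated takeover rather than a person) each add to the score. The log format, the thresholds and the three heuristics are assumptions of this example, not the report's.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed log: three ordinary sessions build alice's history; the last is a big transfer to a new payee 4 s after login.
SAMPLE_LOG = """\
2011-12-01T10:00:00 user=alice event=login
2011-12-01T10:03:12 user=alice event=transfer dest=RENT-ACCOUNT amount=800
2011-12-05T09:30:00 user=alice event=login
2011-12-05T09:33:40 user=alice event=transfer dest=RENT-ACCOUNT amount=800
2011-12-10T18:00:00 user=alice event=login
2011-12-10T18:04:05 user=alice event=transfer dest=UTILITY-CO amount=120
2011-12-19T22:15:00 user=alice event=login
2011-12-19T22:15:04 user=alice event=transfer dest=UNKNOWN-9931 amount=4900
"""

def parse(line):
    ts, *pairs = line.split()  # '<iso-timestamp> key=value ...'
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def score_transfers(log_text, fast_login_secs=30, amount_factor=3.0):
    """Score each transfer in arrival order against that user's history so far; yields (ts, dest, amount, score, reasons)."""
    payees = defaultdict(set)    # user -> payees seen in earlier transfers
    amounts = defaultdict(list)  # user -> amounts of earlier transfers
    last_login = {}              # user -> time of the most recent login
    results = []
    for line in log_text.splitlines():
        rec = parse(line)
        user = rec["user"]
        if rec["event"] == "login":
            last_login[user] = rec["ts"]
            continue
        amount = float(rec["amount"])
        reasons = []
        if rec["dest"] not in payees[user]:
            reasons.append("new payee")
        if len(amounts[user]) >= 2 and amount > amount_factor * statistics.mean(amounts[user]):
            reasons.append("amount far above user's usual")
        if user in last_login and (rec["ts"] - last_login[user]).total_seconds() < fast_login_secs:
            reasons.append("transfer seconds after login")
        results.append((rec["ts"], rec["dest"], amount, len(reasons), reasons))
        payees[user].add(rec["dest"])
        amounts[user].append(amount)
    return results

def flagged(log_text, threshold=2):
    """Transfers a bank would hold for step-up (e.g. out-of-band) confirmation instead of executing at once."""
    return [r for r in score_transfers(log_text) if r[3] >= threshold]
```

Because the scoring runs per event as it arrives, the decision to hold the last transfer is available before it is executed, which is the real-time requirement the text stresses.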

5.3 Combination of Active and Passive counter Measures

As we saw before, most of the classical counter measure techniques are not able to protect users from MitB attacks. The solutions that do work, though, seem to need a lot of resources in order to provide accurate results. We also have to consider the rapid evolution of the MitB techniques used. In conclusion, we suggest the solution we think is best, which is assembled from a combination of working active and passive solutions.

The following combination can provide a high level of security against a generic MitB attack:

• Active: Out-of-band transaction detail confirmation, followed by one-time-passcode generation: this technique leverages devices such as mobile phones that are already being carried by the intended end-users, and enables review of transaction details outside the influence of malware on the user's PC.

• Passive: Fraud detection that monitors user behavior: this server-side monitoring of a user's movement through a banking Web site, inclusive of transaction execution steps as well as the steps leading there, provides flexibility for financial institutions to adapt to constantly evolving malware features, and detect suspicious patterns of activity for immediate intervention.

The combination of flexible authentication technology enabling easy step-up authentication when risk levels dictate, along with ongoing user behavior monitoring, provides a layered defense against malware threats.

