rsa 090617 webcast slides


Upload: sunil-pandya

Post on 29-May-2018


8/8/2019 RSA 090617 Webcast Slides

http://slidepdf.com/reader/full/rsa-090617-webcast-slides 1/47

Online Fraud Trends in 2009 and Beyond

Featured Presenter: 

Sean Brady, Senior Product Marketing Manager, RSA

Where does RSA see fraud going?

The Trends:

Phishing Fast-Flux

Trojans

Blend of Phishing and Trojans

Fraud as a Service (FaaS)

Attack on Multi-Factor/OTP Authentication

Resolution?

Agenda: 


Where Does RSA See Fraud Going?


The Fraud Trends

Phishing

Risk

Sophistication


An Ongoing Problem

Phishing continues essentially unabated

The number of phishing attacks detected by RSA in 2008 grew 66% over 2007


The Fraud Trends

Phishing

Fast-Flux

Risk

Sophistication


Proprietary proxy network replaced with Asprox

Fast-flux: Investing In the Infrastructure


Mother ship moved to new bulletproof hosting

Fast-flux: Investing In the Infrastructure


User’s machines also infected by malware

Fast-flux: Investing In the Infrastructure


The Fraud Trends

Phishing

Risk

Sophistication

Fast-Flux

Trojans


Trojans Are Here to Stay

No differently than any piece of software, Trojans and Trojan kits continue to evolve

Infrastructure will improve, similar to phishing

Automated Command & Control failover

Easy evasion of Anti-Virus

Can even now “grab balances” so fraudsters don’t have to manually check balances


The Fraud Trends

Phishing

Risk

Sophistication

Fast-Flux

Trojans

Blend of Phishing & Trojans


Trojan Ecosystems and Infrastructure

Command & Control

Bot-Herder

Infection / Update Drop Zone

Victim’s PC

Less than 25% of infected PCs are protected by AV applications. Even less effectively protected against the specific threat.


Blend of Phishing and Crimeware


Blend of Phishing and Crimeware


Blend of Phishing and Crimeware


The Fraud Trends

Phishing

Risk

Sophistication

Fast-Flux

Trojans

Blend of Phishing & Trojans

Fraud-As-A-Service (FaaS)


Growth in Outsourcing

Centralized Trojan Infection Services

Ready-made procurement of Trojan packages

HTML Injection Kits


Infection Services Get Widespread


Infection Services Get Widespread

Non Exclusive Infection

$23 per 1k infections


Infection Services Get Widespread

Exclusive Infection

$130-270 per 1k infections


Use Only Reviewed Trojans


Easy to Use

Use Only Reviewed Trojans


Customer service was outstanding

Use Only Reviewed Trojans


Downside: control panel in Russian

Use Only Reviewed Trojans


Product 9/10

Service 9/10

Use Only Reviewed Trojans


Phone Banking Fraud is Live and Kicking


Fraud as a Service

Trojan Hosting Infection

OUT

Harvesting

Fraudster

IN

$299 per month

SaaS Subscription

Credentials

My Account

Reports

User Name Password

Beatles60 abc123

Abba70 bcd234

Queen80 cde345

Everyone in the room can do it

Who in the room can do it?


The Fraud Trends

Phishing

Risk

Sophistication

Fast-Flux

Trojans

Blend of Phishing & Trojans

Fraud-As-A-Service (FaaS)

Attack on Multi-Factor/OTP Authentication


Attacking Multi-Factor Authentication

Static Methods (older approaches)

Target token serial numbers

Strong social engineering aspect

Collection of event-based and scratch card methods (iTan, for example)


Trojan uses a combination of techniques in order to circumvent strong authentication:

HTML injection

Blocking user traffic to the bank’s website

A proxy installed on the victim's PC

How the attack works

Attacker steals information required for the transaction authentication, using HTML injection

Attacker can choose to use/not use the victim’s PC as a proxy to perform the transaction.

Trojan MITB without Session Hijacking


Page Injection


Page Injection


Trojan MITB with Session Hijacking – Zeus (WSNPoem)

Javascript injected using HTML injection


Trojan MITB with Session Hijacking – Zeus (WSNPoem)

Javascript injected using HTML injection

MITB transfer to a static money mule


Trojan MITB with Session Hijacking – Zeus (WSNPoem)

Javascript injected using HTML injection

MITB transfer to a static money mule

MITB transfer to a dynamic mule


Trojan MITB with Session Hijacking – Zeus (WSNPoem)

Javascript injected using HTML injection

MITB transfer to a static money mule

MITB transfer to a dynamic mule

MITB transfer completed – No service message displayed


Trojan MITB with Session Hijacking – Zeus (WSNPoem)

Javascript injected using HTML injection

MITB transfer to a static money mule

MITB transfer to a dynamic mule

MITB transfer completed – No service message displayed


Mule Accounts Recovery


Mule Accounts Recovery


Mule Accounts Recovery


Mule Accounts Recovery


Mule Accounts Recovery


Resolutions?

Phishing

Risk

Sophistication

Fast-Flux

Trojans

Blend of Phishing & Trojans

Fraud-As-A-Service (FaaS)

Attack on Multi-Factor/OTP Authentication


Technical

Infrastructure

Cash Out

Fraudster

Layers of Security

Harvesting

Fraudster

Operational

Infrastructure

Communication

Fraud forum / chat room

User Account

Tools Hosting Delivery Mules Drops Monetizing

Transaction Monitoring

Identity Verification

Authentication

AntiPhishing/

Trojan

Detection

Shut Down

Blocking

Intelligence


Dynamically adjusted security based on:

Real-time risk assessment (multiple fraud predictors, deviations from user profile, Fraud Network matching and link analysis)

Organization’s risk policies

Evaluate Risk of Activity


For More Information

RSA Special Online Fraud Report: What to Expect in 2009 and Beyond

RSA Online Fraud Intelligence Report: May 2009

Subscribe to the RSA Monthly Online Fraud Report

Resources