8/14/2019 Thomas Ralph Slides
1/50
FIRST 2007 - Seville
Cyber Fraud Trends and Mitigation
Verisign iDefense Security Intelligence Services
Ralph Thomas - Malcode Operations Director
June 21, 2007
Traditional Phishing
[Diagram, built over three slides: the home user is led away from the real banking web server (https://www.unicaja.es) to a faked banking web server at http://65.40.13.173:122/ unicaja.es .html; the bad guy then connects to the real banking web server at https://www.unicaja.es]
+ Measures against Phishing:
  Prevent users from being phished
    EV certs
    Passmark system
    .bank TLD initiative
  Prevent stolen credentials from being misused
    Stronger authentication (2FA, nFA)
    Fraud detection system
+ But of course:
  If you deploy 2FA the bad guys will steal your second factor!
Phishing the second factor
MetaFisher Overview
[Diagram: the initial compromise of the home user exploits the WMF vulnerability and installs a BHO in IE, sitting between the user and the banking web server]
Browser Helper Objects
[Diagram: the initial compromise of the home user exploits the WMF vulnerability and installs a BHO in IE]
+ DLL modules designed as a plug-in for Microsoft's IE to provide added functionality.
+ Introduced in October 1997
+ Loaded once by each new instance of Internet Explorer.
+ Loaded for each instance of the Windows File Explorer
+ Examples: Adobe Acrobat, Alexa Toolbar, Google Toolbar
+ The BHO API provides access to the Document Object Model (DOM)
+ No Reasonable Prevention
Browser Help Object Add-on Manager
[Screenshot: XP SP2, IE > Tools > Manage Add-ons]
BHO Process Injection
+ Browser Help Object: METAFISHER 'Plugin' for Microsoft Internet Explorer
  Runs in the process space of IE
  Has complete control over what IE does
  SSL transfer is seen in cleartext by the BHO
  Any sort of MITM attack is possible
  Every piece of information that is sent to or received from the Internet can be intercepted and modified; data integrity, confidentiality and accessibility are at risk
+ BHO loaded into Internet Explorer:
C:\> tasklist /M ipsec6mon.dll
Image Name                     PID Modules
========================= ====== =======
IEXPLORE.EXE                  1632 ipsec6mon.dll
Network Injection (Case Study)
+ HTML Injection and phishing against Spanish Banks: Metafisher
The Metafisher Trojan is able to use HTML injection in a man-in-the-middle phishing attack against a list of Spanish banks that is supplied by the C&C server. At the time of this writing the following institutions are being targeted:
  Banco Bilbao Vizcaya Argentaria S.A. (bbvanet.com, bbvanetoffice.com)
  Caja de Ahorros y Monte de Piedad de Madrid (cajamadrid.es, cajamadridempresas.es)
  Montes de Piedad y Caja de Ahorros de Ronda Cadiz Almeria Malaga y Antequera (unicaja.es)
  Caixa d'Estalvis de Catalunya (caixacatalunya.es)
  Banco Espanol de Credito S.A. (banesto.es)
  Banco Popular Espanol S.A. (bancopopular.es)
  Deutsche Bank Sociedad Anonima Espanola (deutsche-bank.es)
MetaFisher Overview
[Diagram: the initial compromise exploits the WMF vulnerability and installs a BHO in IE; the bot uses FTP drop servers (unique directory name by country and computer) and receives obfuscated C&C commands from the command and control servers over HTTP, not IRC]
MetaFisher Command & Control
[Diagram: the home user's bot talks to the command and control servers over HTTP, not IRC, using obfuscated C&C commands]
17/50
17
MetaFisher Configuration Page - Bots
8/14/2019 Thomas Ralph Slides
18/50
18
MetaFisher Configuration Page - Exploits
8/14/2019 Thomas Ralph Slides
19/50
19
MetaFisher Configuration Page - Multiple Users
8/14/2019 Thomas Ralph Slides
20/50
20
MetaFisher Configuration Page - Zombies
8/14/2019 Thomas Ralph Slides
21/50
21
MetaFisher Configuration Page - FTP Login
8/14/2019 Thomas Ralph Slides
22/50
22
MetaFisher Configuration Page - TANS
TransactionNumbers
(TAN)s
One Time pads
Indexed TANs
Mobile TANs
TransactionNumbers
(TAN)s
One Time pads
Indexed TANs
Mobile TANs
8/14/2019 Thomas Ralph Slides
23/50
MetaFisher Configuration Page - Statistics
MetaFisher Statistics
MetaFisher Recent Developments
[Diagram: the MetaFisher overview again: initial compromise via the WMF vulnerability, BHO installed in IE, FTP drop servers with a unique directory name by country and computer, and command and control servers using obfuscated C&C commands over HTTP, not IRC]
+ Evidence of activity in the US
+ Evidence of Russian Business Network and Rock Phish
+ Auto-deposits for Sparkasse and Postbank ($3000)
+ American Express single sign-on modules
+ Disables Firefox
+ Trojan toolkit and Web server toolkit sold on Russian Underground ($6K)
Metafisher for Sale!
More Trojans (Russian Toolkits)
+ Metafisher/Agent.dq/BZub/Tanspy/Cimuz/Nurech
+ Torpig/Sinowal/Anserin
+ OrderGun/Gozi/Ursniff/Snifula/Zlobotka
+ Snatch
+ Corpse NuclearGrabber
+ Corpse A-311 Death (Haxdoor)
+ NetHell
+ VisualBriz
+ Apophis
+ Pinch/Xinch
+ Limbo
+ Power Grabber
+ 'Matryoshka'
+ 'Banker.CMB'
+ 'Developer'
New Tactics & Techniques
+ Key Logging
  Add trigger (e.g. application title)
+ Generic Form Grabbing
  More selective about the data being transferred by the user
  Add context (manage dump)
+ IE Stored Passwords and Auto-Complete Fields (!)
  Victim's life is stolen: MySpace, eMail, Retailer; the fraudster sees the system behind the victim's usernames/passwords
+ Targeted Approaches
  Add more context (manage dump)
  Circumvent specific security measures: virtual keypads, TANs
  Instant defraud (vs. collecting credentials)
Recent Developments: Rogue ISPs
AS | IP | CC | AS Name
17992 | 203.223.159.78 | MY | AIMS-AP Applied Information Management Serv
14361 | 209.160.64.214 | US | HOPONE-GLOBAL - HopOne Internet Corporation
25532 | 217.16.27.160 | RU | MASTERHOST-AS .masterhost autonomous system
40989 | 81.95.148.23 | RU | RBN-AS RBusiness Network
2706 | 58.65.232.34 | HK | HKSUPER-HK-AP Pacific Internet (Hong Kong)
One Time Password
[Screenshot: a printed list of one-time passwords]
One Time Passwords Do not Mitigate
[Diagram, built over three slides: after the initial compromise the BHO captures the account information, injects HTML locally with the error message "OTP is invalid, try another", and the captured one-time passwords go to the FTP drop servers]
Mitigation Techniques
+ Browser Help Object Management
+ Enterprise A/V Solutions
+ High Assurance Certificates
+ Fraud Detection
+ Authentication Schemes
  One Time Passwords (scratch pads, TAN)
  Indexed One Time Passwords (iTAN)
  Timed One Time Passwords
  Indexed Out of Band One Time Passwords (mTAN)
  Token Based Two Factor Authentication
Indexed One Time Passwords Mitigate Some
[Diagram, built over three slides: the BHO captures the account information, injects HTML locally with the error message "OTP is invalid, try another", and the captured indexed one-time passwords go to the FTP drop servers]
Indexed Out of Band One Time Passwords Complete Mitigation
[Diagram: home user and banking web server only]
Token Based Two Factor Authentication Some Mitigation
[Diagram, built over two slides: the BHO captures the token information and injects HTML locally with the error message "OTP is invalid, try another"; the second build shows the home user, the banking web server, a second bank and the BHO]
Mitigation Techniques Verdict
+ Browser Help Object Management
+ Enterprise A/V Solutions
+ High Assurance Certificates
+ Fraud Detection
+ Authentication Schemes (verdicts as stated on the preceding slides)
  One Time Passwords: do not mitigate
  Indexed One Time Passwords: mitigate some
  Timed One Time Passwords
  Indexed Out of Band One Time Passwords: complete mitigation
  Token Based Two Factor Authentication: some mitigation
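The verdict above ranks the schemes by how a BHO-relayed "OTP is invalid, try another" prompt fares against them. As an added example that is not part of the deck, this toy Python model of a bank-side verifier reproduces that ranking for plain TANs, iTAN and mTAN; the TAN sheet, the transactions, the Bank and victim_answers helpers and the assumption that the out-of-band mTAN message carries the transaction details are all constructed here.

```python
import hmac, hashlib, secrets
SHEET = ["113355", "224466", "335577", "446688", "557799"]  # constructed TAN sheet
MULE, OWN = "500 EUR to mule account", "50 EUR to utility company"  # constructed
class Bank:
    """Toy verifier. tan: any unused sheet TAN; itan: only the TAN at the index the
    bank names; mtan: a TAN derived from the transaction and delivered out of band
    together with its details (assumption), so it is bound to that transaction."""
    def __init__(self, scheme, sheet, pick_index=secrets.randbelow):
        self.scheme, self.sheet, self.pick = scheme, list(sheet), pick_index
        self.key, self.used, self.asked, self.sent = b"constructed-key", set(), {}, {}
    def challenge(self, session, txn):
        """Issue the challenge for txn; returns the text the customer sees."""
        if self.scheme == "tan":
            return "enter any unused TAN"
        if self.scheme == "itan":
            self.asked[session] = self.pick(len(self.sheet))
            return f"enter TAN #{self.asked[session]}"
        tan = hmac.new(self.key, f"{session}|{txn}".encode(), hashlib.sha256).hexdigest()[:6]
        self.sent[session] = (txn, tan)
        return f"SMS: TAN {tan} for {txn}"  # goes to the account holder's phone
    def verify(self, session, txn, tan):
        if self.scheme == "tan":
            ok = tan in self.sheet and tan not in self.used
        elif self.scheme == "itan":
            ok = tan == self.sheet[self.asked[session]] and tan not in self.used
        else:  # production code would use hmac.compare_digest here
            ok = self.sent.get(session) == (txn, tan)
        if ok:
            self.used.add(tan)
        return ok

def victim_answers(prompt, own_txn):
    """What the customer types into the (possibly injected) prompt."""
    if prompt.startswith("SMS"):  # the phone shows what the bank really received
        return prompt.split()[2] if own_txn in prompt else None
    if prompt.startswith("enter TAN #"):
        return SHEET[int(prompt.split("#")[1])]
    return SHEET[0]

def relay_attack(scheme):
    """Deck scenario: a fake 'OTP invalid, try another' prompt relays the bank's
    challenge; the answer is spent from the attacker's own session."""
    bank = Bank(scheme, SHEET)
    tan = victim_answers(bank.challenge("attacker", MULE), OWN)
    return bank.verify("attacker", MULE, tan)

def replay_attack(scheme):
    """A TAN harvested earlier (index 0) is spent later, when the bank asks for #3."""
    bank = Bank(scheme, SHEET, pick_index=lambda n, it=iter([0, 3]): next(it))
    harvested = victim_answers(bank.challenge("victim", OWN), OWN)
    bank.challenge("attacker", MULE)
    return bank.verify("attacker", MULE, harvested)
```

Plain TANs fail both scenarios, iTAN stops the replay but not the real-time relay, and the transaction-bound mTAN stops both because the phone shows the mule transfer the bank actually received.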
Credit Card Fraud
Q and A
Ralph Thomas
VeriSign iDefense Security Intelligence Services