DOCSLIB.ORG

Exploring, Expanding and Evaluating Usable Security in Online Banking

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Exploring, Expanding and Evaluating Usable Security in Online Banking Exploring, Expanding and Evaluating Usable Security in Online Banking Sven Kiljan Copyright c 2017 Sven Kiljan ISBN: 978-94-6233-648-3 NUR: 965 Typeset using LATEX 2ε (MiKTEX) LATEX template by Pim Vullers (https://github.com/pimvullers/phd_thesis) Printed by Gildeprint (https://www.gildeprint.nl) This research is part of the Dutch Research Program on Safety and Security of Online Banking, also known by its Dutch title: Kennisprogramma Veiligheid Digitaal Betalingsverkeer (KVDB). The PhD program it hosted was coordinated by Open University of the Netherlands. The author of this thesis was employed at Open University of the Netherlands from September, 2015 to August, 2016. KVDB was funded by the Dutch banking sector (represented by the Dutch Banking Association) and the Dutch National Police (represented by the Police Academy of the Netherlands). The work on which this thesis is based was performed at NHL University of Applied Sciences and Radboud University. The author of this thesis was employed at NHL University of Applied Sciences from September, 2012 until August, 2015. This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International license. To view a copy of this license, please visit http://creativecommons.org/licenses/by-sa/4.0/. Exploring, Expanding and Evaluating Usable Security in Online Banking Proefschrift ter verkrijging van de graad van doctor aan de Open Universiteit op gezag van de rector magnificus prof. mr. A. Oskamp ten overstaan van een door het College voor promoties ingestelde commissie in het openbaar te verdedigen op vrijdag 9 juni 2017 te Heerlen om 10:30 precies door Sven Zdenjek Kiljan geboren op 2 oktober 1985 te Alkmaar Promotoren Prof. dr. M.C.J.D. (Marko) van Eekelen Open Universiteit Radboud Universiteit Prof. dr. W.Ph. (Wouter) Stol Open Universiteit Co-promotor Dr. ir. H.P.E. (Harald) Vranken Open Universiteit Radboud Universiteit Overige leden beoordelingscommissie Prof. dr. S. (Sjouke) Mauw Universiteit van Luxemburg Dr. K. (Karen) Renaud Universiteit van Glasgow, Verenigd Koninkrijk Prof. dr. G.C. (Gerrit) van der Veer Open Universiteit Vrije Universiteit Amsterdam Prof. dr. T.E.J. (Tanja) Vos Open Universiteit Deze scriptie is opgedragen aan mijn dierbare moeder. Preface vii Preface This thesis symbolizes the closure of a four year experience. All other parts of it are dedicated to the products of the research that was conducted in this period. Despite my name as the author of this book, each part has been thoroughly examined, adjusted, reviewed, and rewritten with the support of numerous people. Due to the high level of specialization, the fieldwork often feels like a lonely endeavor, but I was never alone. To explain my feelings in the purest way possible, this preface is written solely by me. Consider it a letter dedicated to everyone who contributed directly or indirectly to my work and the final result that is this thesis. First, let me thank all of you who I cannot refer to directly. Non-disclosure, limited space... Whatever the reason might be, know that I thought of you and that I appreciated the time and effort you spend to support my work. Professional support for my research came from the Dutch Research Program on Safety and Security of Online Banking (in Dutch: Kennisprogramma Veiligheid Digitaal Betalingsverkeer, KVDB). While the program financed the work, I consider my colleagues as the most valuable resource this program provided. It is rare to meet a group that is both witty and silly, knowledgeable and practical, independent and cooperative, and stubborn and supportive. For some, the day that they meet such people would be the most important day of their lives. But for me, it was Tuesday. Many Tuesdays, actually. On this day of the week, I often traveled to the NHL University of Applied Sciences where my direct colleagues within the research program conducted their work. A single trip by car took two hours, and some would consider it silly to spend so much time on the road to meet others of which their work does not fully align with their own. I can honestly say that I have never regretted any second of the journey to see my fellow researchers and close friends. Sanne Boes, Jurjen Jansen and Rutger Leukfeldt, I thank you for the many laughs and cries that we shared in our office at NHL. Mariëtte van Kuik, while the period we shared in the program was short, our time is not any less appreciated. Since I am now writing about NHL, there are those who were not part of the program but who cannot go unmentioned. Joyce, Marja, Renske, Sander, and all the others of lectoraat Cybersafety, to you I wish the best of luck with the new Cyber Science Center. Nicolien Kop, Evert Stamhuis, Wouter Stol, due to your shared efforts as initiat- ors, I was able to join a research program in which I could extend my knowledge and experience to an unimaginable degree. For this I thank you. I want to give a special mention to Marko van Eekelen. It is true that you are an initiator and supervisor of the program. It is also true that you carry the formal role of being my coordinating ix promotor. However, the most important truth is that you were the best daily super- visor a PhD could ask for. Many afternoons were spend in your office in which we talked, debated and even had heated arguments about the direction of the research, the methods to apply and the importance of the almost infinite aspects that we had to keep track of. I cannot say that we always fully agreed with each other, but do not consider that a negative point. The alternative views you gave me were a fuel source that recharged my motivation and inspiration. These are aspects which PhD candidates often struggle with over the years, but you gave me plenty whenever I was running on empty. I cannot thank you enough for this. Although formally not part of KVDB, I do consider my co-promotor Harald Vranken an essential part of the program. Where Marko guided my research from a higher level, you supplemented the lower level with indispensable in-depth tech- nical advice. Harald, do not consider your contribution and my gratitude any less compared to my other colleagues. Two other direct contributors to my work are Hugo Jonker (Open University of the Netherlands) and Rolando Trujillo Rasua (University of Luxembourg). They gave me insight in formal protocol analysis, a field that is not my own and which I touched briefly on while writing this thesis. Your willingness to examine my sugges- tions and to give good advice on how to model it in Scyther gave me a needed push in the right direction. Another contributor was Safet Acifovic, a former student of Radboud University. He assisted by formally verifying an earlier part of my work. Safet, thank you for your time spend with ProVerif to let Marko and me know what could be improved. I wish you good luck with your career. In addition, I would like to thank Sung-Shik Jongmans. Your investment in time to evaluate all those authentication methods is highly appreciated. There are also those who contributed indirectly to my work, but not any less significantly. To talk about them, I have to start from the beginning. The first day of my four year PhD course started on Monday 3 September 2012 at my daily workplace for my PhD program, which was in the Digital Security research group of Radboud University in Nijmegen. There I shared rooms and knowledge with some of the brightest minds in the area of technical and information security. Some of those worked directly for Radboud University while others were like me, guest researchers from Open University of the Netherlands. Wherever these fine folk came from, there are simply too many of them to thank by name. However, I cannot skip over a few important and honorable mentions. Let me start with Bernard van Gastel, with which I shared office rooms in different periods. The technical conversations we had will never be forgotten, and I am glad that I was able to introduce and partially convert you to Arch Linux. I hope it will serve you well. For a while I also shared rooms with some of the members of the Privacy & Identity Lab. The nature of my research never focused much on privacy, but this was very much compensated by the talks we had. Merel Koning and Michael Colesky, thank you for tolerating my presence every time I performed the role of the devil’s advocate. Time just flew by whenever we discussed something from the news or a potential new concept that popped in one of our minds, and it was time well spend. Never give up the good fight. Two of the most influential persons I met at Radboud University are Anna x Krasnova and Markus Klinik. Your characters and humor lifted up my spirit whenever I was feeling down, and this extended well beyond the work floor into my personal life. For me, our friendship is as valuable as close family bonds. It is why I invited each of you to fulfill the role of paranymph for my thesis defense, and I appreciate it deeply that we can share this day together. Whereas Anna and Markus touched my heart, someone else from Radboud Uni- versity managed to capture it. Manxia Liu, it was at the start of the third year of my research program that you changed my life, but only in good ways. You supported me throughout the second half of my PhD course as my friend and partner.
Load more

Recommended publications
  • Identifying Threats Associated with Man-In-The-Middle Attacks During Communication Between a Mobile Device and the Back End Server in Mobile Banking Applications
    IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661, p- ISSN: 2278-8727Volume 16, Issue 2, Ver. IX (Mar-Apr. 2014), PP 35-42 www.iosrjournals.org Identifying Threats Associated With Man-In-The-Middle Attacks during Communication between a Mobile Device and the Back End Server in Mobile Banking Applications Anthony Luvanda1,*Dr Stephen Kimani1 Dr Micheal Kimwele1 1. School of Computing and Information Technology, Jomo Kenyatta University of Agriculture and Technology, PO Box 62000-00200 Nairobi Kenya Abstract: Mobile banking, sometimes referred to as M-Banking, Mbanking or SMS Banking, is a term used for performing balance checks, account transactions, payments, credit applications and other banking transactions through a mobile device such as a mobile phone or Personal Digital Assistant (PDA). Mobile banking has until recently most often been performed via SMS or the Mobile Web. Apple's initial success with iPhone and the rapid growth of phones based on Google's Android (operating system) have led to increasing use of special client programs, called apps, downloaded to the mobile device hence increasing the number of banking applications that can be made available on mobile phones . This in turn has increased the popularity of mobile device use in regards to personal banking activities. Due to the characteristics of wireless medium, limited protection of the nodes, nature of connectivity and lack of centralized managing point, wireless networks tend to be highly vulnerable and more often than not they become subjects of attack. This paper proposes to identify potential threats associated with communication between a mobile device and the back end server in mobile banking applications.
    [Show full text]
  • Recent Developments in Cybersecurity Melanie J
    American University Business Law Review Volume 2 | Issue 2 Article 1 2013 Fiddling on the Roof: Recent Developments in Cybersecurity Melanie J. Teplinsky Follow this and additional works at: http://digitalcommons.wcl.american.edu/aublr Part of the Law Commons Recommended Citation Teplinsky, Melanie J. "Fiddling on the Roof: Recent Developments in Cybersecurity." American University Business Law Review 2, no. 2 (2013): 225-322. This Article is brought to you for free and open access by the Washington College of Law Journals & Law Reviews at Digital Commons @ American University Washington College of Law. It has been accepted for inclusion in American University Business Law Review by an authorized administrator of Digital Commons @ American University Washington College of Law. For more information, please contact [email protected]. ARTICLES FIDDLING ON THE ROOF: RECENT DEVELOPMENTS IN CYBERSECURITY MELANIE J. TEPLINSKY* TABLE OF CONTENTS Introduction .......................................... ..... 227 I. The Promise and Peril of Cyberspace .............. ........ 227 II. Self-Regulation and the Challenge of Critical Infrastructure ......... 232 III. The Changing Face of Cybersecurity: Technology Trends ............ 233 A. Mobile Technology ......................... 233 B. Cloud Computing ........................... ...... 237 C. Social Networking ................................. 241 IV. The Changing Face of Cybersecurity: Cyberthreat Trends ............ 244 A. Cybercrime ................................. ..... 249 1. Costs of Cybercrime
    [Show full text]
  • Alcatel-Lucent Security Advisory Sa0xx
    Alcatel-Lucent Security Advisory No. SA0053 Ed. 04 Information about Poodle vulnerability Summary POODLE stands for Padding Oracle On Downgraded Legacy Encryption. The POODLE has been reported in October 14th 2014 allowing a man-in-the-middle attacker to decrypt ciphertext via a padding oracle side-channel attack. The severity is not considered as the same for Heartbleed and/or bash shellshock vulnerabilities. The official risk is currently rated Medium. The classification levels are: Very High, High, Medium, and Low. The SSLv3 protocol is only impacted while TLSv1.0 and TLSv1.2 are not. This vulnerability is identified CVE- 2014-3566. Alcatel-Lucent Enterprise voice products using protocol SSLv3 are concerned by this security alert. Openssl versions concerned by the vulnerability: OpenSSL 1.0.1 through 1.0.1i (inclusive) OpenSSL 1.0.0 through 1.0.0n (inclusive) OpenSSL 0.9.8 through 0.9.8zb (inclusive) The Alcatel-Lucent Enterprise Security Team is currently investigating implications of this security flaw and working on a corrective measure, for OpenTouch 2.1.1 planned in Q4 2015, to prevent using SSLv3 that must be considered as vulnerable. This note is for informational purpose about the padding-oracle attack identified as “POODLE”. References CVE-2014-3566 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 Advisory severity CVSS Base score : 4.3 (MEDIUM) - AV:N/AC:M/Au:N/C:P/I:N/A:N https://www.openssl.org/news/secadv_20141015.txt https://www.openssl.org/~bodo/ssl-poodle.pdf Description of the vulnerabilities Information about Poodle vulnerability (CVE-2014-3566).
    [Show full text]
  • Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE of CONTENTS 2016 Internet Security Threat Report 2
    Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE OF CONTENTS 2016 Internet Security Threat Report 2 CONTENTS 4 Introduction 21 Tech Support Scams Go Nuclear, 39 Infographic: A New Zero-Day Vulnerability Spreading Ransomware Discovered Every Week in 2015 5 Executive Summary 22 Malvertising 39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015 8 BIG NUMBERS 23 Cybersecurity Challenges For Website Owners 40 Spear Phishing 10 MOBILE DEVICES & THE 23 Put Your Money Where Your Mouse Is 43 Active Attack Groups in 2015 INTERNET OF THINGS 23 Websites Are Still Vulnerable to Attacks 44 Infographic: Attackers Target Both Large and Small Businesses 10 Smartphones Leading to Malware and Data Breaches and Mobile Devices 23 Moving to Stronger Authentication 45 Profiting from High-Level Corporate Attacks and the Butterfly Effect 10 One Phone Per Person 24 Accelerating to Always-On Encryption 45 Cybersecurity, Cybersabotage, and Coping 11 Cross-Over Threats 24 Reinforced Reassurance with Black Swan Events 11 Android Attacks Become More Stealthy 25 Websites Need to Become Harder to 46 Cybersabotage and 12 How Malicious Video Messages Could Attack the Threat of “Hybrid Warfare” Lead to Stagefright and Stagefright 2.0 25 SSL/TLS and The 46 Small Business and the Dirty Linen Attack Industry’s Response 13 Android Users under Fire with Phishing 47 Industrial Control Systems and Ransomware 25 The Evolution of Encryption Vulnerable to Attacks 13 Apple iOS Users Now More at Risk than 25 Strength in Numbers 47 Obscurity is No Defense
    [Show full text]
  • Mobile Financial Fraud April 2013
    White Paper: Mobile Financial Fraud April 2013 Mobile Threats and the Underground Marketplace Principal Investigator and Corresponding Author Jart Armin Contributing Researchers Andrey Komarov, Mila Parkour, Raoul Chiesa, Bryn Thompson, Will Rogofsky Panel & Review Dr. Ray Genoe (UCD), Robert McArdle (Trend Micro), Dave Piscitello (ICANN), Foy Shiver (APWG), Edgardo Montes de Oca (Montimage), Peter Cassidy (APWG) APWG Mobile Fraud web site http://ecrimeresearch.org/wirelessdevice/Fraud/ Table of Contents Abstract ..................................................................................................................................... 2 Introduction and Starting Position ........................................................................................ 2 A Global Overview .................................................................................................................. 3 Vulnerabilities Overview ....................................................................................................... 3 The Underground Mobile Market ....................................................................................... 13 Mobile DNS & Traffic ........................................................................................................... 15 iBots & the Pocket Botnet ..................................................................................................... 18 Mobile Intrusion ...................................................................................................................
    [Show full text]
  • Combat Top Security Vulnerabilities: HPE Tippingpoint Intrusion
    Business white paper Combat top security vulnerabilities HPE TippingPoint intrusion prevention system Business white paper Page 2 The year 2014 marked a new pinnacle for hackers. Vulnerabilities were uncovered in some of the most widely deployed software in the world—some of it in systems actually intended to make you more secure. HPE TippingPoint next-generation intrusion prevention system (IPS) and next-generation firewall (NGFW) customers rely on us to keep their networks safe. And when it comes to cyber threats, every second matters. So how did HPE TippingPoint do? This brief highlights the top security vulnerabilities of 2014—the ones that sent corporate security executives scrambling to protect their businesses. And it describes how HPE TippingPoint responded to keep our customers safe. Heartbleed—HPE TippingPoint intrusion prevention system stops blood flow early Any vulnerability is concerning, but when a vulnerability is discovered in software designed to assure security, it leaves businesses exposed and vulnerable. That was the case with the Heartbleed vulnerability disclosed by the OpenSSL project on April 7, 2014. They found the vulnerability in versions of OpenSSL—the open-source cryptographic library widely used to encrypt Internet traffic. Heartbleed grew from a coding error that allowed remote attackers to read information from process memory by sending heartbeat packets that trigger a buffer over-read. As a demonstration of the vulnerability, the OpenSSL Project created a sample exploit that successfully stole private cryptography keys, user names and passwords, instant messages, emails, and business-critical documents and communications. We responded within hours to protect TippingPoint customers. On April 8, we released a custom filter package to defend against the vulnerability.
    [Show full text]
  • IBM X-Force Threat Intelligence Quarterly, 1Q 2015
    IBM Security Systems March 2015 IBM X-Force Threat Intelligence Quarterly, 1Q 2015 Explore the latest security trends—from “designer vulns” to mutations in malware— based on 2014 year-end data and ongoing research 2 IBM X-Force Threat Intelligence Quarterly 1Q 2015 Contents Executive overview 2 Executive overview When we look back in history to review and understand the past year, you can be assured it will be remembered as a year of 4 Roundup of security incidents in 2014 significant change. 11 Citadel, the financial malware that continues to adapt In early January 2014, companies large and small scrambled to Are mobile application developers for Android putting their 14 better understand and analyze a major retail breach that left users at risk? them asking whether or not their own security measures would 17 Shaking the foundation: Vulnerability disclosures in 2014 survive the next storm. Before spring was barely in motion, we had our first taste of the “designer vuln”—a critical 21 About X-Force vulnerability that not only proved lethal for targeted attacks, 22 Contributors but also had a cleverly branded logo, website and call-name (or handle) that would forever identify the disclosure. 22 For more information 23 Footnotes These designer vulns appeared within long-held foundational frameworks used by the majority of websites, and they continued throughout 2014, garnering catchy name after catchy name—Heartbleed, Shellshock, POODLE, and into 2015, Ghost and FREAK. This in and of itself raises the question of what it takes for a vulnerability to merit a marketing push, PR and logo design, while the other thousands discovered throughout the year do not.
    [Show full text]
  • Kaspersky Security Bulletin 2020. Statistics Kaspersky Security Bulletin 2020
    Kaspersky Security Bulletin 2020. Statistics Kaspersky Security Bulletin 2020. Statistics Contents Figures of the year 3 Financial threats 4 Number of users attacked by banking malware 4 Attack geography 5 Top 10 financial malware families 6 Ransomware programs 7 Number of users attacked by ransomware Trojans 7 Attack geography 8 Miners 10 Number of users attacked by miners 10 Attack geography 11 Vulnerable applications used by cybercriminals during cyber attacks 12 Attacks on macOS 14 Threat geography 15 IoT attacks 17 IoT threat statistics 17 Threats loaded into traps 19 Attacks via web resources 20 Countries that are sources of web-based attacks: 20 Countries where users faced the greatest risk of online infection 21 Top 20 malicious programs most actively used in online attacks 22 Local threats 24 Top 20 malicious objects detected on user computers 24 Countries where users faced the highest risk of local infection 25 2 Kaspersky Security Bulletin 2020. Statistics Figures of the year • During the year, 10.18% of Internet user computers worldwide experienced at least one Malware-class attack. • Kaspersky solutions blocked 666,809,967 attacks launched from online resources in various countries across the world. • 173,335,902 unique URLs were recognized as malicious by Web Anti-Virus. • Our Web Anti-Virus blocked 33,412,568 unique malicious objects. • Ransomware attacks were defeated on the computers of 549,301 unique users. • During the reporting period, miners attacked 1,523,148 unique users. • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of 668,619 users.
    [Show full text]
  • TLS Attacks & DNS Security
    IAIK TLS Attacks & DNS Security Information Security 2019 Johannes Feichtner [email protected] IAIK Outline TCP / IP Model ● Browser Issues Application SSLStrip Transport MITM Attack revisited Network Link layer ● PKI Attacks (Ethernet, WLAN, LTE…) Weaknesses HTTP TLS / SSL FLAME FTP DNS Telnet SSH ● Implementation Attacks ... ● Protocol Attacks ● DNS Security IAIK Review: TLS Services All applications running TLS are provided with three essential services Authentication HTTPS FTPS Verify identity of client and server SMTPS ... Data Integrity Detect message tampering and forgery, TLS e.g. malicious Man-in-the-middle TCP IP Encryption Ensure privacy of exchanged communication Note: Technically, not all services are required to be used Can raise risk for security issues! IAIK Review: TLS Handshake RFC 5246 = Establish parameters for cryptographically secure data channel Full handshake Client Server scenario! Optional: ClientHello 1 Only with ServerHello Client TLS! Certificate 2 ServerKeyExchange Certificate CertificateRequest ClientKeyExchange ServerHelloDone CertificateVerify 3 ChangeCipherSpec Finished ChangeCipherSpec 4 Finished Application Data Application Data IAIK Review: Certificates Source: http://goo.gl/4qYsPz ● Certificate Authority (CA) = Third party, trusted by both the subject (owner) of the certificate and the party (site) relying upon the certificate ● Browsers ship with set of > 130 trust stores (root CAs) IAIK Browser Issues Overview Focus: Relationship between TLS and HTTP Problem? ● Attacker wants to access encrypted data ● Browsers also have to deal with legacy websites Enforcing max. security level would „break“ connectivity to many sites Attack Vectors ● SSLStrip ● MITM Attack …and somehow related: Cookie Stealing due to absent „Secure“ flag… IAIK Review: ARP Poisoning How? Attacker a) Join WLAN, ● Sniff data start ARP Poisoning ● Manipulate data b) Create own AP ● Attack HTTPS connections E.g.
    [Show full text]
  • Detecting Botnets Using File System Indicators
    Detecting botnets using file system indicators Master's thesis University of Twente Author: Committee members: Peter Wagenaar Prof. Dr. Pieter H. Hartel Dr. Damiano Bolzoni Frank Bernaards LLM (NHTCU) December 12, 2012 Abstract Botnets, large groups of networked zombie computers under centralised control, are recognised as one of the major threats on the internet. There is a lot of research towards ways of detecting botnets, in particular towards detecting Command and Control servers. Most of the research is focused on trying to detect the commands that these servers send to the bots over the network. For this research, we have looked at botnets from a botmaster's perspective. First, we characterise several botnet enhancing techniques using three aspects: resilience, stealth and churn. We see that these enhancements are usually employed in the network communications between the C&C and the bots. This leads us to our second contribution: we propose a new botnet detection method based on the way C&C's are present on the file system. We define a set of file system based indicators and use them to search for C&C's in images of hard disks. We investigate how the aspects resilience, stealth and churn apply to each of the indicators and discuss countermeasures botmasters could take to evade detection. We validate our method by applying it to a test dataset of 94 disk images, 16 of which contain C&C installations, and show that low false positive and false negative ratio's can be achieved. Approaching the botnet detection problem from this angle is novel, which provides a basis for further research.
    [Show full text]
  • European Cyber Security Perspectives 2015 | 3 Preface
    European Cyber Security Perspectives 2015 | 3 Preface Dear reader, Following the success of last year’s publication, we are proud to present the second edition of our European Cyber Security Perspectives report. Through this collection of articles, we aim to share our different perspectives and insights, the latest developments and achievements in the field of cyber security, cybercrime investigations and cyber resilience. By uniting the expertise of four parties with diverse roles in the cyber security domain, we hope to offer some fresh perspectives on issues and developments that we believe to be relevant for society. Rather than presenting you with bare facts and figures, we describe real-life cases and experiences from our professional practice. Topics include the trends to watch in 2015, responses to high-profile vulnerabilities and advances in the detection and investigation of targeted cyber attacks. Each article in the report can be read independently, allowing you to focus on the topics that interest you most. A central theme in this year’s report is cooperation in cyber security. We strongly believe in the value of uniting cyber security capabilities across public and private organisations and even national borders. In fact, you will see that many of the articles in this publication have been co-authored by specialists from different parties. This reflects the growth in our collaborative projects when addressing the latest cyber security challenges. We aim to foster more of those partnerships in the coming year. We encourage you to build on our work and experiences and hope that this report will inspire further enhancements in cyber security, cybercrime investigations and cyber resilience, both in the Netherlands and abroad.
    [Show full text]
  • The Dridex Swiss Army Knife: Big Data Dissolves the APT & Crime Grey Area
    #RSAC SESSION ID: HT-W10 The Dridex Swiss Army knife: big data dissolves the APT & crime grey area Eward Driehuis Director of product Fox-IT @brakendelama #RSAC Understanding criminal evolution Global visibility Collaboration Investigations Feeds #RSAC May 2014 #RSAC Rewind 9 years… 2006 Slavik launches ZeuS 2009 SpyEye & Carberp compete for market share 2010 Slavik creates ZeuS2 Hands over ZeuS support to the SpyEye guy 2011 ZeuS2 code leaks 2012 Gribodemon & Carberp members arrested In 2009 Slavik had joined JabberZeuS And Evolved to GameOver / P2PZeuS #RSAC The Businessclub Legacy Businesslike Financial guy perfected money laundry Targeted commercial banking Perfected the Hybrid attack / Tokengrabber Perfected ransomware / Cryptolocker Did some “light espionage” #RSAC Business club after Slavik Dyre Businessclub (GameOver ZeuS gang until May 2014) EvilCorp (Dridex crew) #RSAC Dridex: EvilCorp’s Swiss Army knife #RSAC EvilCorp network expands Core businessclub members in EvilCorp & Dridex operators Leveraging existing money laundry networks Branching out: Dridex operators do ransomware, RATs, Credit Cards, high value targets Ties with Anunak / Carbanak #RSAC Dridex Malware Based on Bugat/Cridex/Feodo, since 2014 Speading: scattergun (spam / attachments) Modular architecture P2P, with 3 operating modes: Token Grabber, data mining, inter node comm Using businessclub technology Loader dropping many different malwares #RSAC #RSAC EvilCorp: Dridex Targets 2015 -2017 #RSAC EvilCorp: ”Gucci” accounts Harvesting data from victims Big data techniques
    [Show full text]