
The Customer as a Target: Risks of Phishing and Trojans

Gijs Hollestelle | Deloitte Netherlands

January 31, 2012

© 2012 Deloitte Touche Tohmatsu

History of Computer Crime (1/2)

• 1980s
  • First worm: Morris Worm
  • Phone phreaking
  • BBS hacking boards
  • Movie: WarGames
  • Computer hacking was primarily done by people in universities to find out how things worked

• 1990s
  • Real start of computer crime, targeting financial institutions
  • Successful hacks of various banks, phone companies, etc.
  • Kevin Mitnick convicted

• 2000s / today
  • Early 2000s: examples of 'hobby' projects, everyone can be a hacker (I Love You / Kournikova virus)
  • Late 2000s: professionalization of computer crime
  • Internet banking and online shopping become popular, leading to an increased incentive to use computer crime for financial gain
  • Advanced trojans
  • Shift from hacking companies to hacking consumers
  • Sophisticated trojans/viruses such as Zeus and Stuxnet

History of Computer Crime (2/2)

The Underground Economy (1/2)

Some recent figures
• The Dutch Association of Banks (NVB) released information that in 2012 Internet banking fraud was 9.8 mln euro.
• In the first half of 2011 alone, this has increased to 11.2 mln euro.
• In Germany, Internet banking fraud is estimated at 17 mln euro in 2012.
• In the UK, 60 mln pounds in Internet crime in 2009.

The Underground Economy (2/2)

Where are these identities sold?

Source: krebsonsecurity.com

The Logic of the Cyber Criminal

• Stricter regulations such as PCI have forced companies to further increase their security measures.
• Companies have spent a lot of resources increasing their security over the past years.

So if you are an attacker where do you attack?

Advantages for attacking the company:
• Very large amount of specific information, such as credit card numbers.

Advantages for attacking the customer:
• Less security, so easier to attack successfully
• Large variety of information (banking passwords, eBay passwords, credit card numbers, etc.)
• Less risk of prosecution

Attacking the Customer – Simple Phishing

• Create an E-mail that looks plausible and send it to a large number of customers…

Quote, Ross Anderson: "The first thing we did wrong when designing ATM security systems in the early to mid 1980s was to worry about criminals being clever, when we should have worried about our customers being stupid."

Let's do a quick quiz.

Phishing Quiz (1/3)

Phishing Quiz (2/3)

Phishing Quiz (3/3)

One Step Beyond Simple Phishing

• Certain websites (for example banking) are using strong authentication mechanisms (one-time password generators).
• These can also be easily bypassed using 'low-tech' methods.

The Attack – Step 1

Attacker sends an e-mail to a customer, luring them to a fake website that looks like the bank's website.

The Attack – Step 2

Customer enters their login data into the genuine-looking site.

The Attack – Step 3

Fake site sends the data entered to the attacker.

Attacker enters the data into the real site.

More Sophisticated Attacks

• Remember the phishing mail with the E-Ticket attachment?
• What was that attachment?

• Zbot / Zeus

Advanced Trojans

Today's trojans are very sophisticated:
• Employ techniques to avoid detection by virus scanners
• Can download custom configuration files to attack specific sites, and have automatic update facilities
• Use infected computers to infect other computers, and can infect corporate environments by first attacking an employee laptop at home and then spreading to other systems inside the company
• Make the computer part of a 'botnet', which allows the attacker to control the system remotely from a C&C server
• Can perform so-called man-in-the-browser attacks to bypass SSL / HTTPS

Examples: Zeus/Zbot, Bugat,

So we do have to start worrying about the criminals being clever…

Man in the Browser (1/2)

• The man-in-the-browser attack works by the Trojan embedding itself into the web browser (as an evil 'plugin').
• It detects that certain 'interesting' sites are visited and modifies the HTML content.
• It steals login accounts and passwords even from SSL-encrypted sites (simple trojans could also do this based on keyboard logging).
• It manipulates information on sensitive sites such as banking sites. For example: when the user does Internet banking, it changes the account number when the user enters the transaction.

Man in the Browser (2/2)

The user submits a transaction:

    POST /transaction.aspx
    Target=123456789 Amount=500

The Trojan modifies the account number in the HTTP request.

On the confirmation page, the Trojan changes the information back to the original value, so the user sees the account number they entered.
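One countermeasure for the request tampering shown above is to bind the user's confirmation code to the transaction details themselves ("what you see is what you sign"): the user's token computes a short code over the account number and amount, and the server recomputes it over the values that actually arrived in the POST. The following is an added example, not code from the slides or from any bank; the HMAC construction, key, form-encoded body and account numbers are constructed for illustration.

```python
# Added example: a transaction confirmation code bound to (Target, Amount).
# If a man-in-the-browser Trojan rewrites Target in transit, the server's
# recomputed code no longer matches the code the user's token displayed.
# Key, account numbers and amounts are constructed sample values.
import hmac
import hashlib

# Constructed: a per-customer secret provisioned into the customer's token.
TOKEN_KEY = b"per-customer-secret-provisioned-into-the-token"


def confirmation_code(key: bytes, target: str, amount: str) -> str:
    """Code the user's token would display for exactly this target and amount."""
    msg = f"{target}|{amount}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Truncate to 8 decimal digits, like an OTP display.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def parse_form_body(body: str) -> dict:
    """Parse a form-encoded body such as 'Target=123456789&Amount=500'."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def server_accepts(key: bytes, body: str, user_code: str) -> bool:
    """Server side: recompute the code over the received fields and compare."""
    fields = parse_form_body(body)
    expected = confirmation_code(key, fields["Target"], fields["Amount"])
    # Constant-time comparison, as for any authenticator check.
    return hmac.compare_digest(expected, user_code)


# The customer enters Target=123456789 Amount=500; the token computes its
# code over those values, independent of what the browser later sends.
USER_CODE = confirmation_code(TOKEN_KEY, "123456789", "500")

if __name__ == "__main__":
    honest = "Target=123456789&Amount=500"
    tampered = "Target=987654321&Amount=500"   # Trojan rewrote Target
    print("honest request accepted:", server_accepts(TOKEN_KEY, honest, USER_CODE))
    print("tampered request accepted:", server_accepts(TOKEN_KEY, tampered, USER_CODE))
```

This only helps when the token itself shows the account number and amount it signed, so the user verifies those on the token rather than trusting the browser's confirmation page.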

Solutions

Knowing the attack methods, what can be done to protect against them?

Preventive
1. Awareness – users need to be aware to patch their systems, use firewalls and up-to-date virus scanners, not open attachments from unknown sources, etc. Companies should educate their customers.
2. Technology advances in operating systems and browsers to make them more secure (sandboxing, etc.).
3. Improved authentication mechanisms.

Not all attacks can be prevented.

Detective
1. Companies should monitor for suspicious transactions: changes in user behavior, large transactions.
2. Monitoring by (for example) ISPs to see if customers have been infected by trojans (by observing traffic to known C&C servers).

Corrective
1. Improve response capabilities.
2. Block suspicious transactions before they are completed.
3. Improve laws for customer protection.
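A minimal version of the detective and corrective controls above, scoring each new transaction against the customer's own history and holding it for review when it goes to an unseen payee and/or is far larger than the customer's usual amounts. This is an added example, not code from the slides; the customer id, account numbers, amounts and the thresholds are constructed for illustration.

```python
# Added example: per-customer baseline check for suspicious transactions.
# A transaction is scored on two of the signals named in the slides:
# a change in behaviour (payee never used before) and a large amount
# (relative to the customer's own median). Score >= threshold => hold it
# for review before it completes. All data below is constructed.
from statistics import median

# Constructed history per customer: list of (payee account, amount in euro).
HISTORY = {
    "cust-1": [
        ("NL11BANK0001", 45.0),
        ("NL11BANK0001", 60.0),
        ("NL22BANK0002", 120.0),
        ("NL11BANK0001", 55.0),
    ],
}


def risk_score(history, payee, amount, large_factor=5.0):
    """Return (score, reasons). Score 0 means nothing unusual was seen."""
    reasons = []
    score = 0
    known_payees = {p for p, _ in history}
    if payee not in known_payees:
        reasons.append("new payee")
        score += 1
    if history:
        typical = median([a for _, a in history])
        if amount > large_factor * typical:
            reasons.append(f"amount {amount:.2f} exceeds {large_factor:g}x median {typical:.2f}")
            score += 2
    return score, reasons


def should_hold(customer, payee, amount, threshold=2):
    """Decide whether to hold the transaction for review; also return why."""
    score, reasons = risk_score(HISTORY.get(customer, []), payee, amount)
    return score >= threshold, reasons


if __name__ == "__main__":
    # Unknown payee and ten times the usual amount: held.
    print(should_hold("cust-1", "NL99BANK0099", 500.0))
    # Usual payee, usual amount: passes.
    print(should_hold("cust-1", "NL11BANK0001", 50.0))
```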

Thank you for your attention – Any Questions?

Contact

Gijs Hollestelle
Manager Security & Privacy, Risk Services
Laan van Kronenburg 2, 1183 AS Amstelveen, The Netherlands
Mobile: +31 62 078 9860
[email protected]

Marko van Zwam
Partner Security & Privacy, Risk Services
Laan van Kronenburg 2, 1183 AS Amstelveen, The Netherlands
Mobile: +31 62 127 2904
[email protected]

Disclaimer: Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.
