The Customer As a Target Risks of Phishing and Trojans
Total Page:16
File Type:pdf, Size:1020Kb
The Customer as a Target Risks of Phishing and Trojans Gijs Hollestelle | Deloitte Netherlands January 31, 2012 © 2012 Deloitte Touche Tohmatsu History of Computer Crime (1/2) •1980‟s • First worm: Morris Worm • Phone Phreaking • BBS Hacking boards • Movie: Wargames • Computer hacking was primarily done by people in universities to find out how things worked •1990‟s: • Real start of computer crime, targeting financial institutions • Succesful hacks of various banks, phone companies, etc • Kevin Mitnick convicted • 2000‟s / Today • Early 2000‟s examples of „Hobby‟ projects, everyone can be a hacker. I love You/Kournikova Virus • Late 2000‟s Professionalization of computer crime • Internet banking and online shopping become popular, leading to increased incentive to use computer crime for financial gain • Avanced trojans • Shift of hacking companies to hacking consumers • Sophisticated trojans/virusses such as Zeus and Stuxnet 2 © 2012 Deloitte Touche Tohmatsu History of Computer Crime (2/2) 3 © 2012 Deloitte Touche Tohmatsu The Underground Economy (1/2) Some recent figures • Dutch Association of Banks (NVB) released information that in 2012 Internet banking fraud was 9.8 mln euro. • In first half of 2011 alone, this has increased to 11.2 mln euro. • In Germany Internet banking fraud is estimated at 17mln euro in 2012 • In the UK 60mln pounds in Internet Crime in 2009 4 © 2012 Deloitte Touche Tohmatsu The Underground Economy (2/2) Where are these identities sold? Source: krebsonsecurity.com 5 © 2012 Deloitte Touche Tohmatsu The Logic of the Cyber Criminal • Stricter regulations such as PCI have forced companies have forced companies to further increase their security measures. • Companies spent a lot of resources increasing their security over the past years. So if you are an attacker where do you attack? Advantages for attacking the company: • Very large amount of specific information such as credit card numbers. Advantages for attacking the customer: • Less security, so easier to attack successfully • Large variety of information (banking passwords, e-bay passwords, credit card numbers, etc). • Less risk of prosecution 6 © 2012 Deloitte Touche Tohmatsu Attacking the Customer – Simple Phishing • Create an E-mail that looks plausible and send it to a large number of customers… Quote: Ross Anderson: “ The first thing we did wrong when designing ATM security systems in the early to mid 1980s was to worry about criminals being clever, when we should have worried about our customers being stupid.” Lets do a quick quiz 7 © 2012 Deloitte Touche Tohmatsu Phishing Quiz (1/3) 8 © 2012 Deloitte Touche Tohmatsu Phishing Quiz (2/3) 9 © 2012 Deloitte Touche Tohmatsu Phishing Quiz (3/3) 10 © 2012 Deloitte Touche Tohmatsu One Step Beyond Simple Phishing • Certain websites (for example banking) are using strong authentication mechanisms (one time password generators). • These can also be easily bypassed using „low-tech‟ methods 11 © 2012 Deloitte Touche Tohmatsu The Attack – Step 1 Attacker sends an E-mail to a customer Luring them to a fake website that looks like the Bank‟s website 12 © 2012 Deloitte Touche Tohmatsu The Attack – Step 2 Customer enters their login data into the genuine looking site 13 © 2012 Deloitte Touche Tohmatsu The Attack – Step 3 Fake Site sends the data Attacker enters the data entered to the attacker Into The real site 14 © 2012 Deloitte Touche Tohmatsu More Sophisticated Attacks • Remember the phishing mail with the E-Ticket attachment? • What was that attachment? • Zbot / Zeus 15 © 2012 Deloitte Touche Tohmatsu Advanced Trojans Todays trojans are very sophisticated • Employ techniques to avoid detection by virus scanners • Can download custom configuration files to attack specific sites and have automatic update facilities • Use infected computers to infect other computers and can infect corporate environments behind a firewall by first attacking an employee laptop when at home and then spreading to other systems inside the company. • Make computer part of a „bot net‟ and allows the attacker to control the system remotely from a C&C server. • Can perform so called man-in-the-browser attacks to bypass SSL / HTTPS Examples: Zeus/Zbot, Bugat, Clampi So we do have to start worrying about the criminals being clever… 16 © 2012 Deloitte Touche Tohmatsu Man in The Browser (1/2) • The man-in-the-browser attack works by the Trojan embedding itself into the web-browser (as an evil „plugin‟) • Detects that certain „interesting‟ sites are visited and modifies the HTML content. • Steal login accounts and passwords even from SSL encrypted sites (simple trojans could also do this based on keyboard logging) • Manipulate information on sensitive sites such as banking sites. For example: when the user does internet banking change the account number when the user enters the transaction. 17 © 2012 Deloitte Touche Tohmatsu Man in The Browser (2/2) On the confirmation page. The Trojan changes the information back to the original value POST /transaction.aspx Target=123456789 Amount=500 Trojan modifies the account number in the HTTP request 18 © 2012 Deloitte Touche Tohmatsu Solutions Knowing the attack methods what can be done to protect? Preventive 1. Awareness – Users need to be aware to patch their systems, use firewalls, up to date virus-scanners, not to open attachments from unknown sources, etc. Companies should educate their customers. 2. Technology advances in Operating Systems and browsers to make them more secure. Sandboxing, etc. 3. Improved authentication mechanisms. Not all attacks can be prevented Detective 1. Companies should monitor for suspicious transactions. Change in user behavior, large transactions. 2. Monitoring by (for example) ISPs to see if customers have been infected by trojans (by observing traffic to known C&C servers). Corrective 1. Improve response capabilities. 2. Block suspicious transactions before they are completed. 3. Improve laws for customer protection 19 © 2012 Deloitte Touche Tohmatsu Thank you for your attention – Any Questions? 20 © 2012 Deloitte Touche Tohmatsu Contact Risk Services Laan van Kronenburg 2 1183 AS Amstelveen Gijs Hollestelle The Netherlands Manager Security & Privacy Mobile: +31 62 078 9860 [email protected] Risk Services Laan van Kronenburg 2 1183 AS Amstelveen Marko van Zwam The Netherlands Partner Security & Privacy Mobile: +31 62 127 2904 [email protected] 21 © 2012 Deloitte Touche Tohmatsu Disclaimer: Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. © 2012 Deloitte Touche Tohmatsu .