Botnet As Platform to Deliver Attacks
Cyber Threats to e-Commerce
S.C. Leung, CISSP CISA CBCP

Who are we?
. HKCERT
  – Established in 2001. Operated by HK Productivity Council
  – Provides Internet users and SMEs with services (free of charge)
  – Scope of services
    • Security Monitor and Early Warning
    • Incident Report Handling
    • Publication of guidelines
    • Public Awareness
  – www.hkcert.org
  – Free subscription to alert information via email and mobile (we pay for the SMS charges)

HKCERT
[Diagram: HKCERT at the centre, linked to CERT teams in Asia Pacific (APCERT), CERT teams around the world (FIRST), law enforcement agencies, security research centres, local enterprises and Internet users, Internet infrastructure organisations, software vendors and universities]

Agenda
. Cyber Threats to e-Commerce
. Attackers and the Motives of Attacks
. Attack Trends Highlight
. Relevance to e-Commerce
. Attacks and Counter-attack Strategies

Attackers and Motives
. Kiddies and Early Hackers: Fame
. Activists: Hacktivism
  – Anonymous, Lulzsec groups
. Cybercriminals: Money
  – Theft of information
  – Extortion
  – Control machines for other purposes
. State sponsored
  – Civilian monitoring
    • Doubts on R2D2 Trojan in Germany
  – Attacks on state critical infrastructure or military
    • Stuxnet - 2010
    • USA drone malware - 2011
E-Commerce Relevant
. Unfriendly parties
  – Disgruntled employees
    • Loss of reputation via data leakage or scandals
  – Business competitors
    • DoS
    • Theft of business sensitive information, patents, formulas

Cybercrime as a Service
Products
. Piracy: theft of CD Keys
. Theft of Personal Information and Identification (SSN, id, password, credit card number)
Services
. Hosting: Spam relays, phishing web hosting
. Phishing attacks: paid web hosting
. Proxy network (so beware of unsolicited open proxies!)
. Spyware/adware installation: pay per installation
. Click fraud: pay per click
. DDoS: extortion or attack on a competitor's service site
. Blackmail / Ransomware: encrypts hard drive data and demands a ransom

Attack Trend Highlights
. Attacks become less visible - uninformed victims
. Botnet as platform to deliver attacks
. Cybercrime as a Service
. Moving up from network attack
  – to web application attack
  – to business logic abuse
. Exploit points of weak defense
. Going Mobile, Going Social, Going Cloud

Attacks Become Less Visible
[Chart: HKCERT incident report statistics, 2001-2002 to 2010-2011, two series: virus attack reports and security attack reports]
– Visible mass-spreading worms (Blaster, Sasser, Netsky) peaked 2003-2005.
– Reports on malware attacks dropped significantly.
– Security incident reports (hacking, phishing, defacement, botnet and others) increased four-fold.

How Less Visible Attacks Surface
. Victim report figure is low.
. Compromise becomes visible when the victim machine is being used to participate in phishing, malware hosting or other attacks.
  1. Overseas parties reported incidents to HKCERT
  2. HKCERT uses proactive discovery methodologies to find hacked machines in Hong Kong
[Chart: Reporting Party (2010/11), shares for local, overseas and proactive discovery; values shown: 27.84%, 27.92% and 44.25%]

Botnet (roBot Network) - infrastructure for cybercrime
[Diagram: Bot Herder controls several C&C servers; C&C servers control the bots. Downstream: commands and updates; upstream: stolen data. Bots are used for spam and DDoS attacks against victims]
Wikipedia is not totally correct on "botnet": a botnet is much more than a DDoS platform.

Relevance to e-Commerce
. Websites
  – Exploit server to provide launchpad for attacks
  – For data on server
  – For money in extortion
. Web Users
  – Targeted for credentials, data breach, fraudulent transactions
  – Man-in-the-Middle (MitM), Man-in-the-Browser (MitB), Man-in-the-Mobile (MitMo) attacks

Attacks to Websites
Mass injection of osCommerce websites (Jul 2011)
. osCommerce is an open source shopping cart using web 2.0 technology
. Large scale injection attack since July. Over 2.7M web pages infected globally. Over 45,000 pages in Hong Kong
. Inject "<iframe>" and "<script>" pointing to malicious links such as "willysy.com" and "exero.eu"

Multi-stage infection (drive-by download)
[Diagram: the browser sends a web request to the injected web server; it is redirected to the exploit server, which serves the exploit page; it is then redirected to the malware hosting server, from which the malware is downloaded]
. Exploits imported from other servers via iframes and redirects
. When compromised, a dropper downloads and installs the actual bot malware

Website Protection Strategies
. Plugging security holes
  – Get security vulnerability warnings (available at http://www.hkcert.org)
  – Regular and timely patching
. Application Firewall
  – Block web application attacks
. Writing secure web applications is the root
  – Good coding practice; minimum privilege for the database user account
  – Code scanning, vulnerability scanning
  – HKCERT SQL injection defense guideline
    • http://www.hkcert.org/english/sguide_faq/sguide/sql_injection_en.pdf
  – OWASP (Open Web Application Security Project) Top Ten Project
    • SQL injection, Cross-site scripting, Broken authentication and session management, misconfiguration …
    • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Website Protection Strategies
. Defense in depth
  – Separate web server and database server
. Encryption
  – Encrypt web communication
  – Encrypt sensitive data on server
. Plan for contingency
  – What if the website is not available? Alternate website? Manual procedure?
  – Backup and Recovery

Attacks to Web Users
Attacks targeting web users
. Attacks more sophisticated, targeting two-factor authentication, using Man-in-the-Middle attacks
. From getting credentials to transferring money on the spot, because the piggybacking window is temporary
. From phishing (fake site) to fraud on the real online site
. Targeted, because each online e-commerce site is different
. The e-Commerce site does not see the hacker in its access log. They are in the browser, carrying the cyber identity of the customer

What is a Man-in-the-Middle attack?
. Hacker sits in the middle of messages sent between the parties
. Client and Server are NOT AWARE of the existence of the middle man
. It is an ACTIVE attack instead of passive sniffing: the attacker sits in between the client and server and is able to read, modify and insert
[Diagram: normal HTTP connection: the web browser sends GET http://abc.com to the web server, which answers HTTP/1.0 200 OK. MITM hijacked connection: the browser's GET http://abc.com goes to the attacker, who forwards it to the web server and relays the HTTP/1.0 200 OK back to the browser]

Botnets targeting Banks and e-Commerce
. Zeus and SpyEye Botnets
  – steal banking information by keylogging and form grabbing
  – features:
    • Take screenshot (save to html without image)
    • Fake redirect (redirect to a prepared fake bank webpage)
    • HTML inject (hijack the login session and inject new fields)
    • Log the visiting information of each banking site, record the input string (text or post URL)

Man-in-the-Browser
. Hackers' dream: breaking two factor authentication
  – Intercept transaction
    • Install software/plugin inside the browser, hook major OS and web browser APIs and proxy data
. Rewrite the screen. Trick the user into entering credentials. Change the amount and change the destination to the attacker's account
. Change the display to the user as if his transaction was executed
  – Calculate the "should be amount" and rewrite the remaining total to the screen
  – Store in a database in the cloud the amount transacted from the user's perspective
Source: www.cronto.com

Zeus in the Mobile
. ZitMo (reported in Sep-2010)
  – Zeus ver 2.0, with Man-in-the-Mobile (MitMo) feature
  – Mobile Infection:
    • Infected PC visits bank website
    • Zeus injects HTML content into the webpage, requesting the user to input their mobile phone number and the IMEI # (and phone model)
    • Hacker sends a new "digital certificate" to the phone
    • User installs the Zeus mobile
  – Platforms: Symbian, Android, WinCE and BlackBerry
  – Sniff the SMS messages when woken up by a special SMS
    • Steal one-time password (OTP) sent via SMS (2011-July)
. SpyEye goes mobile (Apr-2011) using similar techniques

Inserting a transaction (at login): Shadow Login
. Login: the user enters PIN + OTP and submits; the Trojan kicks up a shadow login at the back with the same PIN + OTP
. The Trojan inserts a new window ("Not successful. Please retry"); the user enters PIN + OTP2 and submits
. Hacker uses OTP2 to authenticate a transaction

Defense at client side
. 3 Baseline Defenses are necessary but not sufficient
  – Protection from malware
  – Personal Firewall
  – Update patches (this is more and more important)
. Secunia Personal Software Inspector: http://secunia.com/vulnerability_scanning/personal/
. Install Microsoft Malicious Software Removal Tool (MSRT)

Defense at client side
. Use newer and secure browsers (Chrome 12, FF 5, IE 9)
  – They come with new features: URL blocking, sandbox
. Use separate browsers for casual browsing and transaction-based use
. Avoid installing add-ons (extensions, ActiveX objects …) on the browser

Attacks to Business Logics
. When SQL and XSS vulnerabilities are reducing, attackers change focus to vulnerabilities in business logic
. Business logic flaws are not software bugs. Business logic abuse is not an exploit. Attackers are using functionality used by legitimate users.
  – Web application firewalls have no defense against it.
  – Quality assurance may overlook this because tests usually test what the code is supposed to do, and not what it can be made to do.
Abuse
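The Man-in-the-Browser and Shadow Login slides above both exploit the fact that a plain OTP proves only "a user is present", not "this destination and this amount". As an added server-side example (not HKCERT's or Cronto's code), the code below binds the one-time code to the exact transaction, so a rewritten amount/destination or a replayed OTP2 fails verification; the HMAC-SHA256 simulation of the user's out-of-band device and the 8-digit truncation are assumptions.

```python
"""Transaction-bound one-time code: the code covers nonce, destination and
amount, so MitB tampering or OTP replay is rejected. Added example, not from
the original slides."""
import hashlib
import hmac
import secrets


def tan_for(device_secret: bytes, nonce: str, dest: str, amount_cents: int) -> str:
    """Code the user's out-of-band device would display for exactly this
    transaction (assumed HMAC-SHA256 device, truncated to 8 digits)."""
    msg = f"{nonce}|{dest}|{amount_cents}".encode()
    digest = hmac.new(device_secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**8).zfill(8)


class TransferService:
    """Minimal bank-side confirmation step for an outgoing transfer."""

    def __init__(self):
        self.secrets = {}   # user -> device secret, provisioned out of band
        self.pending = {}   # nonce -> user; one-shot, so a code cannot be replayed

    def enrol(self, user: str) -> bytes:
        self.secrets[user] = secrets.token_bytes(32)
        return self.secrets[user]

    def start_transfer(self, user: str) -> str:
        nonce = secrets.token_hex(8)
        self.pending[nonce] = user
        return nonce

    def confirm(self, user: str, nonce: str, dest: str, amount_cents: int, code: str) -> bool:
        """Execute only if the code was computed over the same dest/amount the
        server is about to act on and the nonce has not been used before.
        Any failure consumes the nonce, so the user must restart the transfer."""
        if self.pending.pop(nonce, None) != user:
            return False
        expected = tan_for(self.secrets[user], nonce, dest, amount_cents)
        return hmac.compare_digest(expected, code)
```

The device must show the user the destination and amount it is signing; a MitB can still rewrite the browser screen, but it cannot change what the server verifies.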