SlideShare une entreprise Scribd logo

Banking Fraud Evolution

Source Conference
Source Conference

SOURCE Seattle 2011 - Jose Miguel Esparza

TechnologieBusiness
1  sur  62
Télécharger pour lire hors ligne
[ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
[ Agenda ] • Banking trojans • Tatanga: a new actor emerges • Anatomy of an e-banking fraud incident • The eternal game of cat and mouse • Real e-banking fraud incidents • Conclusions
[ Banking trojans ] • … • ZeuS • Sinowal (Torpig) • Gozi • SpyEye • Carberp • Feodo • …
[ Banking trojans ] Source: abuse.ch
[ Banking trojans ] • Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
[ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
[ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards Information theft – Credentials theft – Certificates theft – System corruption (KillOS)
[ Tatanga ] • Discovered by S21sec in February 2011 • Very low detection • MarioForever (2008) evolution? • C++ • No packers • Modular design • Anti-VM, anti-debugging • 64bits support
[ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
[ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
[ Tatanga ] • Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
[ Tatanga ] • Modules: XOR + BZIP2 – ModMalwareRemover
[ Tatanga ] • Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
[ Tatanga ] • Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer –…
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Anatomy of an e-fraud incident ] • Infection • Configuration file update/download • Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing… • Banking credentials theft
[ Anatomy of an e-fraud incident ] • Account spying – Manual / Automatic – Getting balance to choose the victim • Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB) • Money laundering
[ The game of cat and mouse ] Virtual keyboard Code card ID + Password 2FA OTP Token SMS : mTAN
[ The game of cat and mouse ] Virtual keyboard screen/video capturing…
[ The game of cat and mouse ] Code card pharming, phishing, injection…
[ The game of cat and mouse ] Token mTAN …MITM, code injection
[ The game of cat and mouse ] SCREEN-CAPTURING Virtual keyboard PHARMING PHISHING KEYLOGGING Code card ID + Password MITM FORM GRABBING OTP Token CODE INJECTION SMS : mTAN
[ Real e-banking fraud incidents ] • SpyEye MitB, October 2010 • Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
[ Real e-banking fraud incidents ] • Tatanga MitB, February 2011 • Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
[ Real e-banking fraud incidents ] • Tatanga MitB, February 2011
[ Real e-banking fraud incidents ] • ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ] Each day we try to improve your security. Lately we have noticed many mobile SIM cloning attacks that result in fraudulent transfers. Due to the increase of these incidents, we have implemented a new mobile identification method, using a digital certificate. The certificate works in smartphones and is an additional method of protection. This application ensures that only you can access your online account. Please click here to start the installation
[ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
[ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
[ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
[ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
[ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later!)
[ ZeuS Man in the Mobile ] Serial Number: BF43000100230353FF7915 9EF3B3 Revocation Date: Sep 28 08:26:26 2010 GMT Serial Number: 61F1000100235BC2794380 405E52 Revocation Date: Sep 28 08:26:26 2010 GMT
[ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
[ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later! It is important) …sent to a UK mobile phone.
[ ZeuS Man in the Mobile ] ON / OFF SET ADMIN ADD SENDER ALL REM SET …sent from the “bad guy” mobile phone.
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ] if ($urlPathExt == ’sis') { $oGate->addHeader('Content-Type: application/vnd.symbian.install'); if ($data['mobile_os_type'] == OS_SYMBIAN_78) $oGate->outputFile('./symbian/cert_78.sis.txt'); else if ($data['mobile_os_type'] ==OS_SYMBIAN_9) $oGate->outputFile('./symbian/cert_9.sis.txt');} if ($urlPathExt == 'cab') { $oGate->addHeader('Content-Type: application/cab'); if ($data['mobile_os_type']==OS_WINDOWS_MOBILE_2K) $oGateoutputFile('./wm/cert_uncompress.cab.txt');else if ($data['mobile_os_type']=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile('./wm/cert_compress.cab.txt'); if ($urlPathExt == ’cod') {$oGate->addHeader('Content-Type: application/vnd.rim.cod');if ($data['mobile_os_type'] == OS_BLACKBERRY_41) $oGate->outputFile('./blackberry/cert_41.cod.txt'); else if ($data['mobile_os_type'] == OS_BLACKBERRY_GR44)
[ ZeuS Man in the Mobile ] Remember the token ? mysql_unbuffered_query(“ UPDATE sms_list SET mobile_os_version=$mobile_os_version, is_downloaded='YES', ts_downloaded=$ts_downloaded WHERE token='$token'");
[ ZeuS Man in the Mobile ] ZeuS infected
[ ZeuS Man in the Mobile ] ZeuS infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected Mitmo Infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
[ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected OTP: 0023424 COMMANDS Mitmo Infected
[ ZeuS Man in the Mobile ] ID + PASSWORD GAME OVER ZeuS infected OTP: 0023424 COMMANDS Mitmo Infected
[ DEMO TIME!! ]
[ Conclusions ] • Successful attacks: not binary dependent • Social engineering – HTML injections + extras • Innovation • Underground market – User dependent • Monitoring injections • Sharing information
[ Questions? ]
[ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo

Recommandé

A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016NetGuardians
 
Banking Fraud Evolution - New techniques in real fraud cases
Banking Fraud Evolution - New techniques in real fraud casesBanking Fraud Evolution - New techniques in real fraud cases
Banking Fraud Evolution - New techniques in real fraud casesJose Miguel Esparza
 
Hurtado diaz doraliza
Hurtado diaz doralizaHurtado diaz doraliza
Hurtado diaz doralizaMatematica2APV
 
Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.
Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.
Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.Positive Hack Days
 
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связи
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связиРositive Hack Days V. Противодействие платёжному фроду на сети оператора связи
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связиDenis Gorchakov
 
ISM ppt October 2014_final
ISM ppt October 2014_finalISM ppt October 2014_final
ISM ppt October 2014_finalAudrius Sapola
 
Gestione dei rischi: analisi di un modello semplificato per le PMI
Gestione dei rischi: analisi di un modello semplificato per le PMIGestione dei rischi: analisi di un modello semplificato per le PMI
Gestione dei rischi: analisi di un modello semplificato per le PMIStefano Bendandi
 
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15MLconf
 

Recommandé

A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016NetGuardians
 
Banking Fraud Evolution - New techniques in real fraud cases
Banking Fraud Evolution - New techniques in real fraud casesBanking Fraud Evolution - New techniques in real fraud cases
Banking Fraud Evolution - New techniques in real fraud casesJose Miguel Esparza
 
Hurtado diaz doraliza
Hurtado diaz doralizaHurtado diaz doraliza
Hurtado diaz doralizaMatematica2APV
 
Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.
Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.
Denis Gorchakov, Olga Kochetova. SMS Banking Fraud.Positive Hack Days
 
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связи
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связиРositive Hack Days V. Противодействие платёжному фроду на сети оператора связи
Рositive Hack Days V. Противодействие платёжному фроду на сети оператора связиDenis Gorchakov
 
ISM ppt October 2014_final
ISM ppt October 2014_finalISM ppt October 2014_final
ISM ppt October 2014_finalAudrius Sapola
 
Gestione dei rischi: analisi di un modello semplificato per le PMI
Gestione dei rischi: analisi di un modello semplificato per le PMIGestione dei rischi: analisi di un modello semplificato per le PMI
Gestione dei rischi: analisi di un modello semplificato per le PMIStefano Bendandi
 
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15MLconf
 
Risk Management e assicurazioni
Risk Management e assicurazioniRisk Management e assicurazioni
Risk Management e assicurazioniMauro Del Pup
 
Risk Management e gestione dei rischi finanziari
Risk Management e gestione dei rischi finanziariRisk Management e gestione dei rischi finanziari
Risk Management e gestione dei rischi finanziariFondazione CUOA
 
[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditing[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditingNatalino Busa
 
Indian banking
Indian bankingIndian banking
Indian bankingRakhul Nahar
 
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Dinidu Weeraratne
 
Fraud principles1
Fraud principles1Fraud principles1
Fraud principles1Sevisa Isufaj
 
Fraud Management Solutions
Fraud Management SolutionsFraud Management Solutions
Fraud Management SolutionsSAS Institute India Pvt. Ltd
 
Webinar: Fighting Fraud with Graph Databases
Webinar: Fighting Fraud with Graph DatabasesWebinar: Fighting Fraud with Graph Databases
Webinar: Fighting Fraud with Graph DatabasesDataStax
 
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesn|u - The Open Security Community
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsTuan Yang
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipColdbeans Software
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
 
Social Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest linkSocial Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest linkJose Miguel Esparza
 
Network security
Network securityNetwork security
Network securityAli Kamil
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee RoundtableHarvard PR
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product DescriptionSzymon Dowgwillowicz-Nowicki
 
NFTs - Common Use Cases and Legal Considerations (Japan)
NFTs - Common Use Cases and Legal Considerations (Japan)NFTs - Common Use Cases and Legal Considerations (Japan)
NFTs - Common Use Cases and Legal Considerations (Japan)Joerg Schmidt
 
Axiom protect-2.0-with-one identity
Axiom protect-2.0-with-one identityAxiom protect-2.0-with-one identity
Axiom protect-2.0-with-one identityVikram Sareen
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)Mikko Ohtamaa
 
Session2 2 김휘강 codegate2(hkkim)
Session2 2 김휘강 codegate2(hkkim)Session2 2 김휘강 codegate2(hkkim)
Session2 2 김휘강 codegate2(hkkim)Korea University
 

Contenu connexe

En vedette

Risk Management e assicurazioni
Risk Management e assicurazioniRisk Management e assicurazioni
Risk Management e assicurazioniMauro Del Pup
 
Risk Management e gestione dei rischi finanziari
Risk Management e gestione dei rischi finanziariRisk Management e gestione dei rischi finanziari
Risk Management e gestione dei rischi finanziariFondazione CUOA
 
[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditing[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditingNatalino Busa
 
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Dinidu Weeraratne
 
Webinar: Fighting Fraud with Graph Databases
Webinar: Fighting Fraud with Graph DatabasesWebinar: Fighting Fraud with Graph Databases
Webinar: Fighting Fraud with Graph DatabasesDataStax
 

En vedette (8)

Risk Management e assicurazioni
Risk Management e assicurazioniRisk Management e assicurazioni
Risk Management e assicurazioni
 
Risk Management e gestione dei rischi finanziari
Risk Management e gestione dei rischi finanziariRisk Management e gestione dei rischi finanziari
Risk Management e gestione dei rischi finanziari
 
[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditing[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditing
 
Indian banking
Indian bankingIndian banking
Indian banking
 
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
Banking Frauds - An analysis of Banking Frauds, causes and possible preventiv...
 
Fraud principles1
Fraud principles1Fraud principles1
Fraud principles1
 
Fraud Management Solutions
Fraud Management SolutionsFraud Management Solutions
Fraud Management Solutions
 
Webinar: Fighting Fraud with Graph Databases
Webinar: Fighting Fraud with Graph DatabasesWebinar: Fighting Fraud with Graph Databases
Webinar: Fighting Fraud with Graph Databases
 

Similaire à Banking Fraud Evolution

nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesn|u - The Open Security Community
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsTuan Yang
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipColdbeans Software
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
 
Social Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest linkSocial Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest linkJose Miguel Esparza
 
Network security
Network securityNetwork security
Network securityAli Kamil
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee RoundtableHarvard PR
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product DescriptionSzymon Dowgwillowicz-Nowicki
 
NFTs - Common Use Cases and Legal Considerations (Japan)
NFTs - Common Use Cases and Legal Considerations (Japan)NFTs - Common Use Cases and Legal Considerations (Japan)
NFTs - Common Use Cases and Legal Considerations (Japan)Joerg Schmidt
 
Axiom protect-2.0-with-one identity
Axiom protect-2.0-with-one identityAxiom protect-2.0-with-one identity
Axiom protect-2.0-with-one identityVikram Sareen
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)Mikko Ohtamaa
 
Session2 2 김휘강 codegate2(hkkim)
Session2 2 김휘강 codegate2(hkkim)Session2 2 김휘강 codegate2(hkkim)
Session2 2 김휘강 codegate2(hkkim)Korea University
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
How the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksTripwire
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
SOTP_Introduction
SOTP_IntroductionSOTP_Introduction
SOTP_IntroductionJohnson Wu
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigationMehedi Hasan
 

Similaire à Banking Fraud Evolution (20)

nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
 
Web Security
Web SecurityWeb Security
Web Security
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our Applications
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones Ownership
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)
 
Social Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest linkSocial Engineering in Banking Trojans: attacking the weakest link
Social Engineering in Banking Trojans: attacking the weakest link
 
Network security
Network securityNetwork security
Network security
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee Roundtable
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description
 
NFTs - Common Use Cases and Legal Considerations (Japan)
NFTs - Common Use Cases and Legal Considerations (Japan)NFTs - Common Use Cases and Legal Considerations (Japan)
NFTs - Common Use Cases and Legal Considerations (Japan)
 
Axiom protect-2.0-with-one identity
Axiom protect-2.0-with-one identityAxiom protect-2.0-with-one identity
Axiom protect-2.0-with-one identity
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)
 
Session2 2 김휘강 codegate2(hkkim)
Session2 2 김휘강 codegate2(hkkim)Session2 2 김휘강 codegate2(hkkim)
Session2 2 김휘강 codegate2(hkkim)
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browser
 
Cyber security
Cyber securityCyber security
Cyber security
 
How the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market Works
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
 
SOTP_Introduction
SOTP_IntroductionSOTP_Introduction
SOTP_Introduction
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
 

Plus de Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 

Plus de Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 

Dernier

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 

Dernier (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 

Banking Fraud Evolution

  • 1. [ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
  • 2. [ Agenda ] • Banking trojans • Tatanga: a new actor emerges • Anatomy of an e-banking fraud incident • The eternal game of cat and mouse • Real e-banking fraud incidents • Conclusions
  • 3. [ Banking trojans ] • … • ZeuS • Sinowal (Torpig) • Gozi • SpyEye • Carberp • Feodo • …
  • 4. [ Banking trojans ] Source: abuse.ch
  • 5. [ Banking trojans ] • Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
  • 6. [ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
  • 7. [ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards Information theft – Credentials theft – Certificates theft – System corruption (KillOS)
  • 8. [ Tatanga ] • Discovered by S21sec in February 2011 • Very low detection • MarioForever (2008) evolution? • C++ • No packers • Modular design • Anti-VM, anti-debugging • 64bits support
  • 9. [ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
  • 10. [ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
  • 11. [ Tatanga ] • Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
  • 12. [ Tatanga ] • Modules: XOR + BZIP2 – ModMalwareRemover
  • 13. [ Tatanga ] • Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
  • 14. [ Tatanga ] • Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer –…
  • 24. [ Anatomy of an e-fraud incident ] • Infection • Configuration file update/download • Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing… • Banking credentials theft
  • 25. [ Anatomy of an e-fraud incident ] • Account spying – Manual / Automatic – Getting balance to choose the victim • Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB) • Money laundering
  • 26. [ The game of cat and mouse ] Virtual keyboard Code card ID + Password 2FA OTP Token SMS : mTAN
  • 27. [ The game of cat and mouse ] Virtual keyboard screen/video capturing…
  • 28. [ The game of cat and mouse ] Code card pharming, phishing, injection…
  • 29. [ The game of cat and mouse ] Token mTAN …MITM, code injection
  • 30. [ The game of cat and mouse ] SCREEN-CAPTURING Virtual keyboard PHARMING PHISHING KEYLOGGING Code card ID + Password MITM FORM GRABBING OTP Token CODE INJECTION SMS : mTAN
  • 31. [ Real e-banking fraud incidents ] • SpyEye MitB, October 2010 • Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
  • 32. [ Real e-banking fraud incidents ] • Tatanga MitB, February 2011 • Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
  • 33. [ Real e-banking fraud incidents ] • Tatanga MitB, February 2011
  • 34. [ Real e-banking fraud incidents ] • ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
  • 35. [ ZeuS Man in the Mobile ]
  • 36. [ ZeuS Man in the Mobile ] Each day we try to improve your security. Lately we have noticed many mobile SIM cloning attacks that result in fraudulent transfers. Due to the increase of these incidents, we have implemented a new mobile identification method, using a digital certificate. The certificate works in smartphones and is an additional method of protection. This application ensures that only you can access your online account. Please click here to start the installation
  • 37. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  • 38. [ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
  • 39. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  • 40. [ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
  • 41. [ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later!)
  • 42. [ ZeuS Man in the Mobile ] Serial Number: BF43000100230353FF7915 9EF3B3 Revocation Date: Sep 28 08:26:26 2010 GMT Serial Number: 61F1000100235BC2794380 405E52 Revocation Date: Sep 28 08:26:26 2010 GMT
  • 43. [ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
  • 44. [ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later! It is important) …sent to a UK mobile phone.
  • 45. [ ZeuS Man in the Mobile ] ON / OFF SET ADMIN ADD SENDER ALL REM SET …sent from the “bad guy” mobile phone.
  • 46. [ ZeuS Man in the Mobile ]
  • 47. [ ZeuS Man in the Mobile ]
  • 48. [ ZeuS Man in the Mobile ] if ($urlPathExt == ’sis') { $oGate->addHeader('Content-Type: application/vnd.symbian.install'); if ($data['mobile_os_type'] == OS_SYMBIAN_78) $oGate->outputFile('./symbian/cert_78.sis.txt'); else if ($data['mobile_os_type'] ==OS_SYMBIAN_9) $oGate->outputFile('./symbian/cert_9.sis.txt');} if ($urlPathExt == 'cab') { $oGate->addHeader('Content-Type: application/cab'); if ($data['mobile_os_type']==OS_WINDOWS_MOBILE_2K) $oGateoutputFile('./wm/cert_uncompress.cab.txt');else if ($data['mobile_os_type']=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile('./wm/cert_compress.cab.txt'); if ($urlPathExt == ’cod') {$oGate->addHeader('Content-Type: application/vnd.rim.cod');if ($data['mobile_os_type'] == OS_BLACKBERRY_41) $oGate->outputFile('./blackberry/cert_41.cod.txt'); else if ($data['mobile_os_type'] == OS_BLACKBERRY_GR44)
  • 49. [ ZeuS Man in the Mobile ] Remember the token ? mysql_unbuffered_query(“ UPDATE sms_list SET mobile_os_version=$mobile_os_version, is_downloaded='YES', ts_downloaded=$ts_downloaded WHERE token='$token'");
  • 50. [ ZeuS Man in the Mobile ] ZeuS infected
  • 51. [ ZeuS Man in the Mobile ] ZeuS infected
  • 52. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected
  • 53. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected Mitmo Infected
  • 54. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
  • 55. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
  • 56. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected COMMANDS Mitmo Infected
  • 57. [ ZeuS Man in the Mobile ] ID + PASSWORD ZeuS infected OTP: 0023424 COMMANDS Mitmo Infected
  • 58. [ ZeuS Man in the Mobile ] ID + PASSWORD GAME OVER ZeuS infected OTP: 0023424 COMMANDS Mitmo Infected
  • 60. [ Conclusions ] • Successful attacks: not binary dependent • Social engineering – HTML injections + extras • Innovation • Underground market – User dependent • Monitoring injections • Sharing information
  • 62. [ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo