SlideShare une entreprise Scribd logo
1  sur  62
[ Banking Fraud Evolution ]
New techniques in real fraud cases
Jose Miguel Esparza
[ Agenda ]
• Banking trojans
• Tatanga: a new actor emerges
• Anatomy of an e-banking fraud incident
• The eternal game of cat and mouse
• Real e-banking fraud incidents
• Conclusions
[ Banking trojans ]
• …
• ZeuS
• Sinowal (Torpig)
• Gozi
• SpyEye
• Carberp
• Feodo
• …
[ Banking trojans ]
Source: abuse.ch
[ Banking trojans ]
• Binaries functionalities
– Bot
– Configuration update
– Binary update
– HTML injection
– Redirection
[ Banking trojans ]
• Binaries functionalities
– Screenshots
– Capture virtual keyboards
– Credentials theft
– Certificates theft
– System corruption (KillOS)
[ Banking trojans ]
• Binaries functionalities
– Screenshots
– Capture virtual keyboards
– Credentials theft
– Certificates theft
– System corruption (KillOS)
Information theft
[ Tatanga ]
• Discovered by S21sec in February 2011
• Very low detection
• MarioForever (2008) evolution?
• C++
• No packers
• Modular design
• Anti-VM, anti-debugging
• 64bits support
[ Tatanga ]
• Proxys to distribute binaries
• Weak encrypted communication with C&C
• HTML injection
• Man in the Browser
• Records video!!
[ Tatanga ]
• Proxys to distribute binaries
• Weak encrypted communication with C&C
• HTML injection
• Man in the Browser
• Records video!!
[ Tatanga ]
• Modules: XOR + BZIP2
– HTTPTrafficLogger
– Comm
– ModDynamicInjection
– ModEmailGrabber
– ModAVTrafficBlocker
– ModCrashGuard
[ Tatanga ]
• Modules: XOR + BZIP2
– ModMalwareRemover
[ Tatanga ]
• Modules: XOR + BZIP2
– SSL Decrypt
– FilePatcher
– IMSender
– HTTPSender
– Coredb
– SmartHTTPDoser
[ Tatanga ]
• Control panel
– Statistics: country, browser, OS, AV, injections,
honeypots
– Injections and drops management
– Storing dumps of banking webpages
– Classified versions of droppers and modules
– Dependencies between modules
– DDoS
– FTP iframer
– …
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Anatomy of an e-fraud incident ]
• Infection
• Configuration file update/download
• Interaction with the user
Social engineering!!
HTML injection, Mit(B|M|Mo), Pharming, Phishing…
• Banking credentials theft
[ Anatomy of an e-fraud incident ]
• Account spying
– Manual / Automatic
– Getting balance to choose the victim
• Fraudulent transaction
– Manual Mules
– Automatic Man in the Browser (MitB)
• Money laundering
[ The game of cat and mouse ]
Virtual keyboard
Code card
OTP Token
SMS : mTAN
PasswordID +
2FA
[ The game of cat and mouse ]
Virtual keyboard
screen/video capturing…
[ The game of cat and mouse ]
Code card
pharming, phishing, injection…
[ The game of cat and mouse ]
Token mTAN
…MITM, code injection
[ The game of cat and mouse ]
Virtual keyboard
Code card
OTP Token
SMS : mTAN
PasswordID +
SCREEN-CAPTURING
PHISHING
MITM
CODE INJECTION
FORM GRABBING
KEYLOGGING
PHARMING
[ Real e-banking fraud incidents ]
• SpyEye MitB, October 2010
• Automatic fraudulent transfer
– Session of the legit user
– Balance request
– Account selection based on balance
– Getting mules from the server
– Social engineering password request
– Automatic transaction
– Modification of balance and operations
[ Real e-banking fraud incidents ]
• Tatanga MitB, February 2011
• Automatic fraudulent transfer using OTP
– Session of the legit user
– Balance request
– Account selection based on balance
– Getting mules from the server
– Social engineering password request
– Social engineering OTP request
– Automatic transaction
– Modification of balance and operations
[ Real e-banking fraud incidents ]
• Tatanga MitB, February 2011
[ Real e-banking fraud incidents ]
• ZeuS Man in the Mobile (MitMo)
– September 2010, Spain
– February 2011, Poland
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ]
Each day we try to improve your security. Lately we have
noticed many mobile SIM cloning attacks that result in
fraudulent transfers. Due to the increase of these incidents,
we have implemented a new mobile identification method,
using a digital certificate. The certificate works in
smartphones and is an additional method of protection.
This application ensures that only you can access your
online account.
Please click here to start the installation
[ ZeuS Man in the Mobile ]
Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
[ ZeuS Man in the Mobile ]
Please choose your mobile manufacturer and model
and add your mobile number.
The digital certificate installation link will be sent via
SMS. Please download and install the application
[ ZeuS Man in the Mobile ]
Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
[ ZeuS Man in the Mobile ]
The certificate installation program link will be sent
by SMS. Once received, please download and
install the aplication.
[ ZeuS Man in the Mobile ]
Spoofed SMS Sender ID
ID Token
(remember this for later!)
[ ZeuS Man in the Mobile ]
Serial Number:
BF43000100230353FF7915
9EF3B3
Revocation Date:
Sep 28 08:26:26 2010 GMT
Serial Number:
61F1000100235BC2794380
405E52
Revocation Date:
Sep 28 08:26:26 2010 GMT
[ ZeuS Man in the Mobile ]
http://dtarasov.ru/smsmonitor_lite.html
[ ZeuS Man in the Mobile ]
Spoofed SMS
Sender ID
ID Token (remember
this for later! It is
important)
…sent to a UK mobile phone.
[ ZeuS Man in the Mobile ]
ON / OFF
SET ADMIN
ADD
REM
SET
…sent from the “bad guy” mobile phone.
SENDER ALL
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ]
if ($urlPathExt == ’sis') {
$oGate->addHeader('Content-Type:
application/vnd.symbian.install');
if ($data['mobile_os_type'] == OS_SYMBIAN_78)
$oGate->outputFile('./symbian/cert_78.sis.txt');
else if ($data['mobile_os_type'] ==OS_SYMBIAN_9)
$oGate->outputFile('./symbian/cert_9.sis.txt');}
if ($urlPathExt == 'cab') {
$oGate->addHeader('Content-Type: application/cab');
if ($data['mobile_os_type']==OS_WINDOWS_MOBILE_2K)
$oGateoutputFile('./wm/cert_uncompress.cab.txt');else if
($data['mobile_os_type']=OS_WINDOWS_MOBILE_GR5)
$oGate->outputFile('./wm/cert_compress.cab.txt');
if ($urlPathExt == ’cod') {$oGate->addHeader('Content-Type:
application/vnd.rim.cod');if ($data['mobile_os_type'] == OS_BLACKBERRY_41)
$oGate->outputFile('./blackberry/cert_41.cod.txt'); else if
($data['mobile_os_type'] == OS_BLACKBERRY_GR44)
[ ZeuS Man in the Mobile ]
Remember the token ?
mysql_unbuffered_query(“
UPDATE sms_list SET
mobile_os_version=$mobile_os_version,
is_downloaded='YES',
ts_downloaded=$ts_downloaded WHERE
token='$token'");
[ ZeuS Man in the Mobile ]
ZeuS infected
[ ZeuS Man in the Mobile ]
ZeuS infected
[ ZeuS Man in the Mobile ]
ZeuS infected
ID + PASSWORD
[ ZeuS Man in the Mobile ]
ZeuS infected
ID + PASSWORD
Mitmo Infected
[ ZeuS Man in the Mobile ]
ZeuS infected
ID + PASSWORD
Mitmo Infected
COMMANDS
[ ZeuS Man in the Mobile ]
ZeuS infected
ID + PASSWORD
Mitmo Infected
COMMANDS
[ ZeuS Man in the Mobile ]
ZeuS infected
ID + PASSWORD
Mitmo Infected
COMMANDS
[ ZeuS Man in the Mobile ]
OTP: 0023424
COMMANDS
ZeuS infected
ID + PASSWORD
Mitmo Infected
[ ZeuS Man in the Mobile ]
ZeuS infected
ID + PASSWORD
Mitmo Infected
GAME OVER
OTP: 0023424
COMMANDS
[ DEMO TIME!! ]
[ Conclusions ]
• Successful attacks: not binary dependent
• Social engineering
– HTML injections + extras
• Innovation
• Underground market
– User dependent
• Monitoring injections
• Sharing information
[ Questions? ]
[ Thank You!! ]
Jose Miguel Esparza
jesparza s21sec.com
@eternaltodo

Contenu connexe

Similaire à Banking Fraud Evolution - New techniques in real fraud cases

nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesn|u - The Open Security Community
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsTuan Yang
 
How the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksTripwire
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipColdbeans Software
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee RoundtableHarvard PR
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
Cybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareCybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareYoungjun Chang
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product DescriptionSzymon Dowgwillowicz-Nowicki
 
Network security
Network securityNetwork security
Network securityAli Kamil
 
(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013STO STRATEGY
 
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareIsn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareJimmy Shah
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)Mikko Ohtamaa
 
micro payments using coin
micro payments using coinmicro payments using coin
micro payments using coinNaga Dinesh
 
The Rise and Rise of Web Fraud
The Rise and Rise of Web FraudThe Rise and Rise of Web Fraud
The Rise and Rise of Web FraudDavid Jones
 

Similaire à Banking Fraud Evolution - New techniques in real fraud cases (20)

nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
 
Web Security
Web SecurityWeb Security
Web Security
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our Applications
 
How the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market Works
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones Ownership
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee Roundtable
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browser
 
Cybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareCybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshare
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description
 
Network security
Network securityNetwork security
Network security
 
(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013
 
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareIsn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)
 
Zsun
ZsunZsun
Zsun
 
micro payments using coin
micro payments using coinmicro payments using coin
micro payments using coin
 
The Rise and Rise of Web Fraud
The Rise and Rise of Web FraudThe Rise and Rise of Web Fraud
The Rise and Rise of Web Fraud
 

Dernier

UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveIES VE
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsDianaGray10
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIVijayananda Mohire
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kitJamie (Taka) Wang
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxNeo4j
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 

Dernier (20)

UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projects
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAI
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kit
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 

Banking Fraud Evolution - New techniques in real fraud cases

  • 1. [ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
  • 2. [ Agenda ] • Banking trojans • Tatanga: a new actor emerges • Anatomy of an e-banking fraud incident • The eternal game of cat and mouse • Real e-banking fraud incidents • Conclusions
  • 3. [ Banking trojans ] • … • ZeuS • Sinowal (Torpig) • Gozi • SpyEye • Carberp • Feodo • …
  • 4. [ Banking trojans ] Source: abuse.ch
  • 5. [ Banking trojans ] • Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
  • 6. [ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
  • 7. [ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS) Information theft
  • 8. [ Tatanga ] • Discovered by S21sec in February 2011 • Very low detection • MarioForever (2008) evolution? • C++ • No packers • Modular design • Anti-VM, anti-debugging • 64bits support
  • 9. [ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
  • 10. [ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
  • 11. [ Tatanga ] • Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
  • 12. [ Tatanga ] • Modules: XOR + BZIP2 – ModMalwareRemover
  • 13. [ Tatanga ] • Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
  • 14. [ Tatanga ] • Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer – …
  • 24. [ Anatomy of an e-fraud incident ] • Infection • Configuration file update/download • Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing… • Banking credentials theft
  • 25. [ Anatomy of an e-fraud incident ] • Account spying – Manual / Automatic – Getting balance to choose the victim • Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB) • Money laundering
  • 26. [ The game of cat and mouse ] Virtual keyboard Code card OTP Token SMS : mTAN PasswordID + 2FA
  • 27. [ The game of cat and mouse ] Virtual keyboard screen/video capturing…
  • 28. [ The game of cat and mouse ] Code card pharming, phishing, injection…
  • 29. [ The game of cat and mouse ] Token mTAN …MITM, code injection
  • 30. [ The game of cat and mouse ] Virtual keyboard Code card OTP Token SMS : mTAN PasswordID + SCREEN-CAPTURING PHISHING MITM CODE INJECTION FORM GRABBING KEYLOGGING PHARMING
  • 31. [ Real e-banking fraud incidents ] • SpyEye MitB, October 2010 • Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
  • 32. [ Real e-banking fraud incidents ] • Tatanga MitB, February 2011 • Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
  • 33. [ Real e-banking fraud incidents ] • Tatanga MitB, February 2011
  • 34. [ Real e-banking fraud incidents ] • ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
  • 35. [ ZeuS Man in the Mobile ]
  • 36. [ ZeuS Man in the Mobile ] Each day we try to improve your security. Lately we have noticed many mobile SIM cloning attacks that result in fraudulent transfers. Due to the increase of these incidents, we have implemented a new mobile identification method, using a digital certificate. The certificate works in smartphones and is an additional method of protection. This application ensures that only you can access your online account. Please click here to start the installation
  • 37. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  • 38. [ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
  • 39. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  • 40. [ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
  • 41. [ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later!)
  • 42. [ ZeuS Man in the Mobile ] Serial Number: BF43000100230353FF7915 9EF3B3 Revocation Date: Sep 28 08:26:26 2010 GMT Serial Number: 61F1000100235BC2794380 405E52 Revocation Date: Sep 28 08:26:26 2010 GMT
  • 43. [ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
  • 44. [ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later! It is important) …sent to a UK mobile phone.
  • 45. [ ZeuS Man in the Mobile ] ON / OFF SET ADMIN ADD REM SET …sent from the “bad guy” mobile phone. SENDER ALL
  • 46. [ ZeuS Man in the Mobile ]
  • 47. [ ZeuS Man in the Mobile ]
  • 48. [ ZeuS Man in the Mobile ] if ($urlPathExt == ’sis') { $oGate->addHeader('Content-Type: application/vnd.symbian.install'); if ($data['mobile_os_type'] == OS_SYMBIAN_78) $oGate->outputFile('./symbian/cert_78.sis.txt'); else if ($data['mobile_os_type'] ==OS_SYMBIAN_9) $oGate->outputFile('./symbian/cert_9.sis.txt');} if ($urlPathExt == 'cab') { $oGate->addHeader('Content-Type: application/cab'); if ($data['mobile_os_type']==OS_WINDOWS_MOBILE_2K) $oGateoutputFile('./wm/cert_uncompress.cab.txt');else if ($data['mobile_os_type']=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile('./wm/cert_compress.cab.txt'); if ($urlPathExt == ’cod') {$oGate->addHeader('Content-Type: application/vnd.rim.cod');if ($data['mobile_os_type'] == OS_BLACKBERRY_41) $oGate->outputFile('./blackberry/cert_41.cod.txt'); else if ($data['mobile_os_type'] == OS_BLACKBERRY_GR44)
  • 49. [ ZeuS Man in the Mobile ] Remember the token ? mysql_unbuffered_query(“ UPDATE sms_list SET mobile_os_version=$mobile_os_version, is_downloaded='YES', ts_downloaded=$ts_downloaded WHERE token='$token'");
  • 50. [ ZeuS Man in the Mobile ] ZeuS infected
  • 51. [ ZeuS Man in the Mobile ] ZeuS infected
  • 52. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD
  • 53. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected
  • 54. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
  • 55. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
  • 56. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
  • 57. [ ZeuS Man in the Mobile ] OTP: 0023424 COMMANDS ZeuS infected ID + PASSWORD Mitmo Infected
  • 58. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected GAME OVER OTP: 0023424 COMMANDS
  • 60. [ Conclusions ] • Successful attacks: not binary dependent • Social engineering – HTML injections + extras • Innovation • Underground market – User dependent • Monitoring injections • Sharing information
  • 62. [ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo