SlideShare a Scribd company logo

Banking Fraud Evolution - New techniques in real fraud cases

J
Jose Miguel Esparza

New techniques in banking fraud are applied not only to malicious binaries, but also to how different cybercriminal groups use these binaries. Criminals always attempt to make the most of their malicious software. An example of this is the broad possibilities offered by HTML code injection. The latest injections discovered in both ZeuS and SpyEye show, once again, their continuous struggle to adapt to the changes and measures put in place to counter them. In the case of ZeuS, one of the latest strategies involves rendering useless the two-factor authentication used in numerous on-line banking operations.Similarly, in a campaign for distributing SpyEye, the group responsible for the malware injected code designed to automatically make fraudulent transfers after dynamically obtaining the destination accounts (mules) from a server. Therefore, the impact of campaigns to spread malware depends not only on the dangerousness of the malicious software itself, but also on how this software is used and the creativity of its criminal owners.

TechnologyBusiness
1 of 62
[ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
[ Agenda ] • Banking trojans • Tatanga: a new actor emerges • Anatomy of an e-banking fraud incident • The eternal game of cat and mouse • Real e-banking fraud incidents • Conclusions
[ Banking trojans ] • … • ZeuS • Sinowal (Torpig) • Gozi • SpyEye • Carberp • Feodo • …
[ Banking trojans ] Source: abuse.ch
[ Banking trojans ] • Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
[ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
[ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS) Information theft
[ Tatanga ] • Discovered by S21sec in February 2011 • Very low detection • MarioForever (2008) evolution? • C++ • No packers • Modular design • Anti-VM, anti-debugging • 64bits support
[ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
[ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
[ Tatanga ] • Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
[ Tatanga ] • Modules: XOR + BZIP2 – ModMalwareRemover
[ Tatanga ] • Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
[ Tatanga ] • Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer – …
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Tatanga ]
[ Anatomy of an e-fraud incident ] • Infection • Configuration file update/download • Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing… • Banking credentials theft
[ Anatomy of an e-fraud incident ] • Account spying – Manual / Automatic – Getting balance to choose the victim • Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB) • Money laundering
[ The game of cat and mouse ] Virtual keyboard Code card OTP Token SMS : mTAN PasswordID + 2FA
[ The game of cat and mouse ] Virtual keyboard screen/video capturing…
[ The game of cat and mouse ] Code card pharming, phishing, injection…
[ The game of cat and mouse ] Token mTAN …MITM, code injection
[ The game of cat and mouse ] Virtual keyboard Code card OTP Token SMS : mTAN PasswordID + SCREEN-CAPTURING PHISHING MITM CODE INJECTION FORM GRABBING KEYLOGGING PHARMING
[ Real e-banking fraud incidents ] • SpyEye MitB, October 2010 • Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
[ Real e-banking fraud incidents ] • Tatanga MitB, February 2011 • Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
[ Real e-banking fraud incidents ] • Tatanga MitB, February 2011
[ Real e-banking fraud incidents ] • ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ] Each day we try to improve your security. Lately we have noticed many mobile SIM cloning attacks that result in fraudulent transfers. Due to the increase of these incidents, we have implemented a new mobile identification method, using a digital certificate. The certificate works in smartphones and is an additional method of protection. This application ensures that only you can access your online account. Please click here to start the installation
[ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
[ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
[ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
[ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
[ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later!)
[ ZeuS Man in the Mobile ] Serial Number: BF43000100230353FF7915 9EF3B3 Revocation Date: Sep 28 08:26:26 2010 GMT Serial Number: 61F1000100235BC2794380 405E52 Revocation Date: Sep 28 08:26:26 2010 GMT
[ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
[ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later! It is important) …sent to a UK mobile phone.
[ ZeuS Man in the Mobile ] ON / OFF SET ADMIN ADD REM SET …sent from the “bad guy” mobile phone. SENDER ALL
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ]
[ ZeuS Man in the Mobile ] if ($urlPathExt == ’sis') { $oGate->addHeader('Content-Type: application/vnd.symbian.install'); if ($data['mobile_os_type'] == OS_SYMBIAN_78) $oGate->outputFile('./symbian/cert_78.sis.txt'); else if ($data['mobile_os_type'] ==OS_SYMBIAN_9) $oGate->outputFile('./symbian/cert_9.sis.txt');} if ($urlPathExt == 'cab') { $oGate->addHeader('Content-Type: application/cab'); if ($data['mobile_os_type']==OS_WINDOWS_MOBILE_2K) $oGateoutputFile('./wm/cert_uncompress.cab.txt');else if ($data['mobile_os_type']=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile('./wm/cert_compress.cab.txt'); if ($urlPathExt == ’cod') {$oGate->addHeader('Content-Type: application/vnd.rim.cod');if ($data['mobile_os_type'] == OS_BLACKBERRY_41) $oGate->outputFile('./blackberry/cert_41.cod.txt'); else if ($data['mobile_os_type'] == OS_BLACKBERRY_GR44)
[ ZeuS Man in the Mobile ] Remember the token ? mysql_unbuffered_query(“ UPDATE sms_list SET mobile_os_version=$mobile_os_version, is_downloaded='YES', ts_downloaded=$ts_downloaded WHERE token='$token'");
[ ZeuS Man in the Mobile ] ZeuS infected
[ ZeuS Man in the Mobile ] ZeuS infected
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
[ ZeuS Man in the Mobile ] OTP: 0023424 COMMANDS ZeuS infected ID + PASSWORD Mitmo Infected
[ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected GAME OVER OTP: 0023424 COMMANDS
[ DEMO TIME!! ]
[ Conclusions ] • Successful attacks: not binary dependent • Social engineering – HTML injections + extras • Innovation • Underground market – User dependent • Monitoring injections • Sharing information
[ Questions? ]
[ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo

Recommended

TheGRID
TheGRIDTheGRID
TheGRIDe-Lock Corporation
 
Cybercrime
CybercrimeCybercrime
Cybercrimedeepika28g
 
Banking Fraud Evolution
Banking Fraud EvolutionBanking Fraud Evolution
Banking Fraud EvolutionSource Conference
 
A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016NetGuardians
 
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15MLconf
 
[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditing[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditingNatalino Busa
 
Indian banking
Indian bankingIndian banking
Indian bankingRakhul Nahar
 
Mobile banking project
Mobile banking projectMobile banking project
Mobile banking projectArfan Afzal
 

Recommended

TheGRID
TheGRIDTheGRID
TheGRIDe-Lock Corporation
 
Cybercrime
CybercrimeCybercrime
Cybercrimedeepika28g
 
Banking Fraud Evolution
Banking Fraud EvolutionBanking Fraud Evolution
Banking Fraud EvolutionSource Conference
 
A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016A-Z of Banking Fraud 2016
A-Z of Banking Fraud 2016NetGuardians
 
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15
David Talby, SVP Engineering, Atigeo at MLconf ATL - 9/18/15MLconf
 
[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditing[Ai in finance] AI in regulatory compliance, risk management, and auditing
[Ai in finance] AI in regulatory compliance, risk management, and auditingNatalino Busa
 
Indian banking
Indian bankingIndian banking
Indian bankingRakhul Nahar
 
Mobile banking project
Mobile banking projectMobile banking project
Mobile banking projectArfan Afzal
 
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesn|u - The Open Security Community
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsTuan Yang
 
How the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksTripwire
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipColdbeans Software
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee RoundtableHarvard PR
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
Cybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareCybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareYoungjun Chang
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product DescriptionSzymon Dowgwillowicz-Nowicki
 
Network security
Network securityNetwork security
Network securityAli Kamil
 
(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013STO STRATEGY
 
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareIsn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareJimmy Shah
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)Mikko Ohtamaa
 
Zsun
ZsunZsun
ZsunHai Nguyen
 
micro payments using coin
micro payments using coinmicro payments using coin
micro payments using coinNaga Dinesh
 
The Rise and Rise of Web Fraud
The Rise and Rise of Web FraudThe Rise and Rise of Web Fraud
The Rise and Rise of Web FraudDavid Jones
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 

More Related Content

Similar to Banking Fraud Evolution - New techniques in real fraud cases

nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesn|u - The Open Security Community
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsTuan Yang
 
How the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksTripwire
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipColdbeans Software
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee RoundtableHarvard PR
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)DCIT, a.s.
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
Cybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareCybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareYoungjun Chang
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product DescriptionSzymon Dowgwillowicz-Nowicki
 
Network security
Network securityNetwork security
Network securityAli Kamil
 
(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013STO STRATEGY
 
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareIsn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareJimmy Shah
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)Mikko Ohtamaa
 
micro payments using coin
micro payments using coinmicro payments using coin
micro payments using coinNaga Dinesh
 
The Rise and Rise of Web Fraud
The Rise and Rise of Web FraudThe Rise and Rise of Web Fraud
The Rise and Rise of Web FraudDavid Jones
 

Similar to Banking Fraud Evolution - New techniques in real fraud cases (20)

nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phonesnullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones
 
Web Security
Web SecurityWeb Security
Web Security
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
 
Hacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our ApplicationsHacking Explained and How to Safeguard Our Applications
Hacking Explained and How to Safeguard Our Applications
 
How the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market WorksHow the Stolen Credit Card Black Market Works
How the Stolen Credit Card Black Market Works
 
On Database for Mobile Phones Ownership
On Database for Mobile Phones OwnershipOn Database for Mobile Phones Ownership
On Database for Mobile Phones Ownership
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee Roundtable
 
Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)Internet Banking Attacks (Karel Miko)
Internet Banking Attacks (Karel Miko)
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browser
 
Cybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshareCybercrimes against the korean online banking systems 1227 eng_slideshare
Cybercrimes against the korean online banking systems 1227 eng_slideshare
 
2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description2012 Accumulate Mobile Everywhere - Standard Product Description
2012 Accumulate Mobile Everywhere - Standard Product Description
 
Network security
Network securityNetwork security
Network security
 
(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013
 
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareIsn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)
 
Zsun
ZsunZsun
Zsun
 
micro payments using coin
micro payments using coinmicro payments using coin
micro payments using coin
 
The Rise and Rise of Web Fraud
The Rise and Rise of Web FraudThe Rise and Rise of Web Fraud
The Rise and Rise of Web Fraud
 

Recently uploaded

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 

Banking Fraud Evolution - New techniques in real fraud cases

  • 1. [ Banking Fraud Evolution ] New techniques in real fraud cases Jose Miguel Esparza
  • 2. [ Agenda ] • Banking trojans • Tatanga: a new actor emerges • Anatomy of an e-banking fraud incident • The eternal game of cat and mouse • Real e-banking fraud incidents • Conclusions
  • 3. [ Banking trojans ] • … • ZeuS • Sinowal (Torpig) • Gozi • SpyEye • Carberp • Feodo • …
  • 4. [ Banking trojans ] Source: abuse.ch
  • 5. [ Banking trojans ] • Binaries functionalities – Bot – Configuration update – Binary update – HTML injection – Redirection
  • 6. [ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS)
  • 7. [ Banking trojans ] • Binaries functionalities – Screenshots – Capture virtual keyboards – Credentials theft – Certificates theft – System corruption (KillOS) Information theft
  • 8. [ Tatanga ] • Discovered by S21sec in February 2011 • Very low detection • MarioForever (2008) evolution? • C++ • No packers • Modular design • Anti-VM, anti-debugging • 64bits support
  • 9. [ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
  • 10. [ Tatanga ] • Proxys to distribute binaries • Weak encrypted communication with C&C • HTML injection • Man in the Browser • Records video!!
  • 11. [ Tatanga ] • Modules: XOR + BZIP2 – HTTPTrafficLogger – Comm – ModDynamicInjection – ModEmailGrabber – ModAVTrafficBlocker – ModCrashGuard
  • 12. [ Tatanga ] • Modules: XOR + BZIP2 – ModMalwareRemover
  • 13. [ Tatanga ] • Modules: XOR + BZIP2 – SSL Decrypt – FilePatcher – IMSender – HTTPSender – Coredb – SmartHTTPDoser
  • 14. [ Tatanga ] • Control panel – Statistics: country, browser, OS, AV, injections, honeypots – Injections and drops management – Storing dumps of banking webpages – Classified versions of droppers and modules – Dependencies between modules – DDoS – FTP iframer – …
  • 24. [ Anatomy of an e-fraud incident ] • Infection • Configuration file update/download • Interaction with the user Social engineering!! HTML injection, Mit(B|M|Mo), Pharming, Phishing… • Banking credentials theft
  • 25. [ Anatomy of an e-fraud incident ] • Account spying – Manual / Automatic – Getting balance to choose the victim • Fraudulent transaction – Manual Mules – Automatic Man in the Browser (MitB) • Money laundering
  • 26. [ The game of cat and mouse ] Virtual keyboard Code card OTP Token SMS : mTAN PasswordID + 2FA
  • 27. [ The game of cat and mouse ] Virtual keyboard screen/video capturing…
  • 28. [ The game of cat and mouse ] Code card pharming, phishing, injection…
  • 29. [ The game of cat and mouse ] Token mTAN …MITM, code injection
  • 30. [ The game of cat and mouse ] Virtual keyboard Code card OTP Token SMS : mTAN PasswordID + SCREEN-CAPTURING PHISHING MITM CODE INJECTION FORM GRABBING KEYLOGGING PHARMING
  • 31. [ Real e-banking fraud incidents ] • SpyEye MitB, October 2010 • Automatic fraudulent transfer – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Automatic transaction – Modification of balance and operations
  • 32. [ Real e-banking fraud incidents ] • Tatanga MitB, February 2011 • Automatic fraudulent transfer using OTP – Session of the legit user – Balance request – Account selection based on balance – Getting mules from the server – Social engineering password request – Social engineering OTP request – Automatic transaction – Modification of balance and operations
  • 33. [ Real e-banking fraud incidents ] • Tatanga MitB, February 2011
  • 34. [ Real e-banking fraud incidents ] • ZeuS Man in the Mobile (MitMo) – September 2010, Spain – February 2011, Poland
  • 35. [ ZeuS Man in the Mobile ]
  • 36. [ ZeuS Man in the Mobile ] Each day we try to improve your security. Lately we have noticed many mobile SIM cloning attacks that result in fraudulent transfers. Due to the increase of these incidents, we have implemented a new mobile identification method, using a digital certificate. The certificate works in smartphones and is an additional method of protection. This application ensures that only you can access your online account. Please click here to start the installation
  • 37. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  • 38. [ ZeuS Man in the Mobile ] Please choose your mobile manufacturer and model and add your mobile number. The digital certificate installation link will be sent via SMS. Please download and install the application
  • 39. [ ZeuS Man in the Mobile ] Source: http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
  • 40. [ ZeuS Man in the Mobile ] The certificate installation program link will be sent by SMS. Once received, please download and install the aplication.
  • 41. [ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later!)
  • 42. [ ZeuS Man in the Mobile ] Serial Number: BF43000100230353FF7915 9EF3B3 Revocation Date: Sep 28 08:26:26 2010 GMT Serial Number: 61F1000100235BC2794380 405E52 Revocation Date: Sep 28 08:26:26 2010 GMT
  • 43. [ ZeuS Man in the Mobile ] http://dtarasov.ru/smsmonitor_lite.html
  • 44. [ ZeuS Man in the Mobile ] Spoofed SMS Sender ID ID Token (remember this for later! It is important) …sent to a UK mobile phone.
  • 45. [ ZeuS Man in the Mobile ] ON / OFF SET ADMIN ADD REM SET …sent from the “bad guy” mobile phone. SENDER ALL
  • 46. [ ZeuS Man in the Mobile ]
  • 47. [ ZeuS Man in the Mobile ]
  • 48. [ ZeuS Man in the Mobile ] if ($urlPathExt == ’sis') { $oGate->addHeader('Content-Type: application/vnd.symbian.install'); if ($data['mobile_os_type'] == OS_SYMBIAN_78) $oGate->outputFile('./symbian/cert_78.sis.txt'); else if ($data['mobile_os_type'] ==OS_SYMBIAN_9) $oGate->outputFile('./symbian/cert_9.sis.txt');} if ($urlPathExt == 'cab') { $oGate->addHeader('Content-Type: application/cab'); if ($data['mobile_os_type']==OS_WINDOWS_MOBILE_2K) $oGateoutputFile('./wm/cert_uncompress.cab.txt');else if ($data['mobile_os_type']=OS_WINDOWS_MOBILE_GR5) $oGate->outputFile('./wm/cert_compress.cab.txt'); if ($urlPathExt == ’cod') {$oGate->addHeader('Content-Type: application/vnd.rim.cod');if ($data['mobile_os_type'] == OS_BLACKBERRY_41) $oGate->outputFile('./blackberry/cert_41.cod.txt'); else if ($data['mobile_os_type'] == OS_BLACKBERRY_GR44)
  • 49. [ ZeuS Man in the Mobile ] Remember the token ? mysql_unbuffered_query(“ UPDATE sms_list SET mobile_os_version=$mobile_os_version, is_downloaded='YES', ts_downloaded=$ts_downloaded WHERE token='$token'");
  • 50. [ ZeuS Man in the Mobile ] ZeuS infected
  • 51. [ ZeuS Man in the Mobile ] ZeuS infected
  • 52. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD
  • 53. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected
  • 54. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
  • 55. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
  • 56. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected COMMANDS
  • 57. [ ZeuS Man in the Mobile ] OTP: 0023424 COMMANDS ZeuS infected ID + PASSWORD Mitmo Infected
  • 58. [ ZeuS Man in the Mobile ] ZeuS infected ID + PASSWORD Mitmo Infected GAME OVER OTP: 0023424 COMMANDS
  • 60. [ Conclusions ] • Successful attacks: not binary dependent • Social engineering – HTML injections + extras • Innovation • Underground market – User dependent • Monitoring injections • Sharing information
  • 62. [ Thank You!! ] Jose Miguel Esparza jesparza s21sec.com @eternaltodo