Man-in-the-browser attack vectors

1. Man-in-the-Browser Attack Vectors Gunter Ollmann – Chief Security Strategist IBM Internet Security Systems gollmann@us.ibm.com http://blogs.iss.net/ IBM Date/Time: Tuesday (November 18, 2008) 4:00pm - 5:00pm Topic: Web 2.0

4. Threat Evolution

8. Man-in-the- Middle – old news?

13. Intercepting Traffic – Man-in-the-browser Trojan Application Local Proxy Agent OS Hooking Keyloggers, Screen grabber TCP/IP Stack Interception Packet inspection, pre/post SSL logging System Reconfiguration DNS Settings, Local HOST file, Routing tables, WPAD and Proxy settings Traditional Malware Operates and intercepts data at points through which the Web browser must communicate Man-in-the-browser Malware hooks inside the Web browser

14. API Hooking Malware Application The Web browser WinInet httpsendrequest(), navigateto() Winsock TCP/IP stack Clean System Internet Malware Proxying Web browser data . Application The Web browser WinInet httpsendrequest(), navigateto() Winsock TCP/IP stack Internet Infected System Manipulate Copy, redirect, script, change, insert, sell.

16. Crime with Man-in-the- Browser

19. MITB – Grabbing Login Credentials Original pre-login fields UID, password & site Modified pre-login fields Now with ATM details and MMN New fields added MITB malware inserted additional fields. Records them, and sends them to the attacker

20. MITB – Grabbing Login Credentials Modified pre-login fields Now with ATM details and MMN Programmable Interfaces Malware authors developing an extensible platform that can be sold or rented to other criminals Configuration files XML support, dynamic updates

21. Hiding in Plain Sight

23. MITB – State-of-the-art Banking Proxy Trojan Attacker makes off with the money and the victim is unaware a transaction has occurred Victim logs in to the bank “securely” and banks “normally” Proxy Trojan starts functioning once the victim logs in Intercepts each transaction Calculates what is supposed to be in the account Modifies the page that appears to the victim Steals some money

24. Honing in on the Transaction Customer logs in Authenticates successfully and securely Transfers Customer navigates to the fund transfer interface Validation Customer asked to provide a validation key for the transaction – may include a bank-issued “salt” value 2 nd Submission Customer clicks “Submit” to proceed Confirmation Transfer complete Transaction Validation As an anti-keylogger and anti-replay technique, some banking applications require the use of a separate “ validation” code for each transaction Payment Details The customer proceeds with entering transfer details (from, to, value, when, etc.) Submission Customer clicks “Submit” to proceed Submit Submit

25. Honing in on the Transaction – Malware Injection 2 nd Submission Customer clicks “Submit” to proceed Payment Details Customer enters their transfer payment details Background Malware In the background, the proxy Trojan has created it’s own transfer details Submission Customer clicks “Submit” to proceed Validation Customer asked to provide a validation key for the transaction – maybe including a bank-issued “salt” value Malware Fakes The malware fakes a “validation failure” even though the fake transaction worked. Prompts user to “try again” 2 nd Validation Customer enters another validation code 3 rd Submission Malware submits the original “real” customer transfer information Confirmation 2 nd transation is confirmed back to the customer. In reality, two transfers have been conducted Submit Submit Submit

27. Social Engineering past CAP Transfers - Original Transaction Validation Assuming the customer has already logged in, they must successfully navigate multiple pages to complete a funds transfer.  Page (1) Which FROM account? Page (2) How much? Where TO? Page (3) Are details correct? Page (4) CAP instructions and CODE? Page (5) Validation complete!

28. Social Engineering past CAP Transfers - Injected  Transaction Monitoring The malware continuously monitors the customer as they navigate the pages to conduct a funds transfer HTML Page Insertion An extra page is inserted in to the transfer sequence and requests an additional CAP “ Security Code”. Page (1) Which FROM account? Page (2) How much? Where TO? Page (3) Are details correct? Page (4) CAP instructions and CODE? Page (5) Security CODE? Page (6) Validation complete!

31. An Entwined Threat

34. PROTECTION STRATEGIES

41. Questions? Gunter Ollmann – Chief Security Strategist IBM Internet Security Systems gollmann@us.ibm.com http://blogs.iss.net/ IBM Date/Time: Tuesday (November 18, 2008) 4:00pm - 5:00pm Topic: Web 2.0