HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And Exciting Ways To Steal Your Cash
1. Money Is In The Eye Of The Beholder: New And Exciting Ways To Steal Your Cash
Yuval Vadim Polevoy – Hackito Ergo Sum 2011
2. Agenda
A bit of nostalgia
Listening to the wind of change
Fraudsters going brutal
Security industry catching up
Fraudsters prepare to take the next leap
3. Geek Viruses
My virus beats your virus!
Naïve exploitation of poorly written systems
Fun oriented
Developed by "Basement Dwellers" in their spare time
No financial gain
4. Business Viruses – Brave New World
Fun turns to profit
Financially oriented:
• Clickers
• Espionage
• Ransomware
• Financial Crimeware
Developed by underground companies as fully commercial software
5. Financial Crimeware
Basic Idea:
• Obtain login credentials
• "Keep it secret – keep it safe!" – Gandalf the Grey
• Login using stolen data
• Buy / sell stocks
• Pay your bills
• Transfer some cash to your grandma
13. Simple, right? WRONG!
Technology:
• Bot
• Infecting the right victims
• Obtaining and maintaining a drop-point:
• DNS
• Storage
• Uptime
14. War it is!
Small transfers
Short-distance transfers (same branch and/or location)
Mules
Bullet-proof hosting
SOCKS proxies
Fast-flux
15. Mules
Unsuspecting third party doing the dirty work
Set up a phony company webpage
Hire people to "cash out" the stolen money:
• Either transfer the cash via cash-wiring services, etc.
OR
• Buy goods and ship them over
OR
• Log in to online gambling sites and "lose"
16. Mules - cont
Mules cannot be punished effectively: they are unsuspecting third parties, not the thieves
Two-step plan for successful "cashing out":
• Have more mules than bots
• Come up with creative and untraceable ways to transfer the cash / goods
20. Two-Factor Authentication
The first secret (the password) is assumed to be compromised
The second secret lives on a decoupled medium
Internet math:
User knows it
+
User has a Trojan
=
I know it!
I, for one, welcome our new Man-In-The-Browser (MITB) overlords
21. MITB Usage
Spot a user-initiated money transfer
Replace the destination bank account with your account / a mule's account
Sit back and let the user do all the authentication for you
• (Have a beer!)
22. MITB Advanced Usage
Spot a user-requested history view
Replace the "hijacked" transfers with their original destination, so the user sees what they expected
Open an iframe in the background and initiate money transfers on your own
• If two-factor authentication is encountered, relay the challenge to the user
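The two MITB slides above, together with the "Internet math" of slide 20, describe the same weakness from both sides: a second factor that only proves the user is present can be relayed by the trojan alongside a rewritten transfer. The Python simulation below is an added example, not code from the talk; it models the destination rewrite and contrasts a session-bound OTP (relayed, transfer accepted) with a transaction-bound code that the user computes over the destination and amount they intended (the rewritten transfer no longer verifies). The account numbers, shared key, amount and session id are constructed for the example.

```python
"""Simulation of a Man-in-the-Browser (MITB) transfer hijack against two
kinds of second factor. Added example; all values below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed sample data. The key is shared between the bank and the user's
# offline signing device (or OTP app); the trojan in the browser never sees it.
DEVICE_KEY = b"per-user-secret-provisioned-out-of-band"
INTENDED_DEST = "DE89 3704 0044 0532 0130 00"   # what the user typed
MULE_DEST = "GB29 NWBK 6016 1331 9268 19"       # where the trojan points it
AMOUNT = "250.00"


@dataclass(frozen=True)
class Transfer:
    dest: str
    amount: str
    code: str = ""   # second factor presented with the request


def mitb_rewrite(t: Transfer, mule_dest: str) -> Transfer:
    """The injected browser code: swap the destination the user entered for
    the mule account, leaving the amount and any code the user typed intact
    (slide 21: 'let the user do all the authentication for you')."""
    return replace(t, dest=mule_dest)


def session_otp(key: bytes, session_id: str) -> str:
    """Weak second factor: a code bound only to the login session. Whatever
    the user types into the browser is visible to the trojan, so the code is
    simply relayed with the rewritten transfer (slide 22)."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()[:6]


def transaction_code(key: bytes, dest: str, amount: str) -> str:
    """Transaction-bound second factor ('what you see is what you sign'): the
    user keys destination and amount into an offline device, which MACs them.
    A code over one destination does not verify over another."""
    msg = f"{dest}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def bank_accepts_session_otp(t: Transfer, key: bytes, session_id: str) -> bool:
    return hmac.compare_digest(t.code, session_otp(key, session_id))


def bank_accepts_transaction_code(t: Transfer, key: bytes) -> bool:
    # The bank verifies over the destination/amount it actually received.
    return hmac.compare_digest(t.code, transaction_code(key, t.dest, t.amount))


def run_with_session_otp(hijacked: bool) -> tuple[bool, str]:
    """Returns (accepted by bank, destination the bank would credit)."""
    session = "sess-42"
    t = Transfer(INTENDED_DEST, AMOUNT, code=session_otp(DEVICE_KEY, session))
    if hijacked:
        t = mitb_rewrite(t, MULE_DEST)
    return bank_accepts_session_otp(t, DEVICE_KEY, session), t.dest


def run_with_transaction_code(hijacked: bool) -> tuple[bool, str]:
    """Same flow, but the code is computed over what the user intended."""
    code = transaction_code(DEVICE_KEY, INTENDED_DEST, AMOUNT)
    t = Transfer(INTENDED_DEST, AMOUNT, code=code)
    if hijacked:
        t = mitb_rewrite(t, MULE_DEST)
    return bank_accepts_transaction_code(t, DEVICE_KEY), t.dest


if __name__ == "__main__":
    print("session OTP, no MITB:     ", run_with_session_otp(False))
    print("session OTP, MITB:        ", run_with_session_otp(True))
    print("transaction code, no MITB:", run_with_transaction_code(False))
    print("transaction code, MITB:   ", run_with_transaction_code(True))
```

The caveat a practitioner should keep in mind: the transaction-bound code only helps if the user enters the destination into the device from their own source (the invoice, the recipient's details), not by copying a value shown in a browser the trojan controls, and it does nothing against social engineering that talks the user into signing the mule account themselves.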
25. War it is, Take II
Security industry catching up
Keyboard sniffers are tackled with virtual on-screen keyboards
MITB is getting a lot of attention:
• Obfuscating documents to prevent HTML injection
• High-logic tests to determine the origin of the request
26. Divide and Conquer
Obviously not a one-man gig
Function-based approach
• Or is it "outsourcing"?
A multi-stage cross-border sting operation
• Now Hiring: VP of Operations for an international money stealing
venture
In Soviet Russia, criminals cyber you
• The Al Capone of the Digital Age
33. Russ ZeuS Hamilton
A wide range of online games where "seeing" the opponent's screen guarantees winning
• A subset of these involve real-money gambling
The other side doesn't know you're cheating
• The perfect theft!
• As long as you keep a low profile, of course
Also takes care of virtual keyboards!
34. Screen Scraping
More than one way to get it done
• Which way do you protect against?
Cannot be hermetically monitored
Gets no attention
• Various legitimate programs use screen capturing to display advanced visual effects
The new cat-and-mouse game