Banks in the Crosshairs: 8 Ways Cybercriminals Outfox Strong Security Controls

These days, cybercriminals are successfully circumventing advanced security controls with the precision of a sniper. In the crosshairs are banks, financial institutions, governments and enterprises. In a recent Gartner survey, 76 U.S. banks indicated that malware-based attacks were a growing problem and that fraudsters were able to defeat defenses such as advanced profiling systems, risk-based authentication and even most strong authentication methods.

Unlike the old shotgun approach, attackers now carefully study their prey using cyberreconnaissance techniques. They use this knowledge along with social engineering techniques and advanced malware to target the five-step transaction lifecycle below.

  1. Prelogin – before the user initiates a transaction
  2. Login – while the user is logging into the Web application
  3. Postlogin – immediately after authenticating to an online banking site
  4. Transaction – while the user is conducting a sensitive business transaction
  5. Post-transaction – after the transaction has been approved

Here are eight common methods Cybercriminals are using to routinely defeat the strongest security controls available today.

Evading Detection With Code Obfuscation

Recent analysis shows that cybercriminals are now less likely to prompt end users to download malware during the prelogin phase. Instead, they focus on exploiting browser vulnerabilities to infect machines. Users, in turn, get infected through techniques such as search engine poisoning, whereby they are routed to malicious websites that contain exploit code. In some cases, cybercriminals even break into genuine websites (such as news portals), where they embed exploit code.

Since some security solutions create exploit code signatures to detect attacks, fraudsters are simply obfuscating their code by making small changes that do no affect its ability to execute fraud tactics. However, this serves to create a new undetected exploit code signature.

Bypassing Virtual Keyboards

To protect against keylogging during the login phase, some websites have introduced so-called virtual keyboards. These are implemented via HTML and Javascript in the browser and present virtual keys that are clicked using the mouse instead of the keyboard, rendering key logging ineffective.

However, some malware families are capable of generating a screen capture with every mouse click during login, then sending the captured sequence of screens to the fraudster, where they can be sifted through visually to steal login credentials.

Stealing Sensitive Data Using Fake Web Forms

Thanks to increased end-user education, most people are wary of phishing emails, especially those requesting personal information. However, users are less likely to suspect similar requests that originate from a genuine bank website.

Man-in-the-browser (MitB) Web injection attacks take advantage of the trust people bestow on authenticated online banking sessions. The malware simply waits for the end user to log into a targeted website (for example, an employee VPN site or an online banking site). After the user logs in, the malware injects an HTML page that asks for additional credential information for “security reasons.” These stolen credentials allow fraudsters to use or sell credentials and commit online account take-over fraud.

Real-Time Theft of Two-Factor Authentication Credentials

To address phishing and key/screen logging attacks, many organizations have implemented two-factor authentication methods that use one-time passwords (OTPs) sent through an out-of-band (OOB) channel such as mobile SMS messages or a token device. Delivering OTPs using mobile SMS is considered one of the most effective strong authentication mechanisms.

However, fraudsters have developed sophisticated methods to circumvent this security measure by capturing OTPs in real time. We have even discovered schemes used to trick users into providing the security codes fraudsters need to change users’ mobile phone of record so that OTPs are sent to a phone number controlled by the criminals. Other fraudsters have developed malicious mobile software that, once installed on the victim’s mobile device, redirects SMS messages to the fraudster after the user logins. Fake Web pages are used to carry out social engineering attacks that lure users to download this malware to their mobile under the pretense that it is “an additional security measure” offered by the service provider.

Social Engineering to Circumvent Transaction Signing

To fight on-the-fly transaction tampering, some banks have implemented card-reader transaction signing systems. Users are issued a standalone card reader and a Chip and PIN card, and are required to authenticate each transaction.

Recent research has shown that fraudsters have used post-login fake “security training” or “device calibration” schemes to trick users into generating a transaction verification code and surrendering it to them.

Malware Adopting Human-like Behavior

Many malware variants are preconfigured to identify post login authenticated sessions and automatically perform preconfigured transactions (for example, money transfers) behind the scenes, while the end user is presented with an overlaid/altered screen showing a security or operational message.

These malware-generated automated transactions typically exhibit non-human behaviors during online banking sessions — for example, activities performed too quickly (quicker than a human being is capable) or pages normally presented to the user being skipped (malware using a direct URL to a page). To avoid detection, new malware variants meticulously try to imitate user actions by simulating human data entry and button clicks and adding artificial, random delays between page transitions to make them appear normal.

Hiding Post-Transaction Validation Emails

Sending emails and SMS messages for authorized transactions is commonly used as a means to confirm their authenticity. If customers receive a transaction notification for a transaction they did not initiate or approve, they can contact the bank to stop the money transfer.

A recent malware configuration reveals that fraudsters have found a way to short-circuit this post-transaction validation method. MitB malware (like Zeus) can be configured to inject code into popular Web-mail systems to hide email messages that contain text typically found in banking confirmation messages, such as “Payment Confirmation” or “Payee Update.” With the malware hiding these messages from the victim, the fraudulent transaction can go unnoticed for days and weeks.

Persistent Transaction History and Account Balance Manipulation

Recently we discovered a SpyEye post-transaction attack configuration which, instead of intercepting or diverting email messages, automatically and persistently manipulates the bank account transaction history and balance webpage presented to the customer. The attack unfolds as follows:

  • First, a man-in-the-browser attack is launched during an online banking session;
  • Next the victim’s username and password and/or debit card data are captured (see “Stealing Sensitive Data Using Fake Web Forms”) above;
  • Then, fraudulent online banking transactions are carried out and/or the debit card data is used to commit fraud;
  • Whenever a customer logs into their online banking site, a post-transaction attack is launched that hides fraudulent transactions from the victim.

Understanding ‘Crime Logic’ Is the Key to Defense

Since cybercrime can occur at different phases of an online banking transaction and use a multitude of attacks methods, recognizing “crime logic” rather than just a single instance of code is the key to defeating these attacks.

There are two steps to this process. First, it is vital to quickly detect crime logic. Next, it is necessary to adapt existing defenses to block new forms of attack. This requires the integration of security layers with a cybercrime intelligence gathering mechanism to create adaptive protection.

When deployed together, the following three elements create an adaptive protection architecture:

  • Software which resides on endpoints and collects intelligence, removes existing instances of malware and blocks future infections.
  • Protection integrated into Web applications that can detect and block infected machines at login.
  • An overarching cybercrime monitoring capability that actively analyzes evolving threats, develops countermeasures, and pushes these out to the endpoint and web application protection software.

Intelligence-based adaptive protection is the only way to keep pace with the continuing evolution of malware and cybercrime tactics that are now adept at bypassing the most advanced, yet static, security controls in use today.

Amit Klein is CTO and head of security intelligence for cybercrime prevention vendor Trusteer.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

E-Commerce Times Channels