Thursday, December 11, 2014

Man in the Browser – The Online Banking Nightmare

Since 2004 the popularity of online banking has been rising rapidly, and hackers, fraudsters, cybercriminals and other individuals with malicious intentions present serious threats to it. These threats have led banks to adopt internal and external security countermeasures. Internal measures include multiple defense layers: DMZs, filters, firewalls, intrusion prevention systems, honeypots, packet analyzers and so on. On the external side, banks imposed security features on their clients, including strong passwords, two-factor authentication, tokens, virtual keyboards, Secure Sockets Layer (SSL) encryption and awareness guides.
When cybercriminals realized that attacking the banks directly had become costly and time-consuming, they switched to the weaker link: the user, the person using the online banking service.
A new attack therefore emerged, the Man in the Browser (MITB) attack. It threatens current online banking systems not by defeating the top-notch security implemented by banks but by targeting the less aware and more vulnerable end user.

Two-Factor Authentication

Two-factor authentication, also known as two-step verification, is a process in which two stages verify the identity of a person trying to access a service on a computer or network. One factor is typically something memorized, such as a password or PIN; the other is something the person possesses, typically a one-time password (OTP) generated by a physical token or card, or delivered to the person's mobile phone by SMS.
Because this method raises the level of security and reduces identity theft, it has been adopted not only by financial institutions (online banking) but also by several online service providers (social media, cloud storage and email services).
The adoption of TFA (two-factor authentication) significantly decreased fraud figures in the last two years. For example, if a hacker succeeds in obtaining a customer's login password, by cracking it with commonly used tools or by stealing it through spear phishing, he will still not be able to proceed without supplying the online banking website with the second verification, the OTP sent to the customer's personal mobile phone by SMS. In this case the hacker, besides holding the password, would need access to the customer's mobile phone to use the received code and complete any transaction.
Moreover, TFA gives an elevated sense of security to the customer and to the issuing financial institution. Then the MITB attack was introduced.


MITB: Man-In-The-Browser-Attack

Man in the Browser, a variant of the notorious Man in the Middle attack, is an internet threat introduced onto the victim's system by malware, mainly a Trojan, that hooks into the web browser (through browser extension mechanisms such as helper objects and add-ons, API hooks, or browser vulnerabilities) and aims to modify web pages and transaction content, or even insert additional transactions. All of these modifications are done covertly, invisible to both the user and the host web application. Because the Trojan runs inside the browser, it reads and alters data after it has been decrypted from the secure channel and before it is encrypted on the way out, so SSL/TLS offers no protection against it. The Trojan hides itself in the browser process and can be programmed to activate only when the user visits a specific online banking website.
The malware is usually introduced when the user is tricked into clicking an applet placed on a fraudulent website; the applet typically claims that an update or plug-in is needed to view content that is not displayed. Clicking it executes a script that runs the malware and infects the browser.
When a MITB attack is running it can intercept, manipulate and modify the contents of online banking web pages, for example by adding extra fields, in order to trick and outsmart second-factor authentication mechanisms.
Two well-known scenarios illustrate this clearly:
Example 1: when a user with an infected browser initiates a transaction, the attacker can change several parameters of the transaction, including but not limited to the amount or the beneficiary, while the victim's browser still displays the original, correct information, so the user believes he entered valid data. The user then inputs his authentication credentials along with the OTP generated for this transaction and submits it for processing. The attacker can even modify the account statement so that the user sees the legitimate transaction apparently being processed.
Example 2: some online banking services require the user to enter more than one OTP: one at the login page to verify the user's identity, another when a transaction is submitted, or another when the online banking page has been idle for a long time. The attacker takes advantage of these prompts by injecting a fake one, tricking the user into generating an OTP and entering it into a field completely controlled by the attacker, which hands the attacker a fresh, unused OTP. The attacker then uses this OTP to conduct a fraudulent transaction with the victim's correct credentials.
In both examples the banks involved cannot tell that the transactions are fraudulent, since they appear to originate from the authentic customer, so the transactions are processed normally and flagged legitimate.
So, to sum up the basic flow of a Man in the Browser Attack:
  1. A customer's PC is infected by a Trojan designed to launch a MITB attack
  2. When the customer initiates an online transaction, the Trojan activates
  3. The victim enters all the credentials and authentication codes required
  4. The Trojan modifies the transaction details
  5. The Trojan deceives the user by displaying fake pages that show the transaction details originally entered by the user
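The following is an added example, not code from the original article, that models the two tricks described above in a few dozen lines of JavaScript: a "web inject" rule that splices an extra field into the bank's page (Example 2), and a submission hook that swaps the beneficiary and amount while rewriting the statement so the victim sees what he typed (Example 1). The bank page, the rule format, the mule account number and the helper names are all constructed for the demo.

```javascript
// Added example (not from the original article). A MITB Trojan runs inside the
// browser, so it sees the bank's HTML after TLS decryption and can edit it
// before rendering, and edit the POST body before it is encrypted.

// A "web inject" rule: on pages whose URL starts with `url`, replace whatever
// lies between `before` and `after` with `inject`. The rule format here is a
// simplified, hypothetical one; the bank page in demo() is constructed.
const INJECT_RULES = [
  {
    url: 'https://bank.example/transfer',
    before: '<input type="submit" value="Transfer">',
    after: '</form>',
    inject: '<p>Security check: enter the code from your token</p>' +
            '<input name="otp2" value="">',
  },
];

function applyWebInjects(url, html, rules) {
  let out = html;
  for (const rule of rules) {
    if (!url.startsWith(rule.url)) continue;
    const start = out.indexOf(rule.before);
    if (start < 0) continue;
    const insertAt = start + rule.before.length;
    const end = out.indexOf(rule.after, insertAt);
    if (end < 0) continue;
    out = out.slice(0, insertAt) + rule.inject + out.slice(end);
  }
  return out;
}

// Example 1 from the text: the Trojan hooks form submission, swaps the
// beneficiary and amount in what the browser actually sends, and keeps the
// victim's original values so later pages can be patched to match them.
const MULE_ACCOUNT = 'DE00MULE0000000000'; // constructed placeholder

function hijackTransfer(submitted) {
  const sent = {
    ...submitted,
    iban: MULE_ACCOUNT,
    amount: (Number(submitted.amount) * 10).toFixed(2),
  };
  return { sent, original: submitted };
}

// The bank's confirmation page and statement describe the mule transfer;
// the Trojan rewrites them so the victim sees the values he entered.
function rewriteStatement(html, sent, original) {
  return html.split(sent.iban).join(original.iban)
             .split(sent.amount).join(original.amount);
}

// Demo: what the bank receives versus what the victim is shown.
function demo() {
  const page = applyWebInjects('https://bank.example/transfer?step=1',
                               '<form><input type="submit" value="Transfer">\n</form>',
                               INJECT_RULES);
  const typed = { iban: 'NL00VICTIM0000000001', amount: '100.00' }; // constructed
  const { sent, original } = hijackTransfer(typed);
  const bankStatement = `<tr><td>${sent.iban}</td><td>${sent.amount}</td></tr>`;
  const shownToVictim = rewriteStatement(bankStatement, sent, original);
  return { page, sent, bankStatement, shownToVictim };
}
```

Running demo() shows the bank's own record carrying the mule account and ten times the amount, while the page rewritten for the victim carries his original beneficiary and amount. Nothing in the bank's server-side logs distinguishes this from a genuine customer request, which is why the mitigations in the next section move verification out of the browser.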

MITB attacks are not confined to one region or geography; they are a global threat. Because they are hard and expensive to conduct, they are usually carried out by well-funded, well-organized cybercriminals, who mostly target clients or accounts with a high volume of transactions and multi-user authorization, that is, accounts managed by several users within an organization.

MITB Mitigation

Ensuring the confidentiality and integrity of customers' online banking, and reducing the financial impact of online fraud, are of high importance to financial institutions. Although attackers will keep finding technical and non-technical ways to commit fraud, there are, in the case of MITB, some concepts and methods that reduce the financial impact.
The first is out-of-band (OOB) authentication and transaction verification. OOB requires that authentication and transaction verification are performed outside the customer's web browser, and essentially outside the customer's PC. A common form is delivering an SMS OTP together with the details of the transaction as the bank received them, so the user can review and confirm those details before entering the OTP into the browser. Two points decide whether this actually defeats the attacks above: the code must be bound to the specific transaction details (beneficiary, amount) rather than being a general-purpose OTP that the Trojan can harvest and reuse, and the customer must actually read the details in the message rather than just copying the code. An SMS that carries only a code gives no protection against Example 1.
The second method is an enforced secure browsing environment. For example, some financial institutions give their customers a portable web browser stored on a USB authentication token. The USB device is set to read-only, which prevents any user, attacker or software from modifying the data stored on it, so an infection cannot reach the stored browser application. This trusted browser can also be pre-configured by the bank to open specific pages and block any attempt to navigate to other sites. Note that the browser still executes on the customer's operating system: a Trojan already running there with sufficient privileges can hook the portable browser's process in memory just like the installed one, so this measure raises the attacker's cost rather than removing the risk.
Another effective method is behaviour-based fraud detection. User profiling establishes a baseline of normal behaviour so that abnormal behaviour can be detected and the user alerted before a transaction is executed. For example, if a bank detects that an online banking customer is conducting an unusual transaction (a new beneficiary, a currency not used before, a new location for the online banking session, etc.), it stops the transaction and requires direct intervention from the user to verify it, by SMS, email or even a phone call. The bank's systems learn the user's patterns and behaviour over time to improve the screening.
There are several ways to fight MITB attacks, but the most effective is user awareness. Total dependence on technical measures is insufficient. When entering into an online banking agreement with customers, banks should provide adequate training, materials and even awareness quizzes and instructions that teach the user to spot inappropriate or malicious activity on his PC, and in his browser specifically. Banks should acknowledge that protecting their security extends beyond their own perimeter to the client side.
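The following added example, not from the original article, is a toy version of the behaviour-based screening described above. A profile is built from a customer's past transfers, and a new transfer is scored by how many of its attributes are new for that customer. The history, the weights and the step-up threshold are constructed for the demo; a production system would learn them from far more data.

```javascript
// Added example (not from the original article): profile-based screening of
// a transfer before execution. All data below is constructed.
const HISTORY = [
  { iban: 'NL00SUPPLIER000000001', amount: 120.0, currency: 'EUR', country: 'LB', hour: 10 },
  { iban: 'NL00SUPPLIER000000001', amount: 95.5,  currency: 'EUR', country: 'LB', hour: 11 },
  { iban: 'FR00LANDLORD00000002',  amount: 800.0, currency: 'EUR', country: 'LB', hour: 9 },
  { iban: 'NL00SUPPLIER000000001', amount: 130.0, currency: 'EUR', country: 'LB', hour: 14 },
];

// Baseline of "normal" for one customer.
function buildProfile(history) {
  return {
    beneficiaries: new Set(history.map(t => t.iban)),
    currencies:    new Set(history.map(t => t.currency)),
    countries:     new Set(history.map(t => t.country)),
    hours:         new Set(history.map(t => t.hour)),
    maxAmount:     Math.max(...history.map(t => t.amount)),
  };
}

// Each novel attribute adds its weight; at or above the threshold the bank
// holds the transfer and asks the customer to confirm out of band.
const WEIGHTS = { beneficiary: 3, currency: 2, country: 3, amount: 2, hour: 1 };
const STEP_UP_THRESHOLD = 5;

function scoreTransfer(profile, tx) {
  const reasons = [];
  if (!profile.beneficiaries.has(tx.iban)) reasons.push('beneficiary');
  if (!profile.currencies.has(tx.currency)) reasons.push('currency');
  if (!profile.countries.has(tx.country)) reasons.push('country');
  if (tx.amount > 2 * profile.maxAmount) reasons.push('amount');
  if (!profile.hours.has(tx.hour)) reasons.push('hour');
  const score = reasons.reduce((sum, r) => sum + WEIGHTS[r], 0);
  return { score, reasons, action: score >= STEP_UP_THRESHOLD ? 'step-up' : 'allow' };
}
```

A point the scoring makes visible: a MITB Trojan submits its transfer from the victim's own machine, during the victim's own session, so location and time look perfectly normal and only the beneficiary and amount stand out. A new beneficiary with a modest amount scores 3 here and is allowed, which is why banks weight new-beneficiary transfers heavily and why screening works best combined with the out-of-band confirmation above rather than on its own.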

Finally, a combination of customer awareness and education, the correct use of alerting systems, and keen behavioural screening and monitoring can give the online banking industry effective protection against MITB attacks. These measures will not guarantee a fraud-free environment, but they significantly lower the risk of being bitten by a malicious attacker.

This article is cross posted in the Lebanese "Certified Accountant" Magazine issue 52 - Year 2014 

Friday, June 6, 2014

A Big Problem: Cryptolocker the Ransomware

Cryptolocker is back in the headlines, thanks to a coordinated effort to take down the computers and criminals that run the notorious "ransomware". But what is it? And how can you fight it?

Cryptolocker is ransomware: malicious software which holds your files to ransom

The software is typically spread through infected email attachments, or as a secondary infection on computers already compromised by other malware that offers a back door for further attacks.
When a computer is infected, it contacts a command-and-control server for the key material it needs to activate, and then begins encrypting files on the infected computer with it. Once the files are encrypted, it displays a message demanding payment to decrypt them, and threatens to destroy the information if it is not paid.

The authorities have won users a two-week window of safety
The National Crime Agency (NCA) announced yesterday that the UK public has got a "unique, two-week opportunity to rid and safeguard" themselves from Cryptolocker. The agency didn't go into more detail, but it seems likely that at least one of the central servers which Cryptolocker speaks to before encrypting files has been taken down.
The NCA has also taken down the control system for a related piece of software, known as GameOver Zeus, which provides criminals with a backdoor into users' computers. That back door is one of the ways a computer can be infected with Cryptolocker in the first place.
What that means is that, until the window closes and the malware cycles to new servers, users who are infected with Cryptolocker will not lose their files to encryption, because the malware cannot fetch what it needs to start. These users therefore have the chance to remove it before it destroys data, using conventional anti-virus software. In other words, there has never been a better time to update the protection on your computer.
But watch out: while the servers that control Cryptolocker are out of action, it is possible to be infected and not know it. If you do not clean your computer, then at the end of the two-week period you could be in for a nasty surprise.

Cryptolocker only infects PCs, but there are other types of ransomware
Cryptolocker is the name of one particular piece of malware, which only infects Windows PCs running XP, Vista, Windows 7 or Windows 8. So if you use an Apple computer, it cannot affect you; similarly, smartphones are safe from Cryptolocker.
Although it is the most famous example of ransomware, it is not the only one. Even in the two-week window, PC users may be infected with other types of ransomware, and Android and Mac OS users should carry on with their normal security precautions. Being safe from one type of malware does not mean you are safe from all of them.

If you've been infected by Cryptolocker, your files really are gone unless you have a backup
Some ransomware is little more than a confidence trick, presenting a message asking for payment without having done anything to the user's files. Cryptolocker is not like that: it really does encrypt your files, with encryption strong enough that it cannot be broken by brute force even by the fastest computers in the world, even given the entire lifetime of the universe to work on it.
That means you will have to rely on backups of your data to get it back. But it is important that you do not try to restore your data before you clear the infection from your computer, otherwise you could lose your backup too. Bear in mind also that Cryptolocker encrypts files on connected drives and network shares, so a backup that stays permanently attached to the infected machine may already have been encrypted along with everything else.

Sometimes paying the ransom will work, sometimes it won't
Except, of course, there is another possibility. Some users hit with Cryptolocker report that they really did get their data back after paying the ransom, which is typically around £300. But there is no guarantee it will work, because cybercriminals are not exactly the most trustworthy group of people.
What is more, if the NCA really is bringing down the command-and-control servers, then the criminals may not be able to return the data even if the ransom has been paid. There is also a whole range of malware that goes out of its way to look like Cryptolocker and will not hand back the data if victims pay. Plus, there is the ethical issue: paying the ransom funds more crime.

This article was originally posted on: