Wednesday 2 October 2013

Money Online: Threats And Electronic Payment Protection

Online shopping, online money transfers and online banking save us a lot of time and make our lives easier. However, these same technologies also make life easier for cybercriminals by offering them new and easy ways to steal users’ money. Using stolen payment data is an effective and popular way of making a quick profit. Although banks try to protect their customers, attacks against individual users are still quite common. Hacking a bank is more time-consuming and expensive and the risk of being caught is higher. By contrast, many individual customers use computers with numerous vulnerabilities, which are easier to compromise. By stealing a relatively small amount from each hijacked online banking account, a cybercriminal has a good chance of going undetected. Significantly, attacks against individual customers are largely automated and require almost no operator involvement.

Weapons of mass infection

Banking Trojans have been popular in the criminal market for several years. The huge number of potential victims who do not keep applications on their computers up-to-date gives enormous opportunities to cybercriminals. A Trojan infects a workstation and independently collects payment information; some are even capable of conducting financial transactions on behalf of users.
For example, the ZeuS banking Trojan injects its own data entry form into a web page, which enables it to get the user’s payment details (card number, CVC2/CVV2, full name, billing address etc.).
After injecting its code into the browser, Carberp, a malicious program that is widespread in Russian cyberspace, saves the bank card data (card number) from the online banking system’s main page and then prompts the user for additional information (CVV2, personal data etc.).
In addition to web injection, Trojans use other techniques to obtain payment information. For example, the latest variants of the Carberp malware mentioned above can modify the code of iBank 2, a popular online banking system, on-the-fly, which enables them to intercept payment details.

Getting over the second hurdle

Some banks try to make cybercriminals’ lives harder by introducing sophisticated variants of extra authentication factors, such as tokens – small USB devices which contain a unique user key that is requested every time a payment transaction is performed. Developers of the Lurk Trojan have found an ingenious method of bypassing this protection and authorizing payment transactions:
  1. A user initiates a payment transaction in the online banking system and enters the relevant details.
  2. The Trojan intercepts the payment details and waits for the system’s prompt for a token.
  3. The online banking system prompts the user to provide a token. The user does this by plugging a USB token into an appropriate hardware port.
  4. The Trojan intercepts this and brings up a “blue screen of death,” which tells the user that a memory dump is being created for subsequent analysis, asking the user not to turn off the workstation until the operation is completed.
  5. While the user is waiting for the operation to be completed (with the token still in the USB port), the cybercriminals, who now have access to the user’s account, complete their payment transaction, transferring the user’s money to their account.

Financial transaction security system

After a piece of banking malware makes its way onto a computer, it needs to find a way to intercept payment data. Trojans most commonly use the following techniques to achieve this:
  • Web injection (modifying the contents of web pages before displaying them to the user)
  • Hijacking an HTTP/HTTPS session (a classical example of the ‘man-in-the-middle’ attack)
  • Spoofing an authentication form or redirecting to a targeted phishing page
  • Making screenshots of the desktop
  • Logging keystrokes
Understanding this list of threats makes it possible to create a secure payment scenario:
  1. A user opens an online banking resource in the browser.
  2. The antivirus solution detects this and scans the operating system for critical vulnerabilities. An example is the Safe Money solution, which is designed to protect payment data and which fully implements this concept using a knowledge base incorporated into the antivirus product.
  3. Simultaneously, the anti-phishing module checks the URL against a database of trusted resources. The integrated software solution, which protects payment information, does this by requesting domain name information from a knowledge base.
  4. The antivirus solution checks the certificate used to establish a secure connection.
  5. If the certificate can be found in the database of trusted certificates, the antivirus solution launches the browser process and establishes a secure HTTPS connection with the requested URL. The browser process is monitored by the antivirus software, which protects it from being manipulated by other applications.
  6. The user enters payment transaction details (card number, CVV2/CVC2, personal data etc.) using a secure keyboard input, which guarantees that the scan code of each key pressed is safely transferred to the browser.
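Steps 3 to 5 of the scenario above (URL check against a trusted database, certificate check against trusted certificates, then launch of the protected browser) written out as an added example in Python; this is not Safe Money code, and the trusted domain, the certificate bytes and the fingerprint are constructed stand-ins for a vendor's knowledge base.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed knowledge base (hypothetical values): trusted banking domains and
# the SHA-256 fingerprints of the certificates those domains are expected to
# present. A real product would load these from the vendor's database.
TRUSTED_DOMAINS = {"online.bank.example"}
GOOD_CERT_DER = b"constructed stand-in for the bank certificate's DER bytes"
TRUSTED_CERT_FINGERPRINTS = {hashlib.sha256(GOOD_CERT_DER).hexdigest()}


def url_is_trusted(url: str) -> bool:
    """Step 3: accept only an https URL whose host is a trusted domain or a
    subdomain of one. Parsing with urlsplit, rather than substring matching
    on the whole URL, is what makes the check reject hosts that merely
    contain a trusted name (a phishing host with the bank's name as prefix,
    or the bank's name placed in the userinfo part before an '@')."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.rstrip(".")  # .hostname is already lower-cased
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual form of a certificate pin."""
    return hashlib.sha256(der).hexdigest()


def certificate_is_trusted(der: bytes) -> bool:
    """Steps 4-5: the presented certificate must match the trusted database
    by fingerprint. A man-in-the-middle certificate, even one issued by a
    public CA, has a different fingerprint and is rejected here."""
    return cert_fingerprint(der) in TRUSTED_CERT_FINGERPRINTS


def may_open_protected_browser(url: str, der: bytes) -> bool:
    """Gate for step 5: launch the protected browser only if both checks pass."""
    return url_is_trusted(url) and certificate_is_trusted(der)
```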

The Silver bullet

Banks and payment systems actively protect their users. Sophisticated multi-factor authentication, the use of additional devices (tokens, chipTANs, etc.), various warnings of possible fraud – all this is designed to protect the customer’s money. However, cybercriminals keep coming up with new and equally sophisticated ways of stealing payment information and additional transaction authorization codes.
That’s why it is very important to implement 360-degree protection on the client side: securing the user’s computer and the communication channel, and ensuring that the computer connects to the right server. This is exactly the principle used in our Safe Money technology inside Kaspersky Internet Security. It provides a comprehensive solution for protecting against online theft, offering bulletproof protection against any malicious activity of banking malware.

EC3 Arrests Two Ukrainians for Selling Access to 21,000 Hacked Servers

The European Cybercrime Centre (EC3) at Europol has supported Spanish National Police in arresting two Ukrainian criminals in Madrid who sold cybercriminals access to a huge number of compromised computer servers for anonymising their Internet activities. They are also suspected of laundering the illicit proceeds of police ransomware.
Operation Ransom II – the second of this kind after one in Málaga (Spain) in February 2013 – was the culmination of an extensive investigation of over a year, corroborating the fact that police ransomware is still a big threat to EU citizens.
On 9 July, Spanish National Police arrested the two criminals and searched their house. One of them was caught red-handed, running virtual machines and chatting with other cybercriminals. Along with numerous electronic devices and digital evidence, around EUR 50,000 in cash and several thousand euros in e-currency were seized during the search.
Their sophisticated money laundering facility was processing around EUR 10,000 daily through various electronic payment systems and virtual currencies.
The 21,000 compromised servers, belonging to companies located in 80 countries (1,500 of them in Spain), had one feature in common: they were configured for access via Remote Desktop (RDP). With this setup, the cybercriminal could access all information contained on the servers with full administrator privileges for the system, i.e. absolute control.
The criminals ran an online shop where the compromised machines were ‘sold’ to 450 of their cybercriminal ‘customers’ who were able to choose the location (country) of their preferred servers.
This Spanish National Police investigation was supported from the early stages by Europol specialists, who organised and hosted a coordination meeting in April 2013. Europol then facilitated the exchange of criminal intelligence with other EU Member States, delivered analytical reports, and supported the operation on the spot with a mobile office and technical advice.
Europol will receive data on the compromised computers so it can be analysed and distributed to law enforcement authorities, who in turn can notify those server owners affected by the criminals’ activity.
According to Troels Oerting, Head of EC3, the development and sophistication of malware will continue and the threat will remain high. It is important for citizens to understand that they should never pay any ransom.

NSA Storing Internet Data, Social Networking Data, on Pretty Much Everybody

This is getting silly. General Alexander just lied about this to Congress last week. The old NSA tactic of hiding behind a shell game of different code names is failing. It used to be they could get away with saying "Project X doesn't do that," knowing full well that Projects Y and Z did and that no one would call them on it. Now they're just looking shiftier and shiftier.
The program the New York Times exposed is basically Total Information Awareness, which Congress defunded in 2003 because it was just too damned creepy. Now it's back. (Actually, it never really went away. It just changed code names.)
I'm also curious how all those PRISM-era denials from Internet companies about the NSA not having "direct access" to their servers jibe with this paragraph:
The overall volume of metadata collected by the N.S.A. is reflected in the agency's secret 2013 budget request to Congress. The budget document, disclosed by Mr. Snowden, shows that the agency is pouring money and manpower into creating a metadata repository capable of taking in 20 billion "record events" daily and making them available to N.S.A. analysts within 60 minutes.
Honestly, I think the details matter less and less. We have to assume that the NSA has everyone who uses electronic communications under constant surveillance. New details about hows and whys will continue to emerge -- for example, now we know the NSA's repository contains travel data -- but the big picture will remain the same.
Related: I've said that it seems that the NSA now has a PR firm advising it on response. It's trying to teach General Alexander how to better respond to questioning.
Also related: A cute flowchart on how to avoid NSA monitoring.

Android Firefox browser app flaw allows data stealing from SD card

A vulnerability in the Android Firefox browser app allows hackers to steal the user’s files from the SD card and Firefox’s privately stored data.

Androidpolice blog reported that security researcher Sebastián Guerrero discovered an Android Firefox browser app vulnerability that allows hackers to access both the contents of the SD card and the browser’s private data.
Once again mobile security is under discussion: the number of cyber threats has increased dramatically, and the Android Firefox browser flaw is just the latest, posing a serious menace to users’ privacy. The expert provided the details to Mozilla and also published a POC video of the hack.
It is important to note that the flaw is exploitable by attackers only in one of the following scenarios:
  • The victim installs a malicious application on his mobile device.
  • The victim opens a locally stored HTML file that includes the malicious JavaScript code in the vulnerable Android Firefox browser.


A representative from Mozilla has clarified that the Android Firefox browser vulnerability was fixed in Firefox for Android v24, released on September 17th. Sebastián Guerrero has nevertheless found a way to exploit the vulnerability remotely and, in this case too, decided to disclose it responsibly to Mozilla.
As the original Android Firefox browser vulnerability has already been fixed in v24, the remote attack will not be effective. Once the Android Firefox browser vulnerability is exploited, an attacker is able to access data files stored on the SD card, including the user’s login credentials, media files and browsing information.
The files are accessed through the standard “file://” URI syntax, but the information is encrypted by Firefox. To get around this obstacle and access the encrypted data stored in internal storage, the attackers also introduce a third-party app that retrieves the keys stored on the device.
“However, to protect the most sensitive information, apps can place data in a separate location called internal storage, a private folder for each app that even the user is prevented from accessing directly (unless the device is rooted). The most significant threat from this vulnerability is that the secured location for Firefox is also accessible, which means a hacker will have access to cookies, login credentials, bookmarks, and anything else Mozilla think should be kept safely tucked away.” states the Androidpolice blog.
The colleagues at The Hacker News reached Guerrero, leading to a useful series of questions and answers on the Android Firefox browser vulnerability:
Q. Can an attacker host the malicious JavaScript HTML file on a server to exploit the flaw remotely, just by making the victim visit the website?
A. The exploit cannot be executed by a remote web page. This flaw works only if you install an application, but there is another vulnerability in Firefox that could allow an attacker to install applications without the user’s knowledge. I disclosed it to Firefox, but another researcher did the same before me. But it’s possible to host the malicious HTML file somewhere and, using some social engineering, an attacker can make the victim download and execute the file locally in their Firefox app.
Q. To steal the files from the victim’s SD card, does an attacker need to pre-define the file names or folder path in the exploit code?
A. Nope, there is no need to specify the path, because I’m obtaining the salted folder generated by Firefox at runtime, due to a vulnerability. So I can make a copy of the SD card, because the path will always be /sdcard, and for the private folder located at /data/data/org.mozilla.firefox, I’m obtaining the salted profile generated at runtime.
Q. Where and how will the stolen files be uploaded?
A. You can upload them wherever you want, i.e. using the exploit code we open a socket connection to the remote FTP server to upload the stolen files.
Q. Is there any CVE ID or Mozilla Security Advisory ID defined for the vulnerability yet?
A. As far as I know there isn’t a CVE assigned to this vulnerability.