October 01, 2009

Man-in-the-Browser goes to court

Stephen Mason reports that MITB is in court:

A gang of internet fraudsters used a sophisticated virus to con members of the public into parting with their banking details and stealing 600,000, a court heard today.

Once the 'malicious software' had infected their computers, it waited until users logged on to their accounts, checked there was enough money in them and then insinuated itself into cash transfer procedures.

(Also on El Reg.) This defeats the two-factor authentication systems commonly in use because (a) the trojan controls the user's PC, and (b) the authentication schemes pushed out over the last decade or so only authenticate the user, not the transaction. Since the trojan controls the PC, it effectively is the user: the real user happily authenticates himself, and thereby the trojan and the trojan's transactions, and the trojan even lies about it afterwards!

Numbers, more than ordinarily reliable because they have been heard in court:

'In fact as a result of this Trojan virus fraud very many people - 138 customers - were affected in this way with some 600,000 being fraudulently transferred.

'Some of that money, 140,000, was recouped by NatWest after they became aware of this scam.'

This is called Man-in-the-browser, a subtle reference to SSL's vaunted protection against Man-in-the-middle. Unfortunately several things went wrong in this area of security: Adi Shamir's 3rd law of security says the attacker always bypasses; one of my unnumbered aphorisms has it that the node is always the threat, never the wire; and finally, the extraordinary success of SSL in the mindspace war blocked any attempts to fix the essential problems. SSL is so secure that nobody dares challenge browser security.

The MITB was first reported in March 2006 and sent a wave of fear through the leading European banks. If customers lost trust in the online banking, this would turn their support / branch employment numbers on their heads. So they rapidly (for banks) developed a counter-attack by moving their confirmation process over to the SMS channel of users' phones. The Man-in-the-browser cannot leap across that air-gap, and the MITB is more or less defeated.
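The distinction the two paragraphs above turn on, a second factor that authenticates the user versus one that authenticates the transaction over a channel the trojan cannot reach, can be shown in a small simulation. This is an added, constructed example, not code from the post or from any bank: the `Bank`, `Transfer` and `mitb` names, the SMS text format and the mule account number are all hypothetical, and the HMAC-derived six-digit code stands in for whatever token or SMS gateway a real bank uses.

```python
"""Constructed example: user authentication versus transaction authentication.

Scheme A issues a login OTP; whatever the browser then submits is executed.
Scheme B sends the transfer details the bank actually received, plus a code
bound to those details, to the customer's phone (the air-gapped channel).
All names and values here are hypothetical, not any real bank's protocol.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    dst_account: str
    amount_cents: int

    def describe(self) -> str:
        return f"pay {self.amount_cents / 100:.2f} to {self.dst_account}"


class Bank:
    """Server side. `key` is a per-customer secret used to derive one-time codes."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.pending: dict[str, Transfer] = {}   # nonce -> transfer awaiting a code
        self.ledger: list[Transfer] = []          # transfers actually executed

    def _code(self, *parts: str) -> str:
        mac = hmac.new(self.key, "|".join(parts).encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    # Scheme A: the second factor proves who the *user* is, nothing more.
    def login_challenge(self) -> tuple[str, str]:
        nonce = secrets.token_hex(8)
        return nonce, self._code("login", nonce)

    def transfer_with_login_otp(self, nonce: str, otp: str, t: Transfer) -> str:
        if not hmac.compare_digest(otp, self._code("login", nonce)):
            return "rejected: bad OTP"
        self.ledger.append(t)                     # the OTP says nothing about t
        return "executed"

    # Scheme B: the second factor is bound to the *transaction* the bank received.
    def request_confirmation(self, t: Transfer) -> str:
        """Returns the SMS text sent to the phone, which the trojan cannot alter."""
        nonce = secrets.token_hex(8)
        self.pending[nonce] = t
        code = self._code("tx", nonce, t.dst_account, str(t.amount_cents))
        return f"{nonce} {t.describe()} code {code}"

    def transfer_with_tx_code(self, nonce: str, code: str) -> str:
        t = self.pending.pop(nonce, None)
        if t is None:
            return "rejected: unknown transaction"
        expected = self._code("tx", nonce, t.dst_account, str(t.amount_cents))
        if not hmac.compare_digest(code, expected):
            return "rejected: code does not match transaction"
        self.ledger.append(t)
        return "executed"


def mitb(t: Transfer, infected: bool) -> Transfer:
    """Browser side: on an infected PC the trojan rewrites the transfer after the
    user has authenticated. The mule account and amount are constructed values."""
    return Transfer("mule-account-0001", 857_600) if infected else t


def parse_sms(sms: str) -> tuple[str, str, str]:
    nonce, _, rest = sms.partition(" ")
    description, _, code = rest.rpartition(" code ")
    return nonce, description, code


def scenario_login_otp(infected: bool) -> str:
    bank, intended = Bank(), Transfer("alice-savings", 10_000)
    nonce, otp = bank.login_challenge()           # user reads the OTP off a token
    submitted = mitb(intended, infected)          # trojan may alter the form
    return bank.transfer_with_login_otp(nonce, otp, submitted)


def scenario_tx_code(infected: bool) -> str:
    bank, intended = Bank(), Transfer("alice-savings", 10_000)
    submitted = mitb(intended, infected)
    sms = bank.request_confirmation(submitted)    # goes to the phone, not the PC
    nonce, description, code = parse_sms(sms)
    # The phone shows what the bank received; the user compares it to intent.
    if description != intended.describe():
        return "user refused: SMS shows " + description
    return bank.transfer_with_tx_code(nonce, code)


def scenario_code_swap() -> str:
    """A code the user typed for the genuine transfer cannot be replayed by the
    trojan against a different pending transfer: the HMAC binds it to the details."""
    bank = Bank()
    nonce_a, _, code_a = parse_sms(bank.request_confirmation(Transfer("alice-savings", 10_000)))
    nonce_b, _, _ = parse_sms(bank.request_confirmation(Transfer("mule-account-0001", 857_600)))
    return bank.transfer_with_tx_code(nonce_b, code_a)


if __name__ == "__main__":
    for label, result in [("login OTP, clean PC", scenario_login_otp(False)),
                          ("login OTP, MITB", scenario_login_otp(True)),
                          ("tx code, clean PC", scenario_tx_code(False)),
                          ("tx code, MITB", scenario_tx_code(True)),
                          ("tx code replayed", scenario_code_swap())]:
        print(f"{label:22s} -> {result}")
```

Under the login-OTP scheme the infected run is indistinguishable from the clean one on the bank's side, which is exactly the failure described above; under the transaction-bound scheme the fraud is stopped either by the customer reading the phone, or, if the trojan tries to reuse a genuine code, by the bank's check that the code matches the pending transaction.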

European banks tend to be proactive when it comes to security, and hence their losses are minuscule. Reported recently was something like €400k for a smaller country (7 million?) for an entire year for all banks. This one case in the UK is double that, reflecting that British banks and USA banks are reactive to security: although they knew about it, they ignored it.

This could be called the "prove-it" school of security, and it has merit. As we saw with SSL, there never really was much of a threat on the wire; and when it came to the node, we were pretty much defenceless (although a lot of that comes down to one factor: Microsoft Windows). So when faced with FUD from the crypto / security industry, it is very, very hard to separate real dangers from made-up ones. I felt it was serious; others thought I was spreading FUD! Hence Philipp Gühring's paper Concepts against Man-in-the-Browser Attacks, and the episode formed fascinating evidence for the market for silver bullets. The concept is now proven right in practice, but it didn't turn out how we predicted.

What is also interesting is that we now have a good cycle timeline: March 2006 is when the threat first crossed our radars. September 2009 it is in the British courts.

Postscript. More numbers from today's MITB:

A next-generation Trojan recently discovered pilfering online bank accounts around the world kicks it up a notch by avoiding any behavior that would trigger a fraud alert and forging the victim's bank statement to cover its tracks.

The so-called URLZone Trojan doesn't just dupe users into giving up their online banking credentials like most banking Trojans do: Instead, it calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and which money mule account to send the money to. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction.

Researchers from Finjan found the sophisticated attack, in which the cybercriminals stole around 200,000 euro per day during a period of 22 days in August from several online European bank customers, many of whom were based in Germany....

"The Trojan was smart enough to be able to look at the [victim's] bank balance," says Yuval Ben-Itzhak, CTO of Finjan... Finjan found the attackers had lured about 90,000 potential victims to their sites, and successfully infected about 6,400 of them. ...URLZone ensures the transactions are subtle: "The balance must be positive, and they set a minimum and maximum amount" based on the victim's balance, Ben-Itzhak says. That ensures the bank's anti-fraud system doesn't trigger an alert, he says.

And the malware is making the decisions -- and alterations to the bank statement -- in real time, he says. In one case, the attackers stole 8,576 euro, but the Trojan forged a screen that showed the transferred amount as 53.94 euro. The only way the victim would discover the discrepancy is if he logged into his account from an uninfected machine.

Posted by iang at October 1, 2009 09:26 AM

The URLZone sounds like a trojan with a long-term plan; perhaps its withdrawal scenario can present a learning curve for taxation specialists, i.e. determining how much to take before creating despair. Of course any disputed transaction will alert the fraud investigation group after the fact, and if they lack the resolve to follow these instances without automated detection assistance then it is their loss in either customer satisfaction or real money. It does however provide a fantastic over-funded insurance opportunity, at least one that is willing to check balances from an uninfected machine. Is it possible to have the customer verify in at least some titular fashion the monthly transactions via email or even a secure network à la VPN? At some point a trail will be configured and an assessment of the losses suffered totaled, but that glorious day is far off in the future without at least some customers complaining, and with no recourse via an uninfected machine the losses mount. One would think that given enough time and the tightening of profitable margins of activity for banks that they might, given a bad enough situation, actually design something that is secure and use it as a means of providing a service that is different from their competitors, but until that day arrives they follow the path of the herd dictated by the drones of corporate security standards. I await Panama becoming a fully functioning offshore facility with the OECD Nations breathing down their necks for information; that kind of pressure should spark a Renaissance of sorts in online services that would demand a high degree of security. As it stands now the banks are non-profit extensions of the Central Banks and implement policy of placating the masses via bailouts and loss mitigation with a total lack of regard for the laws regarding credit.
Bravo, trojan writers everywhere, up the rebels and what not, because the money you steal today is worth half its value in six months and half again by year's end. The ultimate hack is the belief in the efficacy of the Central Banks and their coordinated attack against all borrowers and holders of their currencies, which they inflate in an orchestrated fashion with hardly anyone noticing via the observance of exchange rates as a measure.

Posted by: Jimbo at October 4, 2009 03:27 PM