The ability to make financial transactions on the Internet has made our lives much easier. Now, virtually every type of product or service can be purchased from your home, while web banking services save you the trouble of standing in a bank line. However, the growing popularity of online payments plays into the hands of cybercriminals who are also busy adopting cutting-edge technologies: the more people opt for remote financial management, the more can potentially become victims. Criminal activity becomes more profitable. As a result, stealing financial information and transferring users’ assets to accounts controlled by cybercriminals is now a highly efficient way to make money, employed by cybercriminals worldwide.
In theory, for cybercriminals who are seeking to steal financial information, it is more advantageous to attack the server side of payment processing (including banking infrastructure, payment system servers, etc.), as it contains tremendous amounts of data that can be used to advantage or sold. However, in practice it is just as difficult to gain such access as to crash into a physical bank vault, because corporate servers as very well protected. Therefore, cybercriminals prefer to attack the users of banking and payment systems – these are not as well protected. In a single attack, cybercriminals can infect tens of thousands of home computers, and at large scale will bring them the coveted profit.
Cybercriminals are armed with an entire arsenal of methods with which to gain access to users’ confidential information. Most of the attacks which target financial data have social engineering as their basic element. This can be used either to spread malware or to steal user credentials directly.
Phishing is a classic example of using social engineering to defraud users of their financial information. A user is deceived into handing over confidential information to cybercriminals. For instance, a disoriented victim may receive an “official” letter in the name of a reputable bank (a payment system, online store, etc.) which says that there was a failure on the organization’s server, so all clients need to urgently provide their personal data for verification. The pretexts can vary, but in any case the client is prompted to send their login credentials in a reply email, type them in an attached web form or on the bank’s “official” website, following a link in the email. All information provided by the user will arrive in the cybercriminals’ hands.
Phishers use fake web sites which imitate the originals.
To make the spoofing less conspicuous, the cybercriminals use URL addresses that are similar to those of the original web sites. Different ways of spoofing the line in the address bar are also used.
The phishers’ fabrications are often hard to distinguish from the original sites. Therefore, experts advise users to access financial sites from bookmarks in their browsers rather than following an email link.
There are also dedicated malicious programs designed to steal financial information; these are banking Trojans. Typically they automatically collect information about payments made from infected computers and sometimes carry out financial transactions in the name of users.
When bank clients are attacked with the help of malicious programs, phishing emails can also be sent in the name of the attacked bank. In these fake emails users are not asked to send information, but to open an attached document under some pretext. The attachment, in fact, is a malicious file.
This massive spread of banking Trojans is aided by exploits for vulnerabilities in Windows and other popular software. Without letting the user know, these exploits penetrate the system via software vulnerabilities and download other malicious programs which steal financial information from the victim computer. To make the attack effective, the cybercriminals use so-called exploit packs, or packages of exploits to various vulnerabilities, rather than single exploits. An exploit pack analyzes the software installed on the user’s computer; if it finds a loophole in the software, it picks a suitable exploit to infect the computer.
Exploit packs are hosted either on cybercriminals’ servers or on hacked resources. Links to the exploits are distributed by cybercriminals via spam, social networks, hosted on hacked legitimate sites; even the banners and teasers of legal advertising systems may be used for this. Exploits, in turn, download Trojans to victim computers. Infections of popular sites are especially dangerous: they are visited by many users, and when a malicious link is present, each visitor’s computer is unobtrusively attacked by exploits that are trying to attach malicious programs to them.
Cybercriminals use both multi-purpose banking Trojans capable of attacking the clients of various banks or payment systems, and single-purpose Trojans designed to attack the clients of specific banks.
Once on a user’s computer, a banking Trojans establishes a foothold in the system, and then begins its assigned task, which is to steal all types of financial information from the user.
Malicious programs use the following techniques:
To compelte the vast majority of online financial operations, users need web-browsers. The techniques employed by modern banking Trojans are one way or another related to this software.
Web injections, or modifying the contents of an HTML page, are a popular method with cybercriminals. A malicious program adds extra fields when the bank’s web page is displayed in the browser, prompting the user to enter confidential information. For example, the Trojan Carberp uses a web injection to add extra fields to the online banking entry page, in which it prompts the user to enter his/her bank card number, name of the holder, expiry date, CVV, CVC and the code word. If the user refuses to do so, the Trojan displays an error message and blocks the banking session.
The extra information entered by the user falls into the cybercriminals’ hands, but does not reach the bank as it is intercepted when the data is sent to the banking server. Therefore, neither the victim nor the bank knows anything about the fraud.
In most cases, cybercriminals prefer to use combinations of various techniques – this way they improve their chances of a successful infection and increase the effectiveness of the malicious program. The banking Trojan ZeuS (Zbot) is one of the most advanced, high-tech Trojan programs used by cybercriminals. Many varieties of this malicious program exist across the globe; moreover, its functional clone – the SpyEye Trojan – was created.
Here are some of ZeuS’ features:
This malicious program is spread with the help of social engineering and by exploiting vulnerabilities in popular software by Microsoft, Oracle, Adobe etc. when users visit compromised web sites. Links to these sites are mostly distributed in spam.
ZeuS is capable of stealing confidential information to gain unauthorized access to accounts in the world’s largest banks. In 2012, we recorded 3,524,572 attempts to install this malicious program on 896,620 computers with Kaspersky Lab products installed on them, located in different countries.
As discussed above, banks invest a lot of effort in protecting their clients. Banking Trojans have been so effective that banks have to introduce an extra protection layer – user identification tools; with the standard login credentials, they make up the so-called two-factor authentication. With two-factor authentication in place, it not sufficient to know a user’s login and password to gain control over the bank account.
However, cybercriminals see upgraded protection as a new challenge, and keep looking for new ways to bypass it.
With two-factor authentication in place, banks use one-time passwords (Transaction Authentication Number, TAN). In practice, that may be an ATM slip with codes printed in it; SMS messages with one-off passwords that a bank sends to the user’s mobile phone (mTAN), or even a dedicated device (chipTAN).
To bypass the above security systems, cybercriminals have created new methods of stealing data, and modified their social engineering techniques.
The banking Trojan ZeuS has a set of tools in its arsenal which can bypass different types of two-factor authentication. ZeuS uses an interesting tool to collect the one-time passwords that users print out at an ATM.
Working together with the mobile Trojan ZeuS-in-the-Mobile (ZitMo), ZeuS can steal users’ one-time passwords that arrive to the mobile phone.
This is how the two Trojans interact with users:
chipTAN is another method of two-factor authentication. It is used by Western European banks and requires each client to have a special TAN generator device. Having set up a transaction on a banking site, users put their bank cards into the chipTAN and enter the PIN code.
Next users put the device next to their computer’s monitor to check the details of the transaction in progress. Having checked the transaction details against the data displayed on the device screen, users enter an additional code from the device to confirm the transaction.
chipTAN is now the most advanced and effective banking security tool. Unfortunately, however, the creators of the banking Trojan SpyEye have learned to bypass this high-tech security tool as well.
A token is a USB device, used as an extra security tool and containing a unique key that the system requests each time the user makes a payment operation. The creators of the banking Trojan Lurk found quite an effective way to bypass this protection:
The malicious programs of the Trojan-Banker.Win32.BifitAgent family use another method to bypass the USB token. These malicious programs are designed to attack users of online banking software developed by the Russian software manufacturer BIFIT.
The BifitAgent malicious program consists of two main modules that run on the victim computer – an executable file and a Java archive. When the malicious program runs, the main executable module, which enables communication with the C&C server, operates simultaneously with the malicious JAR files and enables the attackers to modify any JAVA code at the moment when bank transactions are being made. The main function of the Java code contained in the malicious JAR file is to spoof the data used in banking transactions on an infected computer without letting users notice it. The use of a USB token in the transaction is no hindrance for the cybercriminal since the token only signs the transaction after the data has been spoofed. As a result of this, users’ money lands in the cybercriminals’ accounts.
Banks and payment systems invest a lot of effort in improving their clients’ security, but this alone is not enough to mean users can be laid-back about the safety of their assets. The user’s computer must be secured against thefts of payment data by banking Trojans and other malware – this is ensured by protecting the browser from malicious code, protecting keyboard inputs, and antivirus technologies which prevent malware from penetrating the system. Yet not even antivirus protection is enough in itself; there needs to be a method of checking the legitimacy of a web resource (the site of the bank, payment system, online store etc.), and to guarantee a secure connection to it.
No financial transaction can be considered secure unless three key components are protected:
An antivirus protects the system as a whole from malicious programs; a dedicated component in the antivirus protects the browser used to access the online banking system.
The antivirus uses a variety of protection mechanisms that make it difficult or impossible for malicious code to penetrate a system, launch and run on the computer. These protection mechanisms work at all stages of a banking operation.
If an unknown malicious program manages to penetrate a system, the main task of a comprehensive antivirus solution is data protection. For this, the product must monitor browser running processes and protect it from manipulation by other applications. Additional protection here is ensured by the virtual keyboard with which users can securely enter the details of any payment operation (bank card number, CVV2/CVC2, personal data etc.) into the browser.
A secure connection precludes the interception of the data communicated from the client to the server. The communication channel is secured by applying special protocols (TLS/SSL) which guarantee the encryption of the communicated data. The site to which a connection is established is identified with the help of a certificate.
The sites of banks and payment systems have digital certificates that are issued and signed by certification authority. These certificates verify the authenticity of the site and the legitimacy of its owner.
Fake sites either do not have certificates or use fake certificates. However, a more complex situation may also exist. For example, a Trojan that has gained a foothold in the system may modify the hosts file and take users to a site which is an exact replica of the original site. The same Trojan can install an extra root certificate on the victim computer which would verify the legitimacy of the fake certificate on the cybercriminals’ web-page, when checked by the browser. That way, the cybercriminals are able to decipher all data communicated by the browser from the fake site.
The antivirus solution should independently check the authenticity of the security certificate rather than rely on the operating system and the browser for that. If a certificate is not legitimate, users receive a warning.
Cybercriminals craft their sites to look like the official sites of banks and payment systems. Certificate legitimacy check is only effective when users enter the correct URL of the bank site. If users go to a bank site following a fake link from a phishing letter, a social network or from search results, anti-phishing components must intervene. Links are checked against the database of untrusted web resources. If users attempt to visit an illegitimate site, they receive threat warnings. To avoid falling victim to phishers, it is advisable to visit bank sites using the appropriate list from an antivirus product.
Last but not least, a high level of self-protection is an indispensable component in a quality security solution. If a malicious program manages to disrupt the work of the antivirus solution, it creates a breach in the security system and compromises the security of future transactions.
It is this concept of securing online transactions that is implemented in Safe Money, Kaspersky Lab’s software solution.
Let us now see how a secure transaction is carried by Safe Money.
Thus, a payment transaction is protected from banking Trojans with the help of an antivirus, a secured browser process and a secure keyboard input. The authenticity of the payment system or online banking site is validated by checking the links and the digital certificate.
The effectiveness of a solution based on the concept of secure online transactions has been confirmed by testing laboratories.
Banks, payment systems and other financial organizations invest a lot of effort in protecting their infrastructures and clients from cybercriminals. However, cybercriminals also persist in developing malware, coming up with new ways to bypass security tools and steal users’ banking information. At this stage, the users’ banking information is best protected by antivirus products and dedicated solutions that can warn of a danger, prevent infection in a timely manner, and will not leave a loophole for a new banking Trojan.
2013 Sep 24, 11:57
But in this article you maybe not consider another cybercriminal's attack, cybercriminals can attack IE browser direct with COM api to modify the bank's webpage content, and cybercriminals can uses this way to change the payment to another one.
Edited by Jeffery, 2013 Sep 24, 12:10
2013 Dec 14, 02:51
None of that works - the TRANSACTION needs to be authenticated.
Bruce Schneier, back in 2005, explained why OTP and secure browsers etc are not the answer - here's his essay:
2014 Jan 11, 01:36
Grey Mark in Google Search Results