14 December 2017
Uri Rivner

The Joy of Fraud Fighting

Uri Rivner - BioCatch

78Posts 364,750Views 36Comments
Online Banking

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.

Curse of the Were-Laptop

24 November 2008  |  4864 views  |  2

Richmond, Virginia - Sunday 20:00 EST 

The storm outside sent wave after wave of heavy rain drops that banged on the large window, trickling down into the garden bushes below. Distant thunderclaps rolled, making the glass vibrate every other minute, not before the bright flashes of lightning lit Jack's study.

Jack was browsing the Internet, several web pages open on his laptop display. He was scanning the latest private messages in his favorite social network website; one of them was from Sarah, his good friend back from the college days, saying something about a cool video he must watch.

Clicking on the link in the private message made a new page open. Jack immediately recognized the website's logo - it was a popular video sharing site – and waited for the video clip titled 'something funny' to load.

After about ten seconds, a message came up saying the video clip cannot be loaded since the Flash movie program was out of date. The message helpfully suggested to run an update, and Jack didn't think twice before hitting the "Run" button.

The room filled with the blinding flare of lightning, immediately followed by roaring thunder that shook the window glass.

Thirty seconds later, the download process ended and now the video was running just fine. It wasn't that funny – actually, it was pretty bad slapstick. What did Sarah have in mind?


Almaty, Kazakhstan – Monday 07:05 KET

The Zeus Trojan server was crunching the incoming traffic. Information from more than 500 computers out of over 7,000 infected by this particular strand of Zeus operated by a gang of cyber criminals was flowing in simultaneously.

One specific request came from an IP address in Virginia, US. Being a new device, the server opened a new record in the 'users' table for further tracking. A lot of data started to flow in from this new device into the unstructured database; social network data, URLs browsed in a popular news website, access credentials into a well known virtual world - all of these were filed for possible future use… But now came something much more interesting, triggering the structured data indexing script.


Richmond, Virginia - Sunday 20:30 EST

Jack blinked at the page. Other than a user name and password, the bank was now asking for his ATM PIN code. This looked a little odd; why would the bank ask that?

Slightly suspicious, Jack looked carefully at the website address, but it was the real URL. Just to make sure, he double clicked on the small yellow lock, which presented the genuine certificate of the bank.

Sighing to himself, he typed the PIN code, filled the regular login information and clicked submit. He was immediately let inside. Perhaps this is a new requirement, he thought, and then went on to check his balance and last month's transactions.

"Honey, I see a 250 dollars cheque from last week in the statement. Who was this for?" Shouted Jack, hoping his voice will carry to the bedroom, beating both the raindrops and the sound of TV reality show that was playing in the background.

"Wasn't it for your sister? The new baby trolley?" Came the faint response.

"Oh, right", said Jack. He always went in to check his online banking on Sunday evenings. This way if there was anything he wanted done, he could call the bank first thing Monday morning. But now everything seemed in order.

"Are you coming dear? If you'll watch the show with me for ten minutes I promise to let you watch the game all night!"

Jack grinned. Sounds like a good deal… He folded the laptop, putting it in the nice black case his wife bought him recently for his new promotion.


Somewhere in Virginia - Monday 07:45 EST

Surveillance cameras watched the Honda SUV as it approached the main gate. Jack nodded to the guard, opened the window and waved his RFID access tag in front of the new security device implemented earlier this year. He smiled at the small face capture camera, heard the friendly beep and saw the guard nod back. Closing the window, he muttered to himself something about the ridiculous amount of security he had to go through these days.

Driving straight to his designated parking spot, Jack got out of the car. Carrying the laptop case with him, he disappearing into the vast steel and glass building.


* * *


We all know about Lycanthropy, the mythical disease in which victims are bit by werewolves and develop the nasty habit of turning into beasts every full moon. They can live years without realizing they have been infected by a curse.

Today, laptops all over the world have two faces. At day they are plugged into the corporate network, protected by the latest technology. But at night… At night their owners connect them to private broadband, where many predators await.

When a laptop gets infected at home by a Trojan, it poses a unique risk. It becomes a WereLaptop: an unsuspecting carrier of a hidden curse.

Its owner, unaware of the danger, can take the WereLaptop with him or her, walk through the office doors, and plug it into the network.

And then you have a Trojan behind corporate firewalls.

It's almost as if online criminals have completed a full circle. Ten years ago, they tried to hack into the enterprise, but the industry responded with firewalls, event log monitoring and intrusion detection systems.

Seeing that network security is too difficult to breach, fraudsters turned into a much less protected target: the consumer. Phishing, Trojans and other attack vectors became a money making machine.

Now that online banking and eCommerce security is getting stronger, the fraudsters will have to turn elsewhere. Byron Acohido's recent article in USA Today demonstrates some of the precision attacks cyber criminals and industrial spies stage against corporate resources; but this is just the tip of a very large iceberg.

Thousands of additional breaches have already occurred, but the Trojan that already resides behind the firewall sits idly and attempts no further action. Think of the lycanthropy victim under regular circumstances: everything seems normal, and the curse is well hidden.

So why hasn't this hidden curse materialize yet? Why was there no full moon shining on the infected werelaptops, turning them into a corporate menace? 

That's because at the moment, all the Trojan operator is interested in is the employee as a consumer. 

But sooner or later, fraudsters will realize they are inside the firewall. They'll wake up and say: hey, how cool is that?

And although today monetizing access to corporate resources is a generally unknown practice in the consumer-focused eCrime world, fraudsters at large will figure it out. 

They always do.


* * *


Where did Jack just enter? Is it a large corporate that handles many business or consumer accounts? A financial services company? A high-security laboratory involved in classified research? A critical infrastructure provider? A government complex? A military compound?

Whichever the case, Jack is going to walk up to his desk, put the laptop in the docking station, provide the Windows access credentials and sit back in his chair, getting ready for another week of hard work.

The very laptop that was infected by Zeus a few hours ago.

The WereLaptop.


Comments: (4)

Anthony Cossey
Anthony Cossey - Fixnetix ltd - London | 24 November, 2008, 13:33

Great article, the 'walk in and plug in' culture is a nightmare for security admins, more products like Trend Micro's 'RUBOTTED' or more widespread use of Linux netbooks may be seen in the future to help prevent this 'werelaptop' curse.....Silver Bullets for the in house security team.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Uri Rivner
Uri Rivner - BioCatch - Tel Aviv | 24 November, 2008, 18:29

Good suggestions. Does anyone have other ideas? What do you feel about security by virtualization?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
John Dring
John Dring - Intel Network Services - Swindon | 03 December, 2008, 19:58

Lets also not forget that most employees see their shiny laptop as 'theirs' and corporate IT and Security are 'those people that try to hinder you doing what you want'.  So in addition to the hackers trying to circumvent corporate security, the employee themselves is more than helping.

Most will revert to a direct network connection, not the corporate VPN and HTTP Proxy.  They will use all manner of utilities which are not Corporate and revel in beating the many restrictions.

And yet, they sit back in the belief that their laptop is 'secured by the company' and therefore safe.  So you have a double problem - the employee both resists/detests the security and yet depends and relies on it at the same time.

I still wonder why the banks and account holder do not offer a simple alerting/notification service for transactions.  I would not mind a little text message every time something over a set level occurs.  But as usual, its not in the service provider's interest to provide these good things, so they don't.  You just become an acceptable level of risk, and accept it until it happens to you.

Good read though, but I was waiting for the killer punch where you explained how much damage the cyber-crooks could do with the info.


Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Uri Rivner
Uri Rivner - BioCatch - Tel Aviv | 04 December, 2008, 06:33


I was thinking about adding the punchline about what criminals can do once they're inside the corporate firewall, but I decided to do a Hitchcock and just leave the actual murder scene for people's imaginations ;)

But basically, the answer is – whatever criminal activity fortune 1000 companies have invested billions to defend against by building corporate firewalls, network security and intrusion detection systems. And much beyond that, given the fact fraudsters today are better equipped and more globally coordinated than 10 years ago when the original problem of hacking into the enterprise loomed.

With regards to employees helping the crooks, I think it's an excellent point. You're right, people will do their best to get around security.

The magnitude of the issue became apparent in an RSA "people on the street" survey conducted last year.

35% of employees feel that they sometimes need to work around security procedures established in the corporate so they can get their job done.

68% of corporate employees and 58% of government employees said they leave the office carrying sensitive data on a mobile device such as a laptop, smartphone or USB memory stick.

92% of government employees said they get training about the importance of following security practices, as opposed to 69% in the corporate. Can this explain why government employees fair a little better?

Not really. 68% of government employees said they sent work documents to a private email address so they could work on them at home, compared to 61% in the corporate. Reconciling all these figures is simple: the public sector issues less laptops and blackberries than the private sector. So if you've got a government deadline to meet, you are more likely to work on it on your private home PC than your corporate colleague.

8% actually said they've lost a device containing corporate data. What type of data might be inside? The survey lists customer data, personally identifiable information such as Social Security numbers, company financials, credit card data, or competitively sensitive information as some possible examples.

So yes, I totally agree: the enterprise environment still didn't figure out how to balance corporate security with ease-of-use for employees.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Uri

Brazil vs. Germany: A Surprising Find

12 July 2014  |  3801 views  |  1 comments | recomends Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Sweetheart Scams: When Fraudsters Turn to Romance

30 June 2014  |  3106 views  |  0 comments | recomends Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

BitCoin Explained: How to Become a BitCoin Thief - part 1

04 December 2013  |  22280 views  |  1 comments | recomends Recommends 1 TagsMobile & onlinePaymentsGroupInformation Security

A Message from Hell

01 October 2013  |  3774 views  |  0 comments | recomends Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Uri's profile

job title Head of Cyber Strategy
location Tel Aviv
member since 2008
Summary profile See full profile »
Internet. The perfect fraud frontier. These are the thoughts of Uri Rivner, head of Cyber Strategy at BioCatch and formerly Head of new technologies, identity protection, at RSA, the security division...

Uri's expertise

Member since 2008
78 posts36 comments
What Uri reads

Who's commenting on Uri's posts