24 November 2017
Uri Rivner

The Joy of Fraud Fighting

Uri Rivner - BioCatch

Innovation in Financial Services


When Gods Jabber

28 August 2009

 

As befits its name, Zeus – King of Gods – is the most powerful Trojan kit on earth.

Some Trojans you cannot buy – take Sinowal, for instance; it’s a commercial-grade infrastructure featuring a state-of-the-art Trojan. It’s operated by an organized crime group that invests back in the business. You won’t find Sinowal as a kit for sale.

But when it comes to Trojan kits you can buy and distribute to unsuspecting victims, Zeus is today’s best seller. It costs a minimum of $1000 (a more expensive ‘professional’ version exists; it packs additional features and has a large library of target templates) but it is worth every penny – if you’re an aspiring fraudster, that is.

The popularity of Zeus stems from its superb usability – unlike many other Trojans it is very easy to control and configure – and its rich set of functionality.

But one thing still remains largely unsolved.

Zeus, like many other Trojans, records everything you do in SSL-protected pages and sends it to a ‘drop zone’ site. In the drop zone, a huge amount of data is collected. Zeus does a good job of indexing the data, so it’s easier to sell; but what if you’re interested in cashing out the victim’s account almost in real time?

If you are, then this becomes an issue. In the typical fraud ecosystem you have one fraudster stealing data, and another fraudster specializing in cash-out. How would they ‘talk’ to each other in real time?

Or, what if it’s a single organized group, but people who specialize in cash-out need a steady feed of fresh credentials from the various drop zones?

Fraudsters always prefer the fastest way to hit the bank. That’s why, according to the August Online Fraud Report from the RSA FraudAction lab, several Zeus variants are now connected to open-source Instant Messaging (IM) software called Jabber.

Jabber is open-source software similar to ICQ or Windows Messenger. The fraudsters like the fact it’s not controlled by Microsoft or AOL – can’t trust these guys not to sniff on the communication – so instead they download the Jabber server to a host they control, and now the problem is solved.

Now they have a way to instantly send any fresh credentials stolen by Zeus to another fraudster waiting on the other side of the globe to receive them and engage in the cash-out activity, almost in real time.

The report discusses the exact flow of the Jabber use. It should be noted that real-time integration between harvesters and cash-out fraudsters was considered a major operational barrier to real-time fraud until recently, but this new Zeus functionality allows two groups – one engaged in spreading the Zeus Trojan and stealing credentials, and one interested in receiving the credentials ASAP and cashing out the account – to communicate effectively and complete the lifecycle of fraud in less than a minute.

What does this mean? It means we’ll see the time between credential harvesting and cash-out get shorter and shorter. I’d project that by mid-2012, over half of cash-outs in the US and West Europe will be within an hour of the credential theft by a Trojan.
