Thirty years from now, if I ever look back and read my old blogs, I’m sure I’ll agree with what my current self is about to state: There was never a better time to be a cybercriminal than in good old 2009.
So many things worked in favor of online fraudsters that I doubt there’ll ever be a year as good as 2009, assuming you’re a crook trying to empty unsuspecting victims’ accounts.
2009 featured three main trends that lined up in a rare celestial alignment. Knowing that it’s after New Year and we all have tons of emails to read, I’ll divide this blog into 3 entries, each covering one trend and the solutions the industry developed against it.
Point-and-Shoot High-Grade Trojan Horses
Let’s take a step back for a minute and talk about Trojans. We all know what Trojans are, but how many consumers know what a financial Trojan horse can do? Most people still think of viruses as something that will destroy their hard drive; Trojan horses have a different objective. They want your PC to work perfectly… until you access your online banking account.
Trojans have cool names. Torpig, now known as Sinowal, terrorized the European financial industry as early as 2006. Limbo, one of the first massively used HTML injection kits, dominated the fraud underground in 2007. And in 2008 a new incumbent appeared in the dark cybercrime sky: Zeus. User-friendly, stealthy and highly customizable, Zeus quickly became the weapon of choice of many fraudsters.
In 2009, Zeus 2.0 emerged as the clear winner of the Trojan War. Now armed with full Man-in-the-Browser capabilities and real-time alerts, Zeus 2.0 allows a fraudster with little technical know-how to empty a victim’s account in seconds, transferring funds to a mule account while circumventing virtually every form of strong authentication through a combination of social engineering and session hijacking. Thousands of individuals and small criminal groups use Zeus 2.0; each infects on average thousands of PCs, resulting in millions of compromised machines spied upon by the cybercriminals.
Zeus 2.0 records almost everything you do on your PC: credentials to just about any site of interest to the fraudsters; HTTPS traffic; even HTTP forms. It grabs data stored in your browser’s protected storage area. It even copies your clipboard: who knows, maybe this will become useful. The result: terabytes of data stolen by each Z-bot.
ZeusTa (see image below), a complete ‘Fraud as a Service’ offering, took it one step further: for $120 per month you get Zeus 2.0 hosted on a bulletproof server and connected to a high-grade infection kit, so you can just have thousands of infected PCs send gigabytes of stolen records to your ZeusTa inbox. All of a sudden, every petty cyber thug who was once involved in small credit card scams could access WMD-grade crimeware without even knowing how to spell ‘Trojan’. It’s like the 3 megapixel point-and-shoot camera installed in my Nokia cell phone: you don’t need to be an Alfred Eisenstaedt or an Annie Leibovitz to get satisfactory results.
Other Trojans also bob in and out of the murky swamp of cybercrime. Most of them are operated by crime syndicates rather than sold as kits in the underground. After the massively popular Zeus and the notorious Sinowal there’s a long tail of other Trojans. Here are a few examples: Clampi hits mainly corporate accounts; URL Zone infests European PCs; Silentbanker kicked back into action recently.
Industry Response
The UK Payments Administration reported 39 million pounds in H1 2009 online banking losses, a fraction of the 233 million pounds lost in card fraud over the same period. While the figure is higher than last year, there’s no exponential growth. It shows the financial sector did not sit idle, watching Trojans evolve into a lethal threat without developing counter-measures, such as:
To summarize, 2009 was a great year for fraudsters in terms of the tools and services at their disposal. Like point-and-shoot cameras, Trojans today provide superior results without requiring great technical skill.
Remember this is the first of 3 major trends… So from a fraudster’s perspective, things get even better in my next post.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.