Sunday, January 24, 2010

Banks under fire. Malware vs. financial companies

For many people the word "hacker" is associated with the word "bank". This is not surprising, because for several decades, crackers, who wanted to "get" a lot of money, paid his calculating gaze is on the banks. And this is understandable: what can give the most money, if not an attack on a major bank?

But to break into servers that manage transactions and accounts, - a thankless task. It will attract too much attention, and attention increases the risk of being caught. So much more interesting to the attacker's just another option - it is to gain access to the assets of one bank's clients. Quite simply: less scale hacking - more likely to remain at large - inverse, speaking in mathematical language. This is where I would like today to stay. In this article I make out the following: the types and the work of malicious software that specializes in banks and other financial organizations, social engineering techniques used by hackers, attacks that are carried out in order to get information about your account or to seize control transaction. As well as reflect on the theme, "and how to avoid.

Financial malware - it is the name of the malicious programs are targeted at financial services companies in the classifications of anti-virus laboratories. In this case the monetary malware may include not only the program of one class (for example, not only Trojans daunloader'y, but keylogger ', etc.). To start, I think it will be useful to run a little statistics. This will greatly assist us in understanding the current situation at the moment and its differences from the situations that occurred in the past.

Some Statistics

According to statistics from Kaspersky Lab, after reducing the financial activity of writing malicious code at the end of 2006 was marked by a sharp jump from the number in the network, which already took place in 2007. Pay attention to the chart (Fig. 1) - shows that the jump was not impulsive, but just the opposite: the average stayed almost stable at sufficiently large values. Naturally, increasing the number of malicious software aimed at finance, and brought to an increase in attacks on banks. The present situation is slightly different, because values began to decline (see chart), but the number of attacks on banks remains at that level. As the first cause, which led to this turn of events, I would like to highlight a wide choice of technology attacks. Attackers use a completely different methods in fact, and not all of them require the participation of malicious software - hence the difference. The second reason is that most hackers prefer to modify an existing program than to write something completely new. This is quite understandable - why sit a few days, if sufficiently few hours?

Most bank malware aimed at specific region. This led to the creation of software that can carry out an attack on some banks (usually 1-3), usually located in the same region. An attacker can not prepare for malicious bank of another country before not acquainted with its structure protection, and make it easier for all with the bank, which is handy. Below is another chart, which reflects the percentage of malware that can attack several banks (Fig. 2). In addition, there has been the introduction of or attachment to the type of financial malware rootkit (rootkit) technology, whose task is to protect the malware from antivirus systems and their verification technologies. Given that rootkits are now at a fairly high level of development, and technology to successfully deceive the anti-virus software is not bad, made it difficult for antivirus laboratories.

By means of protection applies to polymorphism, but not one about which you all thought. The fact that the classical polymorphic viruses with no problems are determined by antivirus scanners. At the new level of development has been actively used server-side polymorphism, which is characterized by the fact that the script code modification is not in the body of the virus, but on a remote server. Thus, the algorithm can not analyze the script, and hence more difficult to identify malicious - remains the only generic-detection (detection of the common signs of malware), but it is not so reliable as signature.


Phishing mules and cash (money mules) - the two techniques of deception. In this case the first is designed to steal the rights data fraudulently, and the second - to launder the stolen money. Let's order. Activity distribution "phony" letters is still high - this suggests that fraud is sufficiently effective. Users fall for again and again. The reasons for this may be a few. Perhaps the most stupid - ignoring information about phishing e-mailings - our old-established national "maybe blow over." The second reason can be called a simple lack of awareness of users in terms of security, as a consequence - ignore messages about the absence of certificates. In general, the result is the same - the user without a doubt is the link and enter account data (plastic credit card) in the form of a fake bank website. There are banks here and the wine, and it is in the fact that most of their security systems use static passwords. Attacker enough to get the password, and access to an account in his pocket. To change this situation can only dynamic passwords that can be sent to the client by mail, SMS or just transferred to the bank on the media. However, most banks prefer simple static passwords - this is their weakness.

Money mules (still referred to as loot), as I said, intended to "launder" money. Every effort is quite simple: the site publishes vacancy announcement. "Financial Manager" by concluding a contract, nothing suspect. If you are using mules, the financial system of electronic money: the purses come mule means that it must be translated into other wallets, while keeping a commission of 5-15%. This helps attackers to escape punishment if the operation would be discovered and traced the bank or special services. In addition, the mules, in most cases are treated as partners, so do not hang the tag "easy income" for this occupation.

the Net

I think that the subtitle seemed strange to you. I shall now make a little explanation: there collected information about all the attacks, one way or another connected with traffic, its transmission, etc.

First in line is an attack, which is widely used for hacking, it is - to divert the traffic. One of the easiest ways is to change the redirection file hosts, which is located in Rute system at system32\drivers\etc. With this file, you can avoid requests for DNS-server. These servers (DNS) converts domain names into IP-addresses, because the request to the server can only address. If in some way to change the file, you can ensure that when entering a specific domain name request will be sent to a fake server.

Next on the list will go is already familiar to many and many times I have described the attack MitM (Man-in-the-Middle). Let me remind you: this attack is, as the name implies, is that between the server, the addressee and the sender there is a host-channel data interception. Naturally, the data that is sent to the user, may be altered or "doctored" for an attacker to obtain the desired result. Naturally, the interception takes place through financial malware, who both work as a saboteur to the victim computer. In such cases, the owner of the account in the Internet banking may provoke one deal, and doctored information coming to the server, make another.

Another technique of attacks, which belongs to the new school, a Man-in-the-Endpoint. This attack is different from MitM'a only that changes in traffic is not on the "middle", and on the local machine. Cost of time, of course, much more, but holding an illegal transaction does not present extra IP, which again, reduces the likelihood of attracting attention. The process has a look like this: Trojan infects the system and sends traffic to the remote computer, where the virus writer, analyzing the information received, prepares for another Trojan attack on a specific bank resources.

And what can we do?

Unequivocally that protect the banking system completely impossible. When the main drawback was static passwords, problem solved (and very successfully) any malicious programs that intercept keystrokes or fake forms on fake sites. When everything came around and began to introduce a system of dynamic passwords, it is to solve the problems with static, but did not stop the attackers - the battle went to the attack, aimed at the traffic. Therefore, the only thing you can do - constantly monitor the status, conduct nology and analyze suspicious transactions. This will solve some problems, the rest need to be addressed by continuing to update security systems, as in the war Hack vs. Security resistance varies in two directions and, most likely, will not come into equilibrium more than one century. So it all depends on the speed. Unfortunately, while losses from the attacks on financial institutions rising, that upsets. Therefore only hope for professionals in the field of IB, which under the force in some way to bring some stability in this area. On this I finish - I hope that the information led you to think about the situation, and most importantly - about his condition:).

"Get Money for Clicks" - Fastest Growing Domain Parking Company in the World.

No comments:

Post a Comment