The cyber-crime threat to online transactions


INTERNET TRANSACTIONS

Bruno Rodriguez, product manager, Panda Labs internet transactions

Every day, millions of pounds change hands across the internet in online transactions. Some of these transactions, such as those of large corporations, are worth millions in themselves. Others, such as iTunes Store downloads, eBay purchases, and bill payments, are more modest. In total, however, the amount of money that moves online is more than sufficient to attract criminal attention. Whereas hackers were once motivated by the notoriety they could achieve with widespread they are now in it for the cash, and as such, they prefer to keep their heads down and stay out of the limelight.

The rise of the trojan

This change in attitude goes a long way to explaining why trojans are now the most numerous type of new malware. These malicious codes are ideally suited for the aims of today’s cyber-crooks, and in particular, for stealing confidential data. In fact, one specific class of trojan, known as banker trojans, specialises in stealing passwords for online banking services.

The methods used by banker trojans are many and varied. Some, for example, lie in wait for users to enter certain words (e.g. the name of a bank) or URLs. When triggered, they start to capture keystrokes. This way, they can obtain the bank password of the infected user. There are even trojans that can make video captures of the data entered by users in bank web pages, as in this way, they can obtain information entered in virtual keyboards that would be inaccessible through the technique described above.

Another type of banker trojan is designed to display a spoof web page, imitating that of the user’s online bank. If the user were to enter bank details in this false page, the data entered would be sent to the cyber-crooks. This type of fraud is used, for example, by some variants of the banker family of trojans.

This technique is very similar to (in fact, pretty much copied from) the one used for phishing. Although phishing generally targets users of banking and financial services, it is not unheard of for other types of web pages to be used, such as eBay, or the Inland Revenue.

Figure 1: How malware can be stopped and mitigated to preserve the integrity of future internet transactions.

May 2009

Network Security


Although it may seem unlikely that users would fall for the tricks used by phishers, a study by Gartner has revealed that phishing attacks caused losses of $3.2 billion among US consumers in 2007. Similar research by the Anti-Phishing Working Group estimated that in 2006, the average amount stolen from each victim of phishing and trojans was €6,383.

There is no precise data on the profits generated for cyber-crooks by banker trojans, but the estimates produced by Gartner on the effect of phishing in the USA indicate that the revenue returned by these more sophisticated techniques must be extremely high.

Pharming

There is a third serious threat to online transactions, which is to a certain extent a combination of the two already mentioned. Like the first example mentioned, it is usually implemented through the actions of malicious code, and like phishing, it redirects users to spoof web pages and invites them to enter confidential details. We are talking about pharming.

Pharming involves modifying the hosts file on a user’s computer. This file relates IPs (for example, 198.125.12.XX) with their corresponding URLs (e.g. www.pandasecurity.com). By modifying this file, cyber-crooks can direct users anywhere they want. In the case of online transactions, all they have to do is link the URL of a bank, online store, etc. to a malicious IP hosting a spoof version of the target website. This kind of modification can also be performed manually by a hacker who has remote control of a computer, although this is less common.

One advantage of pharming over, say, phishing, is that it is not dependent on users taking the bait and visiting the spoof web page via the fraudulent email. In the case of pharming, it is the user that actually types in the bank’s URL, and that’s when the fraud is perpetrated, completely transparently to the victim.

All these threats affect users of banks and pay-platforms, but not the companies themselves. This may seem illogical, as the amount of money that any single home user might have is a trifle compared to that of a bank. The reasoning, though, is that as the security of institutions is much tighter, it is considerably easier to target an individual user. Moreover, theft of say £500 from 1000 users attracts far less attention than stealing the same amount directly from a bank. Currently, cyber-crooks are focused primarily on silent epidemics, stealing money and barely leaving a trace of their actions.

Protection

However, just because individual users are the main target of today’s cyber-crooks, this does not mean that banks, ecommerce and other online businesses are not losing money through this fraud. So far, banks and companies have designed different security strategies to make sure that the person at the other end of a transaction is who they claim to be, and not a hacker. From cards with coordinates to virtual keyboards, these various authentication systems have been undermined by cyber-criminals.

Nowadays, when users of these services discover that their bank accounts have been emptied, they file a claim with their bank, which, besides having to reimburse the client, must take action to stop the attack and prevent other users from falling victim to it. To do so, they must identify the malware responsible, find a way to block its effects and actually implement the necessary measures. This usually takes a minimum of 48 hours, sufficient time for the amount of money lost to increase considerably.

Banks and financial entities spend thousands of euros on security, and even so, they have to cover huge financial losses every year. Why? Because they didn’t check the weakest link in the authentication process: the user. If a user happens to be infected by a newly created banker trojan, then all the banks’ security efforts could be in vain. So, it’s not just users that need to be concerned about the security of online transactions. Banks, pay platforms, ecommerce operators and others leave both their money and image at stake with fraudulent operations.

About the author

Bruno Rodriguez has been working at Panda for just over one year and before taking on the role of product manager for Panda Security Internet Transactions, he was business development manager and director of the Malware Radar Business Unit. Prior to joining Panda, Bruno worked as business development manager in Euskaltel for 6 years, driving incremental business in the telecommunications and internet industry. He has also worked as a consultant at Ipartek. Bruno Rodriguez holds a computer engineering degree from Deusto University (1999) and also an MBA from the same university (2005).
