Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

Microsoft: Takedown of 153 CnCs Out of 156 is a Great Start

In an article yesterday, FireEye talks about how the recent Zeus takedown by Microsoft resulted in only 153 command-and-control domains being disabled instead of the full 156 domains. While it would be great to have all domains shut down, I applaud Microsoft and the other collaborators who put the effort into getting these domains shut down.

That effort and the one by Kaspersky to shut down the Kelihos system are remarkable in that it is the first time we have seen real impact on large botnets. Of course the first few attempts at this aren’t going to be perfect. But at least people are taking a step in the right direction!

April 5, 2012 | Detection, Zeus

Scammers as Vigilantes?

Brian Krebs has another very intriguing post about $600,000 being stolen from the Catholic Diocese of Des Moines. This follows the usual storyline: the victim’s computer had malware, and the malware was used to steal money.

Where the story diverges from the usual is that the criminals told the mules that these stolen funds were going to be sent to the victims of sex abuse associated with the Catholic church. Do I think the funds will really go to the victims? No. What I think is that the criminals have found a new way to convince mules that the crime being perpetrated is for a good cause. It’s essentially a new spin on the “you are sending money to build orphanages in third world countries” bit.

Anyone out there think that this money was really going to abuse victims?

September 2, 2010 | business logic abuse, Fraud, Man-in-the-Browser, Zeus

Are link-shortening services not so bad after all?

An article today talks about a study done by ZScaler on link shortening services like bit.ly and tinyurl. The results show that well under 1% of links posted on Twitter led to something malicious.

There’s an obvious reason to use the shortened URL services to send people to webpages with malicious code or unexpected content. People have been trained to look at a URL to determine whether the destination is legitimate. (Hey! Maybe some of that consumer education I did in a former life actually worked!) With shortened URL services, the URL is trusted since it is from a well-known brand like tinyurl. It is not clear to the consumer where s/he will actually be taken once they click the link.

I was very surprised by the findings of this study, but my opinion may be biased. I see lots of articles about malicious shortened URLs on Twitter and Facebook, and I get emails about these types of problems quite often. Maybe because I care about things like this, people send me many of the examples, or I notice them more in the news?

April 5, 2010 | Fraud, Social Networks, Zeus

Kneber – the “new” version of Zeus

Brian Krebs posted an especially compelling blog post about the recent white paper from NetWitness. Mr. Krebs comments on how Kneber – the “new” variant of Zeus – isn’t really all that new:

Sadly, this botnet documented by NetWitness is neither unusual nor new. For the past several years at any given time, the number of distinct ZeuS botnets has hovered in the hundreds. At the moment, there are nearly 700 command-and-control centers online for ZeuS botnets all over the world, according to ZeuStracker, a Web site that keeps tabs on the global threat from ZeuS.

As a security researcher, I understand that it can be difficult to explain what is new and interesting about a particular event. But it’s too bad that some of the news outlets didn’t understand that they were reporting on something that had been around for a long time and that wasn’t as remarkable as they portrayed it.

If anyone has comments on good ways to work with the press to minimize these misunderstandings, I’d very much appreciate hearing them.

February 22, 2010 | information security, Zeus

Screen Injection Webinar – All Your Users’ Credentials Belong to Zeus

Update: the link below was going to the wrong place for a while. It has been updated and should be correct now.

For those of you who have followed the press coverage of the Zeus malware, you might be wondering about the various functions available within Zeus. In this webinar we’ll get into the details of one particular function: screen injection (aka parameter injection).

The webinar will be February 23 at 10am Pacific time. If you want to participate, you can register here. Unfortunately, because of the sensitive nature of some of the things we’re going to show in the webinar, we’re restricting participants to people who work for brands targeted by Zeus and to law enforcement. If your webinar registration is denied and you believe you fall into one of these groups, please let me know.

Abstract:

The financial services industry has responded to the inadequate security provided by username/password authentication with widespread deployment of two-factor authentication. However, the criminals behind the leading banking Trojans have been innovating as well. Their latest advance – screen injection – has been successfully integrated into the Zeus, Clampi and URLZone data theft Trojans. According to the FBI, this new ability to defeat multi-factor authentication has led to more than $40 million in online banking theft from the US alone. Understanding screen injection is critical for everyone concerned with online security.

In this webinar, Laura Mather, Ph.D., Founder of Silver Tail Systems, will give a detailed explanation of screen injection. She’ll provide a quick overview of the general nature of the “Man in the Browser” data theft banking Trojans and then dive into the operational details of screen injection as it has been weaponized in the Zeus malware.

We will conclude with live demonstrations of screen injection from the victim’s perspective. Using first a clean computer and then an infected computer, you will see screen injection at work on many US banking sites, stealing ATM PINs, social security numbers and answers to secret questions. The challenges of detecting this devious attack and possible solutions will be discussed.

If you are concerned about the latest criminal innovations, this webinar will give you an in-depth understanding of one of the key criminal techniques. Find out before your organization becomes a victim.
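An added example, not code from Silver Tail Systems or from the webinar, of the server-side view of the “parameter injection” the abstract describes: a web session monitor that flags form submissions carrying fields the bank’s own page never defined, and then looks for the same unknown field arriving from many sessions, which distinguishes a deployed inject configuration from one odd client. It assumes the injected fields are posted to the bank’s endpoint alongside the legitimate ones; the endpoint names, field names and sample requests are constructed.

```python
from urllib.parse import parse_qs

# Parameter names each endpoint's real form defines (constructed for this example).
EXPECTED_PARAMS = {
    "/login": {"username", "password", "csrf_token"},
    "/otp": {"otp_code", "csrf_token"},
}

# Constructed sample POST bodies as a request log might record them; sess2 and
# sess3 carry extra fields of the kind a screen injection adds to the real form.
SAMPLE_REQUESTS = [
    ("sess1", "/login", "username=alice&password=x&csrf_token=abc"),
    ("sess2", "/login", "username=bob&password=y&csrf_token=def&atm_pin=1234&ssn=123456789"),
    ("sess3", "/otp", "otp_code=482913&csrf_token=ghi&atm_pin=9876"),
    ("sess4", "/otp", "otp_code=775120&csrf_token=jkl"),
]


def unexpected_params(path, body):
    """Sorted names submitted to `path` that its form never defined."""
    submitted = set(parse_qs(body, keep_blank_values=True))
    return sorted(submitted - EXPECTED_PARAMS.get(path, set()))


def scan(requests):
    """Per-request alerts as (session, path, [unexpected names])."""
    return [(sess, path, extra) for sess, path, body in requests
            if (extra := unexpected_params(path, body))]


def campaign_view(requests, min_sessions=2):
    """Unexpected field names seen from at least `min_sessions` distinct
    sessions, with the session count. A single client sending a stray field
    is noise; the same unknown field from many sessions is the signature of
    an inject configuration pushed to a botnet."""
    seen = {}
    for sess, path, body in requests:
        for name in unexpected_params(path, body):
            seen.setdefault(name, set()).add(sess)
    return {name: len(s) for name, s in seen.items() if len(s) >= min_sessions}


if __name__ == "__main__":
    for sess, path, extra in scan(SAMPLE_REQUESTS):
        print(f"ALERT {sess} {path}: unexpected fields {extra}")
    print("fields seen across sessions:", campaign_view(SAMPLE_REQUESTS))
```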

February 11, 2010 | Fraud, Man-in-the-Browser, Zeus

Even more on Zeus

There has been a fair amount of interest in the Zeus blogs, so I thought I’d continue in that vein.

Bruce Schneier has an interesting article about how to beat second-factor authentication. One of the methods (the trojan) describes the methodology that Zeus uses to get past second-factor authentication:

Trojan attack. Attacker gets Trojan installed on user’s computer. When user logs into his bank’s website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.

Bruce gives some examples and talks about how second-factor authentication is not going to solve all identity theft problems. This is a worthwhile read if you want to know more about how bad guys are beating strong authentication.

September 22, 2009 | Detection, Fraud, Man-in-the-Browser, Phishing, Zeus
