Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

Man-in-the-Browser, Parameter Injection, and Beating Multi-Factor Authentication

Trusteer has described a new variant of Zeus that combines many attack vectors. After the malware has been installed on the victim’s computer, it uses Man-in-the-Browser and Parameter Injection to steal information about a victim’s cell phone. The criminal then uses that information to claim that a cell phone has been lost and get the number reassigned to a different phone. Then, when the bank calls to verify a transaction, the bank is really calling the criminal and not the victim.

The thing I find amusing is that the name of the malware, Zeus Ice IX, appears to be a reference to Kurt Vonnegut’s Cat’s Cradle. In Cat’s Cradle, ice-nine was a fictional form of water ice, solid at room temperature, that froze every body of water it touched and ended the world. Hopefully Zeus Ice IX won’t be that catastrophic.

March 16, 2012 | Man-in-the-Browser

2012: A New Year – New Threats?

On behalf of Silver Tail Systems, I’d like to begin this blog post by wishing all of you a very Happy New Year. 2011 has come and gone, and with 2012 officially upon us, that can only mean one thing: new cyber threats. Of course that’s not all 2012 will bring, but cyber threats are forecast to be a top concern for banks, federal organizations, and e-commerce sites worldwide. In fact, according to Gartner, the financial impact of cybercrime will grow 10% per year through 2016, driven by the continuing discovery of new vulnerabilities.

We closed out the 2011 holiday season with Anonymous announcing its intention to steal from banks and “bring happiness and gratitude to families around the globe” with its ‘DestructiveSec’ campaign and with that, security experts predict more pain from cybercriminals for the coming year. This is only one group of threats, and many others – particularly in the mobile arena – will remain a priority for cybersecurity professionals and vendors throughout 2012.

The role that web session intelligence plays in the detection and prevention of online fraud is increasingly important as the use of web-based applications expands, and I believe this needs to be a key focus area for 2012. Visibility into the Navigation Layer matters because it lets an organization determine whether a potential risk or attack needs to be reported, and ideally limits the exposure to the attack while it is still under way.

January will mark the launch of the National Critical Infrastructure Cybersecurity Education Initiative, which aims to develop cybersecurity education programs between the private and public sectors. With both private and public companies today undergoing a very real shift in the online security landscape, I believe it is imperative to protect the freedoms and rights of US citizens while protecting their electronic safety. We may not be able to guarantee networks are completely bullet-proof, but we can help fight cybercrime by being more proactive. It is no longer sufficient to monitor only the web pages that support online transactions. Instead, we need to monitor every click on a website to ensure the criminals aren’t finding new means for perpetrating their attacks. By detecting and stopping threats in real-time, we can minimize the impact of cybercriminals and continue to safeguard sensitive computing networks and platforms.

January 4, 2012 | Fraud, information security, Man-in-the-Browser

FS-ISAC 2011 Fall Summit: Top 3 Discussions You Couldn’t Miss

As the 2011 FS-ISAC Fall Summit came to a close today, I returned from the summit with a fresh outlook, some food for thought and a few key takeaways to close out 2011. For those of you who didn’t attend the FS-ISAC Summit this year, this event serves as a meeting place for industry influencers from government agencies to share ideas and strategies for understanding the threats and how to defend against them. This year’s summit agenda was built around cyber-security and IT risk trends and issues, which is a hot button for us here at Silver Tail Systems.

This year’s summit was extremely influential for me personally as I had the pleasure of hosting a roundtable with Forrester’s Principal Analyst, Andras Cser. Andras’ expertise in security, risk, and enterprise fraud management fueled discussion for all attendees, including myself, at the roundtable. That being said, I thought this would be an appropriate time to share my perspective on the key topics discussed.

With the recently updated SEC and FFIEC guidance, compliance and regulatory mandates were of particular interest. As part of the roundtable I shared my thoughts on the topic, as I expressed in a previous blog post, so I’ll briefly reiterate. Since the commercialization of the Internet, there has been an evolution in how cyber criminals conduct malicious activities on Web sites. Because of that evolution, businesses will be required to strategize around how to protect the brand, stock price, revenue, and reputation of the organization. Unexpected costs associated with a malicious cyber event could range from a stock price dip to lost productivity when resources are pulled from revenue-generating projects to address the event. Additionally, when a well-orchestrated malicious security event is launched against a Web site, that organization will lose revenue if the site becomes inaccessible or does not function properly. Brand erosion will also occur as customers become concerned about the security of their information or purchases. If the Web site of a company is compromised, what is the likelihood a consumer would come back to the business and trust that their sensitive information is protected? Going forward it’s going to be critical for organizations to take into account the various business expenses that arise from the diversity of cyber attacks that are beginning to unfold. From the corporate boardroom to the average consumer, Navigation Layer attacks are far from isolated, localized events.

Another area of great interest was the topic of mobile initiatives. People wanted to know whether financial institutions are going to support mobile applications in the future in order to meet business requirements. My concern is that as computing platforms are extended to mobile devices, the attack surface grows with them, opening up a company’s computing environment to be even more susceptible to attacks. Not only are these devices presenting a huge challenge for security professionals worldwide, but companies and executives need to be up to speed on the challenges they face to protect their corporate reputations as well.

The last topic that was discussed is web session intelligence. In my opinion, the importance of web session intelligence can’t be expressed enough. The bottom line is that IT Security, Fraud, and IT Operations teams need to implement web session intelligence solutions to identify and address malicious activities in near real time. As the former head of Information Security for Sears Online, I’ve seen it all and that’s why I understand the role that web session intelligence plays in the detection and prevention of online fraud. It’s become increasingly important as the use of web-based applications expands and industry regulations evolve.

December 1, 2011 | Fraud, information security, Man-in-the-Browser, Online Fraud

New Mobile Malware Delivery Mechanism: QR Code

In many of my recent discussions, people ask how mobile malware is delivered. I’ve heard of it being delivered through some of the following mechanisms: (1) An SMS message could be sent to the phone that encourages the user to click on a link that takes them to an infected website; (2) A legitimate mobile app could be modified to contain malware (think Angry Birds changing to Evil Birds); (3) An app can be created specifically to be malicious – there was once an app that allowed login to more than 50 bank brands, each time stealing the user’s password.

This morning I was told of a new mechanism for infecting phones: QR codes. For those of you who don’t know, QR codes are the two-dimensional bar codes that phones can scan to be directed to a website. Kaspersky has announced that they have discovered QR codes that encode links to sites which push malware onto mobile devices, so the code itself is just the lure; the download happens once the phone follows the link.

A colleague mentioned to me that this type of delivery mechanism has already been used in Asia which makes sense since QR codes are much more prevalent there. But this new attack vector is evidence that QR codes are starting to become mainstream here if criminals see benefit in exploiting them.

The one other thing my colleague mentioned was that there aren’t good statistics on how often QR codes are malicious. I’d be curious if anyone has such statistics – if you do, let me know as this would make for a very interesting discussion.

October 5, 2011 | information security, Investigation, Man-in-the-Browser, Prevention

Has MIT Cracked the Code?

A newly presented paper from an MIT research team claims to defeat attempted Man-in-the-Middle attacks on wireless networks. At a high-level, the paper discusses the three ways that Man-in-the-Middle (MitM) attacks are perpetrated and then describes how they can use different types of signals between parties A and B, to notify party B when a third party has tampered with a message intended for party A.

After reading through what sounds like a lot of math mumbo-jumbo, it comes down to two assumptions: first, there are only three types of wireless MitM attacks and second, each type of attack can be identified to the party receiving the messages as the attack occurs. If this is true, it’s quite impressive. Now, I’m nowhere close to an expert on wireless MitM attacks, but my thought process about this approach comes in the form of two questions: 1) Are there really only three ways to perpetrate a wireless MitM attack and 2) Is it true that the attacker can’t work around the various ways to expose the tampering?

For the sake of argument, let’s assume the assumptions are true. Since I am much more concerned about the online world, I am wondering if there is any correlation between the wireless case and the online case. One concern is that there are several types of Man-in-the-Middle attacks in the online world. Sometimes just reading the “message” (for example the userID and password), without altering it at all, is enough to benefit from the attack, and a tamper-evidence scheme has nothing to detect in that case. If there is a way to be notified when there is such tampering, it would be very interesting to understand that since MitM is also a problem in the online space.

August 30, 2011 | education, information security, Investigation, Man-in-the-Browser

Hackers for Hire: The Outsourcing of Cybercrime

A recent post by Brian Krebs talks about the ability for anyone to “purchase” a denial of service (DoS) attack against any website they would like.  In the real world, I suppose this is similar to hiring someone to perform a “hit” for you, though the consequences are a bit less damaging.  While Brian talks in detail about DoS attacks, I think it warrants mentioning that there have already been other types of attacks that are suspected of being done on a for-hire basis.

The alleged infiltration of the Iranian nuclear facility was likely not carried out by a group who just wanted to cause mischief. There was probably a group that wanted to create a very specific event and needed the appropriate tools to do so. Whether that was “outsourced” to a hacking group or not is up for some debate, but the hypothesis that the attackers were paid for their services has definitely been floated.

There have also been purported cases of loggers hiring hackers to help them defeat the online permitting process.

No matter your viewpoint, it’s hard to ignore that criminals are benefiting from offering their services to the highest bidder.  It’s just scary that the highest bidder can acquire these sets of skills – and lack of ethics – on demand.

August 26, 2011 | information security, Man-in-the-Browser, risk management

Gates Versus Jobs: Whose Platform is More Secure?

In the past week I’ve had two different people tell me about a security incident that happened to them. One had her email and Facebook account compromised and the other had his email account stolen. When I talked to them about the various ways this could have happened, both of them said to me, ‘But that can’t be true! I have a Mac!’

While the security community has come to understand that neither Windows nor MacOS is a bullet proof platform, it is taking the general public a lot longer to come to the same conclusions. People who purchased Apple hardware five years ago could almost always safely assume that they wouldn’t be the victim of hackers. What people didn’t understand is that their security at the time had nothing to do with the overall security of their platform versus another. Instead, it came down to one economic factor: return on investment. Simply stated, if the criminals had to choose one platform to infiltrate, which one had the highest potential for victims, and therefore financial returns?  Five years ago the answer was overwhelmingly Windows.

Fast forward to today:  Steve Jobs and Apple have done a wonderful job in both producing consumer-friendly devices and marketing those devices such that the MacOS platform is now part of a much larger percent of the population’s technology. This makes it more lucrative to the criminals to focus some efforts on that platform.

So, for those of you who are frustrated because you bought an Apple device thinking it was more secure, you can blame Steve Jobs. His success has created a market for the criminals that didn’t exist before: your hardware.

August 18, 2011 | Man-in-the-Browser, risk management, Trust

Small Businesses: Attractive Targets for Today’s Hackers

A recent Wall Street Journal article by Geoffrey Fowler and Ben Worthen noted that hackers are expanding their targets beyond multinationals to include small companies making the leap to computerized systems and digital records. With the recent surge of online attacks putting Fortune 500 companies in headlines, hackers today are viewing small businesses as a greenfield when launching a cyberattack. Why are small businesses a prime target? Because small businesses typically lack in-house technical expertise and resources, hackers know that getting at their credit card numbers faces a much lower barrier to entry. With large businesses spending serious dollars on IT security, it’s time that small businesses follow the same path.

According to a National Small Business Cybersecurity Study, most small businesses don’t do enough to protect themselves online. Nearly one-fifth of small businesses don’t have or use antivirus software. Sixty percent don’t use any encryption on their wireless networks, and two-thirds don’t have a security plan in place. Having long assumed they were too small to be worth attacking, the small business community is now under a microscope, and cybercriminals are prepared to take advantage of weak security measures. This study validates that organizations need to expand the notion of security as it relates to enterprise networks and computer systems. It’s become vital that any organization selling products or services online, whether it’s a large bank or a small e-commerce site, be proactive and uphold a multi-layer approach to security. Not only are cyberthieves capable of accessing sensitive information about the small business itself, they may also gain access to sensitive customer information.

Bottom line: any business that keeps records on a computer that is connected to the Internet is vulnerable, and any network, system or application where employees have access to the Internet is vulnerable. Organizations of any size must invest in proactively monitoring all traffic to their websites in order to be always at the ready as tomorrow’s threats are expected to be more sophisticated and pose more risk to websites, and in turn, the end user.

July 27, 2011 | information security, Man-in-the-Browser

It’s About Time: FFIEC Releases New Guidelines for Financial Institutions

As I’m sure many of you have seen, it’s finally here: the financial industry’s most anticipated document. Just in time for Independence Day Weekend, the Federal Financial Institutions Examination Council (FFIEC) issued a supplement to its Internet banking authentication guidance. Last updated in 2005, the newly issued 12-page document provides guidance to help banks determine what technology investments to make in order to safeguard private networks and customers’ personal information from cyberattacks.

I am glad to see online security officials continue to emphasize an important point: cybersecurity must be a high priority for online financial institutions. We can’t guarantee networks are completely bulletproof, but we can protect against cybercrime by ensuring that organizations are more proactive. 2010 saw a surge in data loss as a result of breaches, and 2011 has seen an astounding number of high-profile breaches already. I was pleased to see my stance affirmed when the FFIEC recommended that a multi-layered approach to security is critical in helping combat cyber threats in real-time.

One area of focus the document does not discuss in detail is the rise of mobile banking from smartphones or tablets. Gartner analyst Avivah Litan also agrees with this point; the recent rise in malware and in man-in-the-browser, man-in-the-middle and man-in-the-mobile attacks is particularly alarming. Retailers, banks and credit card providers all need to be aware of the potential dangers associated with mobile purchases, mobile banking, online transactions and more. With so much corporate functionality and data available through mobile devices, we are already seeing abuse of these functions and I only see this problem getting worse.

The FFIEC guidelines also fall a bit short in that they don’t talk about the threats that occur beyond authentication and transactions. Recent attacks have used functions of a website other than login or money transfer to steal data and harm the brand reputations of some of the world’s largest websites. It is critical for online financial institutions, as well as any other online entity, to start looking at the ways their websites can be abused outside of login and money transfer.

It’s clear that financial institutions need to put preventative security in place and improve responsiveness to emerging and constantly evolving threats. One way to accomplish this is through behavioral and predictive analytics. By detecting and stopping threats in real-time, no matter what part of the website they are attacking, we can minimize the impact of data breaches, mobile threats, Man in the Middle, Man in the Browser, and whatever threats the attackers throw at us tomorrow and beyond. It’s great that the FFIEC supplement agrees with the importance of multi-layered security and I’m interested to see how financial organizations will tackle this approach in a mere six months and how much impact it will have given that the criminals have already found other ways to steal money, data, and brand reputation. Regardless, this is a step in the right direction and I look forward to working with institutions to minimize the threat landscape.

July 5, 2011 | Fraud, information security, Man-in-the-Browser, Online Fraud

Summary of Gartner’s Steps to Fraud Prevention

Gartner’s Avivah Litan, vice president and distinguished analyst, is a long-time industry expert focusing primarily on security and privacy. Her recent report, titled, “The Five Layers of Fraud Prevention and Using Them to Beat Malware,” is a great piece of research that outlines a multi-layered approach for addressing fraud and provides readers with step-by-step guidelines for combatting malware.

As we all know, malware is a huge problem and has been the driver behind increasing occurrences of man-in-the-mobile and man-in-the-browser attacks. So often, organizations don’t know where to start. The biggest takeaway from Litan’s research is the idea that each organization should have multiple layers of defense. It was great to see the way she laid out the different layers. I hadn’t seen detection and prevention segmented in this way and it makes a lot of sense. Fraud prevention teams need to design a framework for their program so that it is not solely focused on fighting fires. Only then can they truly think strategically and work to prevent attacks rather than just detect them.

The first layer of defense is securing the endpoint. The second is identifying the navigation patterns of everyone who interacts with your Web server in any way, across the whole session rather than at login alone. The third layer monitors user and account behavior within a single channel, the fourth correlates that behavior across channels, and the fifth links accounts, devices and other entities to each other to build consistent and accurate profiles.
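As an added example (my illustration, not code from Silver Tail Systems or from Gartner’s report), here is a minimal navigation-layer monitor of the kind the second layer describes and the “monitor every click” argument in the 2012 post above calls for. It learns from known-good sessions which page-to-page transitions occur and how quickly a human clicks, then flags live sessions that take a transition never seen in the baseline or that move at machine speed. The log format, the session-id field, the URL paths and every log line are constructed for illustration and do not describe any real bank’s site.

```python
# Added example (not Silver Tail Systems code): a minimal navigation-layer monitor over
# constructed web access logs. Format, session ids, paths and every line are made up.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <session-id> <METHOD> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def normalize(path):
    """Drop the query string and collapse numeric IDs so /accounts/1234 becomes /accounts/{id}."""
    return re.sub(r"/\d+", "/{id}", path.split("?", 1)[0])

def parse_log(lines):
    """Yield (timestamp, session_id, normalized_path); malformed lines are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, sid, _method, path, _status = m.groups()
            yield datetime.fromisoformat(ts), sid, normalize(path)

def build_sessions(events):
    """Group events by session id into time-ordered lists of (timestamp, path)."""
    sessions = defaultdict(list)
    for ts, sid, path in events:
        sessions[sid].append((ts, path))
    return {sid: sorted(clicks) for sid, clicks in sessions.items()}

def learn_baseline(sessions):
    """From known-good sessions, record every observed page transition and the fastest click gap."""
    transitions, gaps = set(), []
    for clicks in sessions.values():
        transitions.add(("START", clicks[0][1]))
        for (t0, p0), (t1, p1) in zip(clicks, clicks[1:]):
            transitions.add((p0, p1))
            gaps.append((t1 - t0).total_seconds())
    return {"transitions": transitions, "min_gap": min(gaps) if gaps else 0.0}

def score_session(clicks, baseline):
    """Return the reasons a session looks suspicious; an empty list means it fits the baseline."""
    unseen, prev = set(), "START"
    for _, path in clicks:
        if (prev, path) not in baseline["transitions"]:
            unseen.add(f"unseen transition {prev} -> {path}")
        prev = path
    reasons = sorted(unseen)
    if len(clicks) > 1:
        gaps = [(t1 - t0).total_seconds() for (t0, _), (t1, _) in zip(clicks, clicks[1:])]
        median = statistics.median(gaps)
        if median < baseline["min_gap"]:  # faster than any human click seen in the baseline
            reasons.append(f"machine-speed navigation (median gap {median:.2f}s)")
    return reasons

def analyze(baseline_lines, live_lines):
    """Score every live session against a baseline learned from known-good traffic."""
    baseline = learn_baseline(build_sessions(parse_log(baseline_lines)))
    return {sid: score_session(clicks, baseline)
            for sid, clicks in build_sessions(parse_log(live_lines)).items()}

# Constructed known-good sessions: a human logs in, looks around, transfers, logs out.
BASELINE_LOG = """
2011-05-04T09:00:00 s1 GET /login 200
2011-05-04T09:00:05 s1 POST /login 302
2011-05-04T09:00:12 s1 GET /accounts 200
2011-05-04T09:00:30 s1 GET /accounts/1234 200
2011-05-04T09:01:02 s1 GET /transfer 200
2011-05-04T09:01:40 s1 POST /transfer 302
2011-05-04T09:01:55 s1 GET /logout 200
2011-05-04T09:10:00 s2 GET /login 200
2011-05-04T09:10:04 s2 POST /login 302
2011-05-04T09:10:10 s2 GET /accounts 200
2011-05-04T09:10:25 s2 GET /statements 200
2011-05-04T09:10:50 s2 GET /logout 200
""".strip().splitlines()

# Constructed live traffic: s3 is a normal user; s4 is a scripted login-to-transfer run at
# machine speed (the shape of an automated MitB transfer); s5 never logs in and walks account IDs.
LIVE_LOG = """
2011-05-04T09:20:00 s3 GET /login 200
2011-05-04T09:20:06 s3 POST /login 302
2011-05-04T09:20:14 s3 GET /accounts 200
2011-05-04T09:20:33 s3 GET /statements 200
2011-05-04T09:20:50 s3 GET /logout 200
2011-05-04T09:21:00.000 s4 GET /login 200
2011-05-04T09:21:00.200 s4 POST /login 302
2011-05-04T09:21:00.400 s4 GET /transfer 200
2011-05-04T09:21:00.650 s4 POST /transfer 302
2011-05-04T09:21:00.900 s4 GET /logout 200
2011-05-04T09:22:00 s5 GET /accounts 200
2011-05-04T09:22:01 s5 GET /accounts/5678 200
2011-05-04T09:22:02 s5 GET /accounts/5679 200
2011-05-04T09:22:03 s5 GET /accounts/5680 200
""".strip().splitlines()

if __name__ == "__main__":
    for sid, reasons in sorted(analyze(BASELINE_LOG, LIVE_LOG).items()):
        print(sid, "OK" if not reasons else "; ".join(reasons))
```

Run stand-alone it prints one verdict per live session: s3 fits the baseline, s4 jumps straight from login to transfer with sub-second gaps, and s5 enumerates account pages without ever passing through login. Neither s4 nor s5 would be caught by a control that watches only the login and transfer pages, which is the point of the navigation layer. A production monitor would learn the baseline continuously and replace the plain transition set with transition probabilities, but the signal lives in the same place: the sequence and timing of every request in the session.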

Litan also draws attention to the fact that technology can’t do everything – you need intelligent, knowledgeable people managing your environment and watching for and addressing the right issues. It is also imperative to stop and strategically design your processes, because without that framework, getting one step ahead of cybercriminals becomes a near-impossible task. A general rule of thumb is to identify your internal assets first and then outline where your holes are before making any technology investments.

May 4, 2011 | education, Fraud, Man-in-the-Browser
