iZOOlogic protects hundreds of the world’s leading brands, across banking, finance, government and more.
The iZOOlogic platform is an integrated suite of solutions allowing real time intelligence into the online threat landscape and provides a seamless 24 x 7 x 365 Global Incident Response.
Phishing first came to light more than a decade ago – and really took hold 2001 – 2003. After the world dealt with the Y2K mania – phishing was the new super bug.
Banks took out adverts in newspapers and other print media to warn their customers of phishing attacks. This endeavor was to try and educate their customer base to this new and emerging risk. These days, banks would hardly advertise the fact that they are the target of phishing. Though, last year in one of our emerging markets we surprisingly saw the same strategy of a local bank warning their customers against phishing in print media.
We are not actually sold on this idea of educating the customer as a fool proof method of phishing protection.
Cybercriminals still use emails to launch the social engineering component of a phishing or malware attack. Email content uses a ‘call to action’ such as a security update, web payment or refund to lure victims into clicking on the embedded link. Users are routed to fake web content or to download malicious attachment and executables.
Criminals can easily send such emails using a spoofed ‘from’ address to mask the spamming source. The spoofed source address adds to the legitimacy of the sender’s credentials and garners the required trust to trick the victim to act upon the social subterfuge. Spear phishing attacks can disguise email requests such as executive staff or a trusted trading partner. If a user receives an email from a known trusted or senior source, the user is much more likely to take immediate action.
All business networks will have some gateway and endpoint email security such as spam filtering and anti-malware protection, however, such emails can often bypass such controls, especially if the spam run is discreet, smart or launching a zero-day attack. It is well known and documented that such anti-virus and anti-malware products struggle to combat emerging threats.
Other messaging platforms such as SMS, online messaging services on social networks, instant messaging, whatsapp and skype can also be exploited to spread phishing attacks. Although other platforms are increasing in popularity, email still remains the primary vector to distribute phishing and malware content.
SMiShing attacks often leverage a trusted brand to route the victim to a phishing site. An alternative variant of SMiShing is where the spam message contains only a call back number. The message maybe as simple as ‘Please urgently call back xxxx xxxx xxxx to update your account details’ and there is no mention of a brand’s name. This type of SMiShing can easily reach a broad audience. The number may direct to a human voice – where our friendly criminal will answer the call, or it may often lead to an automated system where the victim is prompted to enter in credentials.
This type of SMiShing, where a brand is not leveraged, is harder for the business to monitor and detect as their brand is not mentioned in the message or attack. However, the bank may still end up with their access credentials / credit card details compromised.
SMiShing is prevalent in some countries where a new mobile phone number can be readily obtained, often with a lack of verification, or where mobile pay-as-go accounts are common. The use of fake IDs, credit card details can also be used by the criminal to obtain a mobile number. The portability of mobile numbers to alternative carriers may also assist the criminal in their efforts. In some countries, the telecommunication regulator mandates the ease of obtaining mobile accounts and the portability of those accounts which further assists the criminal in launching their attacks.
The source of SMiShing originates from the telco network but the outcome deeply affects other industries such as finance and banking. As the victim is often a non-telco business the motivation to help prevent this kind of SMiShing may be a little disparate. Often the real solution may take a coordination between the telco/bank with the involvement of the respective regulators.
Let us introduce the Top 4 Malware – Financial Trojans – Zeus, Carberp, Citadel and SpyEye. Later in this series of articles we will look into each malware (financial Trojan) in greater detail but allow us to make the formal introductions.
Zeus is not only the Grecian God but also the mother of all financial Trojans. Zeus first came onto the radar in 2007 after it was used in a credential-theft attack targeting the United States Department of Transportation. Since then it has remained the king of malware. Other malware has evolved with increased sophistication, however, Zeus has been responsible for the highest infection rates and financial losses. Infected victims are in the tens of millions and total fraud impact makes this a billion dollar piece of software. The original Zeus creator left the “business” in 2011 and the source code was published in 2011. Most other financial Trojans have some kind of Zeus function, method and even base code.
Zeus is also known for innovative usage of mobile ‘younger brother’ called ZitMo to circumvent popular two-factor authentication schemes with a security code being provided via text message. SpyEye and Carber developed their respective mobile counterparts as well.
Banking malware aside, the Zeus trojan is among the most notorious of all malware, second only perhaps to Stuxnet.
Carberp was originally introduced as a typical financial Trojan. It was designed to steal users’ sensitive data such as online banking credentials, username/password pairs, authentication token etc. Carberp was maintained via the cyber-criminals via a command and control (C&C) server and sent stolen data back to the primary server or credential drop sites. Carberp was soon enhanced with a layer of sophistication via a complex rootkit functionality allowing the Trojan to hide on the victims device. Later generations of Carberp provided variants with added plug-ins. These add-ons provided further stealth that uninstalled or disable anti-virus software plus others that scanned and disabled competing malware. This is an arms race.
The Citadel trojan is a variation of the king of financial malware, Zeus. Citadel started where Zeus finished. It emerged, along with a number of other one-off trojans, after the Zeus trojan’s source code leaked in 2011. Citadel is like financial Trojan 2.0 – where the creators opened up the business models and the level of professionalism kicked up several gears. Cybercriminals could now purchase this financial malware under license. The source code was in the public domain where enhancements and function were constantly being revised and enhanced. Citadel’s initial noteworthiness has a lot to do with its creator’s novel adoption of the open-source development model that allows anyone to review its code and improve upon it.
The SpyEye trojan came out after Zeus and ran in parallel or competition to Zeus. Spyeye functioned in a similar manner to Zeus in terms of architecture and ran with large scale deployments and massive botnets and infection rates. We saw the back end infrastructure such as the Control and Command server become more complex, with multiple servers with built in redundancies making mitigation difficult. However, SpyEye peaked and then quickly became less popular as Zeus and Citadel Trojans evolved and became the Trojan of choice amongst the cyber criminal networks. At one point, parts of SpyEye botnet operation merged with Zeus into a meg-banking-botnet, but it would ultimately burn out without living up to the initial hype.
Financial Trojans evolve, always with increased stealth, impact to provide their creators, owners and masters a return on investment. Victim organisations must deploy strategic layers of defense – and in an evolving manner
In an online world the digital assets of the business are open to a large range of fraud and abuse. Digital assets can be legally protected via Trademark and Copyright ownership claims. Examples of trademark and copyright infringement are fake websites and phishing sites, unauthorised social media accounts, rogue mobile apps, spoofed domain registrations, leaked private business documents and more.
When business trademark and copyright properties are available in the public domain the organization has the rights to enforce their property ownership.
Copyright vs Trademark
Two main type of protection the business can use are Trademark and Copyright claims.
Copyright is a form of protection provided to the authors of ‘original works of authorship’. Copyright includes works of art, photos, pictures, graphic designs, drawings and other forms of images.
A Trademark is a word, name, symbol or device which is used in trade with goods to indicate the source of the goods and to distinguish them from the goods of others. Trademark rights are used to prevent others from using a confusingly similar mark, but not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark. Trademark protects a business name title, slogan, or other short word phrase. Copyright law does not protect a bare phrase, slogan, or trade name.
A company logo image design is protected either by trademark or copyright law depending on whether its use is intended to identify the source of goods or services. Usually a company logo design in protected by a Trademark claim.
In an evolving online world the business must take effort to protect its digital assets. Protection is usually made via either a trademark and copyright claim. First the business needs proactive detection, then to deploy an appropriate response in negotiating with third parties for the removal of the infringement.
First let’s define the internet, “The internet is the global system of interconnected computer networks that use the Internet protocol suite (TCP/IP) to link devices worldwide”. We have been enjoying the benefits and convenience of the internet in today’s modern life. However most users are only aware what the surface internet/clear net has to offer.
There used to be explicit and unfriendly contents that used to exist in the surface web, now they are all gone, but not totally gone. Where did they all go?
The Dark web is a place on the internet that is not accessible using the regular browsers or your regular connections. This is where all or most of the explicit and unfriendly contents can be found.
Dark net websites are accessible only through networks such as Tor aka “The Onion Router” and I2P (“Invisible Internet Project”). Tor browser and Tor-accessible sites are widely used among the dark net users and can be identified by the domain “.onion”. While Tor focuses on providing anonymous access to the Internet, I2P specializes in allowing anonymous hosting of websites.
The dark web is also used for illegal activity such as illegal trade of stolen assets such as bank information, personal information, as well as drugs and a media exchange for nefarious activities like terrorism.
There is also what we call a Deep web; this is often confused with Dark web. Both of them uses TOR and the onion.
What’s the difference?
Deep web sites can be searched through search engines. While dark web sites usually cannot be searched by search engines. Dark net is evolving with efforts to make these dark net sites more known through repositories and lists.
Business Email Compromise (BEC), formerly known as Man-in-the-Email scams are a blended Spear-phishing attack. BEC attacks follow similar traits to phishing, technical subterfuge with social engineering.
BEC threats actually compromise legitimate business email accounts in order to conduct unauthorised transfer of funds to criminal controlled bank accounts. Essentially the employee of the business is tricked into making a bank transfer, such as paying an attached fake invoice.
BEC scams usually start by compromising an executive’s email account. The attackers compromise the legitimate email account by using malware such as a key logger or via phishing based methods. Alternatively, the attackers create a domain that’s similar to the company they’re targeting, or use a spoofed email that tricks the target into providing account details. The perpetrators often perform a fair amount of research in order to determine an exploit, such as who initiates money transfers and who requests them, a traveling executive, change in leadership team or similar vulnerability that they can exploit.
The attacker will then submit a bogus invoice or request the victim to make a time critical transfer to a fraudster controlled bank account. Messages can be sent to multiple vendors identified from the employee’s contact list. The business may not become aware of the scheme until their vendors follow up to check for the status of the invoice payment.
The scam relies on social engineering, and typically doesn’t need a sophisticated system penetration. Unlike phishing scams, the emails used in BEC scams are not mass-emailed to avoid being flagged as spam – hence can be problematic to detect and monitor.
The victims are tricked into doing the transfers, via classic social engineering, often stating that the victim should act quickly or in confidence when transferring funds.
In terms of protection, the business must verify any changes in vendor payment locations by using a secondary sign-off by company personnel, educate and train employees and carefully scrutinize all emails.
What’s the difference?
To start with the business is best placed to protect themselves from malware and spear phishing based attacks
Real Time Phishing is a Man-in-the-Middle (MitM) attack that allows the criminal to commit real time fraud. Stolen credentials from the phishing site are used to access the internet bank session in real time. Real time phishing allows the criminal to readily bypass banking authentication protocols.
Traditional or classic phishing steal internet bank credentials that are used for account take over – post attack. Such credentials were traded on the black market and used to defraud the victim and bank well after the attacks – hours or days later. Real time phishing sites dupe the user with a seamless flow of changing screens and messages controlled by the attacker from a remote server.
Banks have protected themselves against phishing with Out-of-Band Authentication. Out-of-band authentication happens away from the user’s browser, via a smartphone, card reader or numeric code chart. These One Time Passwords (OTP) are easily harvested by the criminal. Real time phishing can simply bypass this kind of authentication by grabbing these credentials and completing the transaction requirements.
This phishing technique easily compromises the account from the bank’s website to make a transaction in real time, all the while milking more authentication details from the unsuspecting victim.
Cyber criminals are integrating multiple attack methods to defeat the latest security measures such as One Time Password (OTP) Tokens implemented by banks.
MitM – real time phishing may also use other attack components and methods, such as malware, to compromised local DNS and registry files. Real time phishing demonstrates increased sophistication making attacks more believable through real-time data theft.