Browser-Focused Banking Attacks Evolve
Banking Trojans Combine Sophistication With Localization
Security firm RSA recently issued a warning over a fraud ring that targets the Boleto, which is one of Brazil's most popular payment methods.
According to RSA, the gang's "Bolware" malware compromised about 496,000 Boleto transactions over a two-year period, which were worth as much as $3.75 billion. When users logged into a site to send Boletos to a designated Boleto ID number - often to pay their mortgage, utility bills, taxes or doctor - the malware would instead route their payments to an attacker-controlled Boleto ID.
The attacks are notable not just for the amount of money fraudsters may have stolen - which many information security experts don't believe was anything close to $4 billion - but also because they used a man-in-the-browser attack technique that has continued to dog banks, payment systems and their users for years, despite concerted efforts to combat such fraud.
Fraudsters Play Victims
Of course, in the old days of online crime, says Dan Kaminsky, the chief scientist at anti-malware firm White Ops, attackers simply used malware to harvest banking credentials from infected PCs, then employed those credentials to drain accounts at their leisure. But banks became wise to those types of attacks, and started using security tools such as device and IP fingerprinting, to tell, for example, if a Boston-based customer was logging into their account using a computer in Latvia that had never been seen before.
As a result, attackers began not just stealing credentials, but also using the victim's computer to commit related fraud. "The attackers basically said, 'we were in there once when we stole the password; we could just stay in there and access the bank account from the user's own computer,'" Kaminsky says. "Thus was formed the man-in-the-browser attacks that everyone has been dealing with for almost a decade now. And it's extremely difficult to manage, because it's the user's computer, and the user was literally sometimes just there."
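The shift Kaminsky describes can be seen in a small defender-side model. The following is an added example, not code from the article, RSA or any bank: a simplified device and IP fingerprint check of the kind the text says banks adopted, run over constructed login events. It flags a stolen-password login from an unknown device in an unfamiliar country, and shows why a man-in-the-browser session, which comes from the customer's own PC and IP address, passes the same check unnoticed. The customer profile, device IDs, weights and threshold are all assumptions.

```python
"""Added example (not from the article): a simplified device/IP fingerprint
login check of the kind the article says banks adopted, evaluated on
constructed login events. It catches a credential-theft login from an
unfamiliar device and country, and illustrates why a man-in-the-browser
session on the customer's own PC scores as a normal login."""

from dataclasses import dataclass


@dataclass
class CustomerProfile:
    customer_id: str
    known_devices: set   # device fingerprints seen on previous good logins
    known_countries: set  # countries the customer normally logs in from


@dataclass
class LoginEvent:
    customer_id: str
    device_fingerprint: str
    ip_country: str


def score_login(profile, event):
    """Return (risk_score, reasons). An unknown device and an unfamiliar
    country each add risk; the weights are constructed for the example."""
    score = 0
    reasons = []
    if event.device_fingerprint not in profile.known_devices:
        score += 50
        reasons.append("unknown device fingerprint")
    if event.ip_country not in profile.known_countries:
        score += 40
        reasons.append(f"login from unfamiliar country {event.ip_country}")
    return score, reasons


STEP_UP_THRESHOLD = 60  # constructed policy: both signals together force step-up auth


def decide(profile, event):
    """Map a risk score to an action: allow, monitor, or require step-up auth."""
    score, reasons = score_login(profile, event)
    if score >= STEP_UP_THRESHOLD:
        return "step-up", reasons
    if score > 0:
        return "monitor", reasons
    return "allow", reasons


# Constructed profile: a Boston-based customer with one known laptop.
PROFILES = {
    "cust-1001": CustomerProfile("cust-1001", {"dev-a1b2c3"}, {"US"}),
}

# Constructed events. The first is the old-style attack: a stolen password
# used from a never-seen computer in Latvia. The second is the MITB case:
# malware on the customer's own laptop drives the session from the US.
CREDENTIAL_THEFT_LOGIN = LoginEvent("cust-1001", "dev-ffffff", "LV")
MITB_SESSION = LoginEvent("cust-1001", "dev-a1b2c3", "US")


def demo():
    """Evaluate both constructed events against the customer's profile."""
    profile = PROFILES["cust-1001"]
    return {
        "credential_theft": decide(profile, CREDENTIAL_THEFT_LOGIN),
        "man_in_the_browser": decide(profile, MITB_SESSION),
    }


if __name__ == "__main__":
    for name, (action, reasons) in demo().items():
        print(f"{name}: {action} {reasons}")
```

The point of the second event is the one the article makes: because the fraudulent transfer originates from the genuine device and network, fingerprinting alone returns "allow", so detection has to move to the transaction itself (payee, amount, timing) rather than the login.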
Web Injection Disguises
Man-in-the-browser attacks rely on Web injections, which is a fancy way of saying that attackers can be actively transferring a victim's money out of an account while "injecting" an interface that makes everything appear normal to the customer using the site. Indeed, criminals will sometimes even leave these Web injections in place after they're done attacking, so that "as you review your statement, it omits these fraudulent transactions from your view," says TK Keanini, CTO at Lancope. The more time that passes, the harder it becomes to freeze and recover stolen funds, identify the attackers or shut down their operations.
In the case of the Bolware gang, to maximize the potential number of victims, the group created Web injections for 34 different banking or payment sites. Ultimately, the malware infected an estimated 192,000 PCs, which phoned home to an attacker-controlled command-and-control server and allowed the gang to trick each compromised PC into routing legitimate Boleto payments to attacker-controlled Boleto ID numbers.
The attacks appear to have been quite effective. "The total value of all Boletos that were modified by this malware and stored inside the Bolware C&C server is estimated to be up to U.S. $3.75 billion," RSA's Eli Marcus says in a blog post. "It is important to note that this is an estimated number based on the discovery of 8,095 fraudulent Boleto ID numbers tied to 495,753 compromised transactions."
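Because the injection happens on the victim's PC, the checks that can still see the substitution are the server-side ones. The following is an added example, not code from RSA's report or the article, of two such checks run over constructed Boleto payment log lines: a submitted beneficiary ID that differs from the one recorded when the Boleto was issued (the substitution the text describes), and a beneficiary ID outside the known-biller list that suddenly collects payments from many distinct payers, the fan-in pattern behind a few thousand fraudulent IDs tied to hundreds of thousands of transactions. The log format, the assumption that the issued beneficiary is available to the bank, the beneficiary IDs and the threshold are all constructed.

```python
"""Added example (not from RSA's report or the article): server-side
detection of Boleto payment redirection over constructed payment log lines.
Check 1 compares the beneficiary submitted by the customer's browser with
the beneficiary recorded at issuance (assumed to be available to the bank).
Check 2 flags beneficiary IDs not on the known-biller list that receive
payments from an unusual number of distinct payers."""

import re
from collections import defaultdict

# Constructed log format: one payment submission per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) payer=(?P<payer>\S+) invoice=(?P<invoice>\S+) "
    r"issued=(?P<issued>\S+) submitted=(?P<submitted>\S+) amount=(?P<amount>[\d.]+)$"
)

# Constructed sample log: six submissions, three of which were redirected
# in the browser to the same unknown beneficiary (99887766).
SAMPLE_LOG = [
    "2014-07-02T10:15:03Z payer=cust-1001 invoice=inv-0001 issued=112.233.44 submitted=11223344 amount=120.00",
    "2014-07-02T10:17:41Z payer=cust-1002 invoice=inv-0002 issued=11223344 submitted=99887766 amount=350.00",
    "2014-07-02T10:20:09Z payer=cust-1003 invoice=inv-0003 issued=55667788 submitted=99887766 amount=89.90",
    "2014-07-02T10:22:57Z payer=cust-1004 invoice=inv-0004 issued=55667788 submitted=99887766 amount=1200.00",
    "2014-07-02T10:25:30Z payer=cust-1005 invoice=inv-0005 issued=55667788 submitted=55667788 amount=64.50",
    "2014-07-02T10:28:12Z payer=cust-1006 invoice=inv-0006 issued=11223344 submitted=11223344 amount=410.00",
]

# Constructed allowlist of billers that legitimately collect from many payers.
KNOWN_BILLERS = {"11223344", "55667788"}


def normalize_id(raw):
    """Keep digits only, so formatting differences (dots, spaces) never mask
    or fake a change in the beneficiary."""
    return re.sub(r"\D", "", raw)


def parse_line(line):
    """Parse one log line into a dict; raise on anything unparseable rather
    than silently skipping it."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["issued"] = normalize_id(rec["issued"])
    rec["submitted"] = normalize_id(rec["submitted"])
    rec["amount"] = float(rec["amount"])
    return rec


def find_substitutions(records):
    """Check 1: submissions whose beneficiary differs from the issued one."""
    return [r for r in records if r["issued"] != r["submitted"]]


def find_suspicious_fan_in(records, known_billers, min_distinct_payers=3):
    """Check 2: unknown beneficiaries collecting from many distinct payers.
    Returns {beneficiary: sorted list of payers}. The threshold is constructed;
    in production it would be tuned against the normal fan-in of new billers."""
    payers_by_beneficiary = defaultdict(set)
    for r in records:
        payers_by_beneficiary[r["submitted"]].add(r["payer"])
    return {
        beneficiary: sorted(payers)
        for beneficiary, payers in payers_by_beneficiary.items()
        if beneficiary not in known_billers and len(payers) >= min_distinct_payers
    }


def analyze(lines=SAMPLE_LOG, known_billers=KNOWN_BILLERS):
    """Run both checks and return their findings together."""
    records = [parse_line(line) for line in lines]
    return {
        "substitutions": find_substitutions(records),
        "fan_in": find_suspicious_fan_in(records, known_billers),
    }


if __name__ == "__main__":
    findings = analyze()
    for r in findings["substitutions"]:
        print(f"substitution: {r['payer']} {r['invoice']} {r['issued']} -> {r['submitted']}")
    for beneficiary, payers in findings["fan_in"].items():
        print(f"fan-in: {beneficiary} received from {len(payers)} payers {payers}")
```

Check 1 is the decisive one when the issued beneficiary is known; check 2 is a fallback for Boletos the bank did not issue, and it is noisy on its own because utilities and tax authorities legitimately collect from enormous numbers of payers, which is why the example pairs it with an allowlist rather than using fan-in alone.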
Despite the potential haul, "it remains unclear how the fraudsters were actually monetizing this network," says Tim Erlin, director of security and risk at security software vendor Tripwire. That refers to the difficulty of not just moving stolen funds, but also converting those funds to cash. "It does seem clear that they have not redirected a full $4 billion U.S. in Boletos payments, but it will take detailed analysis to determine exactly what funds they have actually stolen."
Fraud Attacks Are Easy
One lesson from the Bolware attacks is that any payment system - based on payment cards or otherwise - is at risk of being subverted by online attackers. "Actually, it is happening all over the world, and this attack is very similar to what online banking Trojans typically do," says Engin Kirda, chief architect at security vendor Lastline.
Some crimeware toolkits also allow users to easily add their own Web injections. The peer-to-peer Gameover Zeus "crimeware as a service" banking Trojan, for example, includes a basic Web injection template, but "each customer ... can modify and add new advanced webinjects and increase the number of targets," says Peter Kruse, a security specialist at CSIS Security Group. In fact, Kruse found that while Zeus Gameover attackers were collectively targeting 1,097 financial services "brands" at the beginning of January 2014, by the end of March, that number had risen to 1,515. The increase was largely driven by attackers customizing the malware to target banks in previously less-attacked countries, including Australia, Croatia, India, Nigeria, South Africa and the United Arab Emirates.
Even if attackers aren't using an off-the-shelf crimeware toolkit like Gameover Zeus, writing the injection code required to launch a man-in-the-middle attack isn't very difficult. "In fact, I've even seen students program such an attack in a controlled environment in my computer security courses in the past, so that they could see how easy such an attack is to implement," says Lastline's Kirda, who's also an associate professor of information assurance at Boston's Northeastern University.
But the Bolware attacks demonstrate how attackers with the right tools - though not necessarily the most advanced - might collectively steal millions or billions of dollars from their victims. "The technique that the attackers have used is not novel, but the magnitude of the damage is quite astounding," Kirda says.