Trends in Malware Enabled Identity Theft - Matthew McGlashan - PowerPoint PPT Presentation


  1. Trends in Malware Enabled Identity Theft
  Matthew McGlashan - matthew@auscert.org.au
  Computer Security Analyst, AusCERT

  2. Outline
  • About AusCERT
  • What AusCERT is doing to combat ID theft
  • The Threat: Trojan Horse software
  • Timelines: 2004 and 2005
  • Hooks and Lures
  • Installation
  • Exploit timeline
  • Logging: methods, trends, data, examples
  • Recent developments
  • Future directions
  • Internal operational processes
  • Operational response results
  • Questions

  3. About AusCERT
  • Australia’s national CERT
    – Collect, monitor, advise on threats and vulnerabilities
    – Incident response coordination and assistance
  • Independent, university-based, non-government
  • Not-for-profit – revenue from service contracts and member subscriptions
  • Chair of APCERT
  • Close collaboration with the AHTCC
  • Close collaboration with APACS
  • “Other” collaborations (e.g. other CERTs)

  4. AusCERT v ID Theft
  • Monitor threats, vulnerabilities, detect incidents
  • Coordinate IR with UK and Germany
  • Procedures to prioritise actions per AHTCC/AusCERT strategy
  • Incident response:
    – closed hundreds of sites
    – submitted over 40 virus samples to AV vendors in 2004
  • Request artefacts and logs to investigate impact
  • Provided technical and threat analysis
  • Encouraging analysis, information sharing between Australia, UK and Germany

  5. AusCERT v ID Theft
  By arrangement with AHTCC, AusCERT is the central reporting point of contact in Australia for reporting incidents of on-line identity theft in the banking and finance sector (BFS)
  • Provide first-line response to incidents of on-line identity theft:
    – Through the CERT network, seek closure of sites overseas and retrieval of artefacts, logs
  • Provide technical analysis of artefacts, techniques, trends to AHTCC and banks
  • Issue alerts about new threats/vulnerabilities regarding on-line identity theft

  6. Trojan Horses
  • Attackers’ motivation: financial gain
  • Method:
    – Compromise online banking credentials
      • “Phishing” (fraudulent web sites) since 2003
      • DNS corruption (“Pharming”)
      • Trojan horse software - early 2004
    – Move money from compromised accounts to “mules”
    – Mules take a cut and transfer the rest overseas via Western Union
  • Why are Trojans effective? ….

  7. Timeline 2004
  • 16 February 2004: Police investigation – AL-2004.03
  • 18 April 2004: NIRS incident report
  • 4 May 2004: Tofger eBay Trojan – http://proxy4u.com
  • 24 May 2004: Korgo/Padobot – AL-2004.17
  • 15 June 2004: Download.Ject – AL-2004.20
  • 4 November 2004: Session piggyback – E-gold, Win32.Grams
  • 22 November 2004: Compromised banners (e.g. The Register)
  • 2 December 2004: Tsunami trojan – http://ussrforeva.com – AL-2004.40

  8. Timeline 2005
  • 10 March 2005: Berbew log encryption
  • 04 April 2005: Botnet used for DNS and hosting
  • 22 April 2005: BankAsh GOST log encryption
  • 16 May 2005: New domains point to past site, and malware changes over time
  • ?

  9. Hooks
  • Spam
    – Hard to detect and rarely reported
    – No malicious code, but URLs to malicious sites
    – Unrelated to the targeted institution
  • Variations on spamming
    – Posts to bulletin boards
    – Instant messaging
  • Other
    – Padobot (aka Korgo) – LSASS vulnerability
    – Download.Ject – vulnerable IIS serving Berbew
    – Compromised banner ads (e.g. The Register)
    – Cross site scripting

  10. Lures
  • Spam – social engineering:
    – June 04 and prior: “RE: Question for seller -- Item #845269116”
    – Aug 04: “Act of terrorism at The Opening Ceremony of the ATHENS 2004 Olympic Games”
    – Aug 04: “Customerhelpcentre, Your ID was stolen” (d-reports.org)
    – Sep 04: “Osama Found Hanged”
    – Sep 04: “George Bush sniper-rifle shot!”
    – Nov 04: “Huge ocean wave!” (http://www.tsunamidanger.com)
    – Feb 05: “I sent Sent You an E-Card From AOL E-Cards powered by BlueMountainCards.com.au”
    – Mar 05: “SENSATION! It's happened again! White house orgie!”
    – May 05: “You've been sent money”

  11. Installation
  • Browser exploits (particularly IE-based)
    – IFrame vulnerability
    – Drag and Drop vulnerabilities
    – ITS protocol handlers and CHM
    – Java classloader vulnerability
    – plus others…
  • Weak browser settings
  • Pure social engineering
    – “Update your windows machine” (AL-2005.07)
    – “Pick up sticks” game
    – “Paypal Safety Bar”

  12. Browser Exploit
  • Example: “Drag and Drop” Vulnerability (CAN-2004-0839)
    – 19 Aug 2004: Initial post to Full Disclosure by “http-equiv”
    – 24 Aug 2004: More effective POC released by “mikx”
    – 24 Aug 2004: AL-2004.024 released by AusCERT
    – 31 Aug 2004: Akak Trojan, analysis by LURHQ
    – 07 Sep 2004: AusCERT incident report, active exploitation for financial fraud
    – 12 Oct 2004: Patch released by Microsoft
    – 19 Oct 2004: A variation of this vulnerability not fixed by the patch posted to Full Disclosure by “http-equiv”

  13. Logging Methods
  • Three main methods:
    – HTTP: posting via PHP forms
    – FTP: username/password encoded into the trojan
    – Email: sending email to a hard-coded email address
  • In the majority of networks, this traffic would be considered OK unless there was content inspection.
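An added detection example for the three drop channels on this slide; it is not from the presentation or AusCERT. It scans constructed proxy and firewall log lines for HTTP POSTs to PHP scripts on non-internal hosts, FTP to servers that are not known ones, and direct SMTP from workstations that bypasses the mail relay. The log layout, host names, addresses and allowlists are all assumptions.

```python
import re
# Constructed sample logs (not from the presentation). Proxy line:
# "<time> <client> <method> <url> <status>"; firewall line:
# "<time> <proto> <src> -> <dst>:<dport> <action>".
PROXY_LOG = """\
2005-05-16T09:01:02 10.0.0.12 POST http://update.example-drop.test/cgi/post.php 200
2005-05-16T09:01:10 10.0.0.12 GET http://www.example-bank.test/logon.ibc 200
2005-05-16T09:02:31 10.0.0.40 POST http://intranet.corp.test/forms/leave.php 200
"""
FW_LOG = """\
2005-05-16T09:03:00 TCP 10.0.0.12 -> 203.0.113.7:21 ALLOW
2005-05-16T09:03:05 TCP 10.0.0.12 -> 203.0.113.9:25 ALLOW
2005-05-16T09:03:09 TCP 10.0.0.40 -> 10.0.0.5:25 ALLOW
"""
# Assumed (hypothetical) site knowledge: hosts allowed to receive form POSTs,
# the known FTP servers, and the only mail relay workstations may talk to.
INTERNAL_HOSTS = {"intranet.corp.test"}
FTP_SERVERS = {"10.0.0.6"}
MAIL_RELAYS = {"10.0.0.5"}
PROXY_RE = re.compile(r"^(\S+) (\S+) (\w+) (\S+) (\d+)$")
FW_RE = re.compile(r"^(\S+) (\w+) (\S+) -> (\S+):(\d+) (\w+)$")

def hostname(url):
    return url.split("//", 1)[-1].split("/", 1)[0].lower()

def find_exfil(proxy_log, fw_log):
    """(client, channel, destination) for each of the three drop channels:
    POST to a PHP script outside the intranet, FTP to an unknown server,
    and SMTP from a workstation to anything other than the mail relay."""
    hits = []
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m: continue
        _, client, method, url, _ = m.groups()
        if method == "POST" and ".php" in url.lower() and hostname(url) not in INTERNAL_HOSTS:
            hits.append((client, "http-post-php", hostname(url)))
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m: continue
        _, _, src, dst, dport, _ = m.groups()
        if dport == "21" and dst not in FTP_SERVERS:
            hits.append((src, "ftp", dst))
        elif dport == "25" and dst not in MAIL_RELAYS:
            hits.append((src, "smtp-direct", dst))
    return hits

def suspect_clients(hits, min_channels=2):
    """Clients seen on two or more distinct drop channels go to the top of triage."""
    seen = {}
    for client, channel, _ in hits:
        seen.setdefault(client, set()).add(channel)
    return sorted(c for c, chans in seen.items() if len(chans) >= min_channels)
```

The intranet POST and the relay-bound SMTP are deliberately left out of the hits, which is the point of the slide: without an allowlist or content inspection none of this traffic looks abnormal.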

  14. Logging Trends
  [Chart: “Tsunami Trojan: infections and logging” – y-axis “Logging site hits” (0 to 12000), x-axis “Date / time” from 19/11/2004 to 19/12/2004 in 5-day steps; two series: “Data logged” and “Trojan infections”]

  15. Logged Data
  • centrelink.gov.au
  • ebay.com.au
  • etradeaustralia.com.au
  • gu.edu.au
  • iinet.net.au
  • melbourneit.com.au
  • myob.com.au
  • optusnet.com.au
  • qantas.com.au
  • sa.gov.au
  • thrifty.com.au
  • .gov.au, .gov.uk, .gov, .mil
  • “Question for seller”
  • 8.7 Gb of text
  • Bitmap screenshots
  • 1652 unique IPs
  • 1130 domains
  • Not just the banks…

  16. Logging Example
  • The following slides show data from a recent incident:

  TrojanSpy.Win32.Banker.jj …
  UID: {3C24AAB7-F462-4472-BD0B-AAAAAAAAAAAA}
  IP: x.x.220.245
  Country: United Kingdom
  Language: English
  OS: Windows 2000 Service Pack 3 (Build 2195)
  IE: Internet Explorer 5.01 SP3 (Windows 2000 SP3 only)
  Created on Monday 14th of February 2005 07:58:42 AM

  Active processes:
  \SystemRoot\System32\smss.exe
  C:\WINNT\system32\services.exe
  C:\WINNT\system32\spoolsv.exe
  C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
  C:\Program Files\Norton Internet Security\NISUM.EXE
  C:\Program Files\Norton Internet Security\ccPxySvc.exe
  C:\WINNT\Explorer.EXE
  C:\WINNT\process.exe
  …

  Installed apps:
  …
  Windows 2000 Hotfix - KB823980, version: 20030705.101654
  LiveReg (Symantec Corporation), version: 2.2.5.1678
  LiveUpdate 2.6 (Symantec Corporation), version: 2.6.14.0
  Spybot - Search & Destroy 1.3, version: 1.3
  Norton Internet Security, version: 6.0.2.0
  …

  17. Logging Example
  -- Saved Forms --
  URL (Form): http://lc1.law13.hotmail.passport.com/cgi-bin/login
  User/Pass: <username>:
  URL (Form): http://signin.ebay.co.uk/aw-cgi/eBayISAPI.dll
  User/Pass: <username>:<password> (Modified: 09/07/2004 14:00)
  URL (Form): http://webmail.businessserve.co.uk/index.php
  User/Pass: <username>:<password> (Modified: 16/06/2004 16:42)
  URL (Form): http://www.viewdata.net/login.asp
  User/Pass: <username>:<password> (Modified: 19/01/2004 12:07)
  User/Pass: <username>:<password> (Modified: 19/01/2004 12:07)
  -- Outlook Passwords --
  SMTP Email Address: sales@<domain>.co.uk
  POP3 User Name: <username>
  POP3 Password2: <password>
  POP3 Server: pop.businessserve.co.uk
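An added triage helper for the drop-file layout on this slide, written for the artefact analysis that slide 5 describes (notifying which institutions had customers affected); it is not AusCERT's code or part of the presentation. It reports, per host, how many saved-form entries were captured, how many carried a password and the latest modification stamp, plus the mail servers named, without ever emitting a credential. The sample input reuses the slide's already-redacted lines; the section and field names are taken from the slide.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of slide 17; credential fields are the
# placeholders the slide itself uses, so nothing sensitive is embedded.
SAMPLE_LOG = """\
-- Saved Forms --
URL (Form): http://lc1.law13.hotmail.passport.com/cgi-bin/login
User/Pass: <username>:
URL (Form): http://signin.ebay.co.uk/aw-cgi/eBayISAPI.dll
User/Pass: <username>:<password> (Modified: 09/07/2004 14:00)
URL (Form): http://www.viewdata.net/login.asp
User/Pass: <username>:<password> (Modified: 19/01/2004 12:07)
User/Pass: <username>:<password> (Modified: 19/01/2004 12:07)
-- Outlook Passwords --
SMTP Email Address: sales@<domain>.co.uk
POP3 User Name: <username>
POP3 Password2: <password>
POP3 Server: pop.businessserve.co.uk
"""
# user, password (may be empty, as in the first hotmail entry), optional stamp
USERPASS_RE = re.compile(r"^User/Pass: ([^:]*):(.*?)(?: \(Modified: ([^)]+)\))?$")

def triage(log_text):
    """Summarise a drop file without reproducing any secret: per-host entry
    counts and last-modified stamps, plus the mail servers named."""
    forms, mail = {}, []
    section, host = None, None
    for line in log_text.splitlines():
        if line.startswith("-- ") and line.endswith(" --"):
            section = line.strip("- ")   # "-- Saved Forms --" -> "Saved Forms"
            host = None
            continue
        if section == "Saved Forms":
            if line.startswith("URL (Form): "):
                host = urlsplit(line.split(": ", 1)[1]).hostname
                forms.setdefault(host, {"entries": 0, "with_password": 0, "last_modified": None})
                continue
            m = USERPASS_RE.match(line)
            if m and host:                # a URL may be followed by several entries
                _user, pw, modified = m.groups()
                rec = forms[host]
                rec["entries"] += 1
                if pw: rec["with_password"] += 1
                if modified: rec["last_modified"] = modified
        elif section == "Outlook Passwords" and line.startswith("POP3 Server: "):
            mail.append(line.split(": ", 1)[1])
    return {"forms": forms, "mail_servers": mail}
```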

  18. Logging Example (!)
  URL: https://online.lloydstsb.co.uk/logon.ibc
  ------------------------------------------------------------------------
  Form action: https://online.lloydstsb.co.uk/logon.ibc
  Form method: post
  Java (hidden): On
  Key (hidden): 01-0000011111111774711000000000000
  LOGONPAGE (hidden): LOGONPAGE
  UserId1 (text): <username>
  Password (password): <password>

  19. Recent Developments
  • Increase in the number of organisations targeted
  • Domain names and hosting:
    – Several domain names registered, multiple IP changes as ISPs respond
    – Botnets used to host phishing sites, so the host serving the site changes every 30 minutes
  • Captured account details
    – Encoding and private key encryption
    – More detailed, better organised and compressed
  • Malware:
    – Root-kit techniques for hiding presence
    – Session piggybacking (e-gold Win32.Grams / GETGOLD.A)
    – Downloadable (dynamic) configuration

  20. Future Directions
  • Domain names and hosting:
    – Botnets for hosting, as for phishing
    – Exploits of browsers other than Internet Explorer
  • Captured account details
    – Strong (public key) encryption
  • Malware:
    – More root-kit technology
    – Binary armouring, obfuscation and other anti-analysis techniques
    – Session piggybacking for other organisations; subverting 2-factor authentication
    – Improved and encrypted dynamic configuration and updates

  21. Future Directions
  Source: NBSO - NIC BR Security Office - Brazilian Computer Emergency Response Team

  22. Internal Operational Processes
  [Process diagram. Components: Evil Scammer; Trawlinator; Web Report; Scanner; Troj-O-Matic; AusCERT CC Team; Incident Created!; Scam Reporter (• Phishing Report Form • Trojan Report Form); Banking Reporter (• Aus Bank • UK Bank • All Bank)]
