Difference between revisions of "OWASP Anti-Malware Project - Awareness Program"

From OWASP
Jump to: navigation, search
(From user infection to cash out process:)
(From user infection to cash out)
 
(13 intermediate revisions by one user not shown)
Line 1: Line 1:
 +
== Introduction ==
 +
=== What is Banking Malware ===
 +
=== What is Banking Malware Awarness Program ===
 +
 +
=== How Banking malware deals with Web Application Security ===
 +
 
== Banking Malware Attack Process ==
 
== Banking Malware Attack Process ==
The process involving Malware attack require the subsequent verification of each of the following steps to be successful. We consider an attack to be successful if the attacker obtain a financial gain from the initial client attack. The first two steps do not involve the Banking infrastrucure, while some other are tightly connected since attackers need to use the functionalities offered by the hacked online bank accounts to do cash outs.
+
The process involving Malware attack require the subsequent verification of each of the following steps to be successful. We consider an attack to be successful if the attacker obtain a financial gain from the initial client attack. The very steps (e.g. Infection of clients) usually do not involve the Banking infrastrucure, while others are tightly connected to it. Attackers absolutely need the functionalities offered by the hacked online bank accounts to do cash outs.
  
 
=== From user infection to cash out ===
 
=== From user infection to cash out ===
Line 7: Line 13:
 
This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.
 
This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.
  
Infection of User clients and pcs
+
Interesting Resources for further reading:
Exploitation of client side vulnerabilities (during internet browsing)
+
* [http://www.youtube.com/watch?v=_2K8kRSlJXw '''MULTIDISCIPLINARY BANK ATTACKS, Gunter Ollman''']
Spam (Infection delivered via Email)
+
  
Hiding The Infection and creating the Permanent threat
 
Packers
 
Modded Builds
 
Rootkit (and Bootkit)
 
  
Stealing of Auth credentials
+
==== Infection of clients and pcs ====
KeyLogging and Form Grabbing
+
* Exploitation of client side vulnerabilities (during internet browsing)
Video Grabbing
+
* Spam (Infection delivered via Email)
WebInjects
+
  
Storing of Auth credentials
+
==== Hiding The Infection and creating the Permanent threat ====
Standard Dropzone
+
* Packers
Fast Flux Based Server
+
* Modded Builds
Instant Messaging and P2P network
+
* Rootkit (and Bootkit)
  
Hiding The Operations
+
==== Stealing of Auth credentials ====
Data Tunnelling
+
* KeyLogging and Form Grabbing
Modification of Contact Details
+
* Video Grabbing
User Interface Restoring
+
* WebInjects
  
Cashing Out
+
==== Storing of Auth credentials ====
Money Transfer
+
* Standard Dropzone
Mobile Phone Charge
+
* Fast Flux Based
Pump and Dump
+
* Instant Messaging and P2P network
 +
 
 +
==== Hiding The Operations ====
 +
* Data Tunnelling
 +
* Modification of Contact Details
 +
* User Interface Restoring
 +
 
 +
==== Cashing Out ====
 +
* Money Transfer
 +
* Mobile Phone Charge
 +
* Pump and Dump
  
 
== Countermeasures ==
 
== Countermeasures ==
  
 
=== General strategy ===
 
=== General strategy ===
Narrowing the attack surface
+
* Narrowing the attack surface
Identification
+
* Identification
Blocking  
+
* Blocking  
Recovering
+
* Recovering
  
 
=== Actions to take for mitigating the Malware Attack Process ===
 
=== Actions to take for mitigating the Malware Attack Process ===
Containing the number of infected customers  
+
==== Containing the number of infected customers ====
Awareness (e.g. Remember to the users about Antivirus programs)
+
* Awareness (e.g. Remember to the users about Antivirus programs)
Check for software updates and potentially exposed customers
+
* Check for software updates and potentially exposed customers (e.g. Plugin Update)
Monitoring for Anomalies
+
* Guerrilla Awarness
 +
Es. http://phishme.com/
 +
 
 +
==== Unhide the Infection ====
 +
* Tell to your customers about the infections
 +
* Use systems for detecting compromised customers
 +
* Have in place a Malware response process
 +
 
 +
==== Counterfeat the Stealing of Auth credentials ====
 +
* Resilient Authentication
 +
* Invest in user Informative (e.g. SMS with Token and Transaction details)
 +
* Multi factor and Multi channel authentication
  
Unhide the Infection
+
==== Against the Remote Storaging of Auth Credentials ====
Tell to your customers about the infections
+
* Identification and Alerting about Dropzones
Use systems for detecting compromised clients
+
* Browser Sand boxing
Have in place a security response process to assist customers
+
* Dropzone security response
  
Counterfeat the Stealing of Auth credentials
+
====  Reveal Malicious Operations ====
Resilient Authentication
+
* Track transaction anomalies (Protocols, Geo Location, Bot –Like Requests)
Inform the user about their own operations
+
* Establish a protected user informative (e.g. protecting phone numb. details update)
Multi factor and Multi channel
+
* Detect UI modification
  
Against the Remote Storaging of Auth Credentials
+
==== Against Cashing Out ====
Identification and Alerting about Dropzones
+
* Mule accounts monitoring
Dropzone security response
+
* Get money back from other banks
Browser Sand boxing
+
* Monitor and correlate sources for any disposal operation
  
Against Cashing Out
+
== Evaluate your organization ==
Mule accounts monitoring
+
Your organization can be evaluated along the adoption of the countereasures described above and on the effort to mitigate each malware attack step
Monitor money transfer sources
+
Monitor and correlate sources for any disposal operation
+

Latest revision as of 19:22, 1 February 2012

Contents

Introduction

What is Banking Malware

What is Banking Malware Awarness Program

How Banking malware deals with Web Application Security

Banking Malware Attack Process

The process involving Malware attack require the subsequent verification of each of the following steps to be successful. We consider an attack to be successful if the attacker obtain a financial gain from the initial client attack. The very steps (e.g. Infection of clients) usually do not involve the Banking infrastrucure, while others are tightly connected to it. Attackers absolutely need the functionalities offered by the hacked online bank accounts to do cash outs.

From user infection to cash out

(Image is missing)

This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.

Interesting Resources for further reading:


Infection of clients and pcs

  • Exploitation of client side vulnerabilities (during internet browsing)
  • Spam (Infection delivered via Email)

Hiding The Infection and creating the Permanent threat

  • Packers
  • Modded Builds
  • Rootkit (and Bootkit)

Stealing of Auth credentials

  • KeyLogging and Form Grabbing
  • Video Grabbing
  • WebInjects

Storing of Auth credentials

  • Standard Dropzone
  • Fast Flux Based
  • Instant Messaging and P2P network

Hiding The Operations

  • Data Tunnelling
  • Modification of Contact Details
  • User Interface Restoring

Cashing Out

  • Money Transfer
  • Mobile Phone Charge
  • Pump and Dump

Countermeasures

General strategy

  • Narrowing the attack surface
  • Identification
  • Blocking
  • Recovering

Actions to take for mitigating the Malware Attack Process

Containing the number of infected customers

  • Awareness (e.g. Remember to the users about Antivirus programs)
  • Check for software updates and potentially exposed customers (e.g. Plugin Update)
  • Guerrilla Awarness

Es. http://phishme.com/

Unhide the Infection

  • Tell to your customers about the infections
  • Use systems for detecting compromised customers
  • Have in place a Malware response process

Counterfeat the Stealing of Auth credentials

  • Resilient Authentication
  • Invest in user Informative (e.g. SMS with Token and Transaction details)
  • Multi factor and Multi channel authentication

Against the Remote Storaging of Auth Credentials

  • Identification and Alerting about Dropzones
  • Browser Sand boxing
  • Dropzone security response

Reveal Malicious Operations

  • Track transaction anomalies (Protocols, Geo Location, Bot –Like Requests)
  • Establish a protected user informative (e.g. protecting phone numb. details update)
  • Detect UI modification

Against Cashing Out

  • Mule accounts monitoring
  • Get money back from other banks
  • Monitor and correlate sources for any disposal operation

Evaluate your organization

Your organization can be evaluated along the adoption of the countereasures described above and on the effort to mitigate each malware attack step