In this scheme, crooks are creating virtual machines that are clones of customers’ real computers or mobile devices, including their IP addresses. Then many of the methods banks use to authenticate a customer can be compromised without the bank or consumer being aware. “This is an ‘in browser’ attack that uses an existing device …The device is identified as legitimate. So if that bank is relying on [device identification], the attack will work,” says Avivah Litan, a vice president and security specialist from Gartner.
RSA (EMC) reported it found a malware variant called Prinimalka-Gozi that reportedly will soon be used in a massive attack on banks. RSA, which has not identified targeted banks publicly and did not return requests for comment by Thursday, said that criminals will use the attack method to bypass device fingerprinting, or information such as web browser configuration, that’s used to identify a user’s computing device.
According to a white paper from device identification firm ThreatMetrix, there are several ways to “fingerprint” a computing device. Fingerprinting most commonly refers to the measurement of a browser, operating system and connection attributes to generate a risk profile of a device. There are a couple of ways to do this, including installing software on the device or using a remote profiling server.
These programs can identify a device by tagging browsers; using HTML, JavaScript or other methods to profile based on screen resolution, browser type, time zone, language and media supported; deploying HTTP fingerprinting that extracts the types of compression and languages supported; profiling connection information to determine the operating system used to connect to the Internet; and accumulating information on the type of connection services.
In an attempt to get around device fingerprinting, crooks will install malware on a device to steal online banking credentials and clone the user’s computer using a virtual machine synching module. That allows cybercriminals to target accounts based on information such as balances, and a faux web banking session started via the cloned computer and proxied through the victim’s machine will be able to use the victim’s real IP address when authenticating to online banking.
Security firm Trusteer contends the new attack is a relative of a Gozi attack, a Russian-built Trojan attack that steals Secure Sockets Layer (SSL) data that’s used to encrypt information on the Internet. What’s new in Prinimalka-Gozi is that the format of the HTML injection, the configuration elements and the machine code injected into the browser differ from the older Gozi attack. Trusteer says the clone created by the new attack has settings that are identical to the original device, so the fraudsters can route all web communications through the victim’s device. “Once they get into the device, it looks a lot like the original device. There are similar attributes, and transactions seem to be generated from the original device,” says Oren Kedem, a director at Trusteer.
Among the firms active in device identification malware detection and navigation detection are Silver Tail Systems, Digital Resolve, Trusteer, SAS and NICE Actimize.
Litan suggests deploying software that searches for malware while the user is in session, and using navigation and fraud detection software to determine if a session is moving or behaving abnormally based on that user’s profile. “You want to look for linkages between certain transactions and other transactions to identify possible fraud. You can never rely on one measure like device identification. It’s a good measure to start with, but it can be beaten by good crooks, so you need a layered approach,” Litan says. “Use a layered approach because each layer can be broken.”
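To make the layered approach concrete, the following added example (not code from the article or from any vendor named in it) hashes the fingerprint attributes the article lists into a device identifier, then scores a session with navigation and transaction layers on top of the device check. The customer profile, the device attributes and the two sessions are constructed sample data; the field names, thresholds and weights are assumptions chosen for illustration.

```python
import hashlib
# Attributes the article lists as fingerprint inputs: browser type, screen, time zone,
# language, HTTP compression/language, and the connection IP. Sample values are constructed.
FINGERPRINT_FIELDS = ("user_agent", "screen", "timezone", "language", "accept_encoding", "ip")

def device_fingerprint(attrs):
    """Reduce the observed attributes to a stable device identifier (simplified)."""
    canon = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def session_risk(profile, session):
    """Layered score: a device match alone never clears a session."""
    score, reasons = 0, []
    # Layer 1: device identification. A cloned VM proxied through the victim reproduces
    # every attribute including the IP, so a match only lowers the score slightly.
    if device_fingerprint(session["attrs"]) == profile["fingerprint"]:
        score -= 10
    else:
        score += 40
        reasons.append("unrecognised device")
    # Layer 2: navigation behaviour compared with this user's own history.
    pages = session["pages"]
    if "transfer" in pages and pages.index("transfer") < profile["typical_pages_before_transfer"] / 2:
        score += 30
        reasons.append("transfer reached unusually fast")
    # Layer 3: transaction linkage: an unknown payee and an amount far above history.
    txn = session.get("transfer")
    if txn and txn["payee"] not in profile["known_payees"]:
        score += 25
        reasons.append("new payee")
    if txn and txn["amount"] > 2 * profile["max_amount"]:
        score += 25
        reasons.append("amount above twice historical maximum")
    verdict = "block" if score >= 60 else "step-up" if score >= 30 else "allow"
    return verdict, score, reasons

# Constructed enrolment data for one customer and two sessions (assumed field names).
REAL_DEVICE = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0", "screen": "1366x768",
               "timezone": "-300", "language": "en-US", "accept_encoding": "gzip, deflate",
               "ip": "203.0.113.7"}
PROFILE = {"fingerprint": device_fingerprint(REAL_DEVICE), "typical_pages_before_transfer": 8,
           "known_payees": {"electric-co", "landlord"}, "max_amount": 1200.0}
NORMAL_SESSION = {"attrs": REAL_DEVICE, "pages": ["login", "summary", "statements", "bills", "transfer"],
                  "transfer": {"payee": "landlord", "amount": 950.0}}
# The cloned VM presents identical attributes but goes straight to a large transfer to a new payee.
CLONED_SESSION = {"attrs": dict(REAL_DEVICE), "pages": ["login", "summary", "transfer"],
                  "transfer": {"payee": "new-payee-1", "amount": 5000.0}}

if __name__ == "__main__":
    for name, s in (("normal", NORMAL_SESSION), ("cloned", CLONED_SESSION)):
        print(name, session_risk(PROFILE, s))
```

Both sessions produce the same device identifier; only the behavioural layers separate the cloned session from the normal one.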
OCT 2012