Protecting Your Business from Online Banking Fraud

STI Joint Written Project
Authors: Rob Comella, Greg Farnham, John Jarocki
Advisor: Stephen Northcutt
Accepted: October 3, 2009

Abstract

Recently, small and medium businesses have lost millions of dollars to fraudulent electronic financial transactions. This paper reviews the threat and provides guidance for mitigating it. These crimes typically begin with a phishing email targeted at the comptroller or other staff in the finance department. After the comptroller's computer is compromised, sophisticated malware eavesdrops on the comptroller's activity and captures account credentials for financial systems. Once the attackers have the required information, they begin to steal money with fraudulent transactions in amounts below $10,000. These smaller amounts fly under the $10,000 currency transaction reporting threshold set by the US Bank Secrecy Act. In many cases, repeated transactions have added up to hundreds of thousands of dollars lost by individual organizations. The paper provides a number of possible ways to mitigate these attacks. A defense in depth approach is used to provide multiple mitigation recommendations. The number one recommended mitigation is to use read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions. The mitigation steps also include protecting the comptroller's email address, network protection, endpoint protection, virtual machines, awareness training, policy changes and monitoring of financial transactions.

1. Executive Summary

Recently, small and medium businesses have lost millions of dollars to fraudulent electronic financial transactions. These crimes typically begin with a phishing email targeted at the comptroller or other staff in the finance department. After the comptroller's computer is compromised, sophisticated malware eavesdrops on the comptroller's activity and captures account credentials for financial systems. Once the attackers have the required information, they begin to steal money with fraudulent transactions in amounts below $10,000, staying under the currency transaction reporting threshold of the US Bank Secrecy Act. In many cases, repeated transactions have added up to hundreds of thousands of dollars lost by individual organizations. This paper provides a number of possible ways to mitigate these attacks, using a defense in depth approach to arrive at multiple mitigation recommendations. The number one recommended mitigation is to use read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions. The mitigation steps also include protecting the comptroller's email address, network protection, endpoint protection, virtual machines, awareness training, policy changes and monitoring of financial transactions.

2. Problem Description

2.1. Typical Target

The typical company concerned with this threat is a small or medium sized business (SMB) that uses electronic banking such as web banking, ACH (Automated Clearing House), or EFT (Electronic Funds Transfer). The paper groups these businesses into three tiers by number of employees.

The smallest tier, known as very small or micro businesses, represents 75% of the businesses in the US (Shane, S. A. 2009, August 05). These are mom and pop stores and include sole proprietorships of all kinds: auto repair shops, jewelry stores, restaurants, inns, clubs, micro manufacturing, accountants, IT service shops, and churches. These businesses use one computer for everything. They rarely have any IT staff at all (except for the IT service shops). The users vary in expertise from competent to afraid of the computer. Solutions for this group need to be as plug and play as possible; the other option is to find and purchase a security service. They may have an old, spare computer around, so separate computers for certain tasks may be possible.

The second tier, which experts classify as small businesses, accounts for about 17% of the businesses in the US (Shane, S. A. 2009, August 05). They usually have several machines and maybe a small network, and usually one person who knows about computers. IT solutions here are often more complex. They may have several sites requiring Virtual Private Networks (VPNs) and other complexities that leave them more open to attack. Even though they may have a computer person who can help with fingers on the keyboard, that person may not know enough to analyze data from an Intrusion Detection System (IDS). These businesses are usually more open to spending money on security, but the small size of the business can still limit capital expenditure. Businesses in this group include small manufacturers, small hotel/conference centers, large restaurants, and radio producers.

The third tier, medium sized businesses, accounts for about 4% of the businesses in the US (Shane, S. A. 2009, August 05). Once a business reaches this size, it has all the needs of a large corporation but often does not have as much capital. Companies of this size have small IT staffs that grow as the business grows. The headcount range of this tier is large, so the group is very diverse. These businesses usually employ some sort of Enterprise Resource Planning (ERP) package and support a network with a Windows domain. They may have several sites that need to be connected via the Internet, and they may have enough staff to correctly administer an IDS and review logs.

Thieves seem to target businesses at a particular headcount: those on the border between the last two groups. These are the businesses transitioning between small and medium size. Their intake of capital is growing, so they have larger bank accounts to empty. Finally, the people in these growing businesses must wear so many hats that they may not be able to look at everything

closely all the time. In short, they have serious money to steal, but they have not gotten big enough yet to lock things down tightly.

2.2. Threat Description

In the past several months, the number of cyber attacks on small and medium sized businesses has increased (Krebs, 2009). According to Brian Krebs of The Washington Post, one example of these attacks is cyber-gangs from Eastern Europe who exploit the computer systems of comptrollers to obtain their online banking user names and passwords. Once they have the information, they empty as much money from the accounts as possible.

The attackers start by sending a targeted email to the comptroller (Krebs, 2009). It is not hard for the attackers to find out who the comptroller is. Many businesses post information about their accounting departments on their websites. If a quick Google search is not enough to turn up the information, some well-placed phone calls may work; companies do not consider this sort of information particularly sensitive and will give it to just about anyone who asks. In very small businesses, there may not be many people to choose from. The email contains a link to an apparently legitimate site or an attachment that the comptroller opens, such as an image of an invoice (Krebs, Brian 2009). When the comptroller opens the attachment or visits the site, the embedded malware executes and infects the computer. The malware can be any of several packages, but a common one is ZeuS. ZeuS is a "crimeware" suite available for purchase. For about $2,400, a group can purchase this package of tools and use it (Mather, L. 2009). The authors even provide a EULA in the package, though how they plan to enforce it is unclear (Doctorow, C. 2008, April 29). The authors of ZeuS did not build an exploitation method into the software; initial compromise is left to the purchaser.

Once installed on the victim's machine, ZeuS hides itself in the OS. It is very good at hiding because it creates new files for each infection. The altered files make detection by anti-virus software extremely difficult, and registry modifications ensure that it restarts at boot time

(Maimon, U. 2008, April 21). ZeuS also gives the attacker remote access to the following capabilities on the infected machine (Mieres, J. 2009, July 16):

Remotely controlled configuration
Interception of HTTP and HTTPS requests from all applications that use the library wininet.dll
Interception of FTP and POP3 connections on any port
Proxy service via SOCKS 4, 4a, and 5
Reverse connection for all infected computer services (RDP, SOCKS, FTP, etc.)
Screenshots in real time
Conducting further phishing attacks
Creating trojan files to infect other machines
Polymorphic encryption
KOS (kill operating system)
Network traffic sniffer

What makes this program so dangerous are the first two capabilities. The software usually sits dormant, waiting and watching. What does it watch for? Whatever the attacker puts into the configuration. This keeps the attacker from being overwhelmed with useless information: ZeuS waits until the victim visits a specific bank site and then springs to life. The second capability is more than it seems. Because the interception happens inside the browser process, through wininet.dll, the data is seen before it is encrypted for TLS, so HTTPS offers no protection. ZeuS not only intercepts HTTP(S) traffic, it can also modify it on the fly according to the configuration file. The result is the ability to add and remove content from the page the user is viewing. Attackers use this to add fields that request further information from the user. For example, the bank may only ask for a username and password, but the attacker can add a field requesting a strong authentication code. (Some banks let customers request a one-time code to strongly authenticate the user.) The trojan then sends the attacker an instant message saying that time-sensitive logon information is available; the IM contains all the credentials the victim has just entered. The attacker can use the information to log on directly or to send fraudulent information back to the victim.

In one documented case, the attacker changed the account balance field to show the amount of money that was in the account

before he transferred it to his own. When the user logged on, the website appeared to show the previous balance even though the account had been emptied. Since the configuration file is per computer rather than per user, the victim discovered the fraud when his daughter, who used the same bank, checked her account on the same computer and saw the same balance as the victim (Doctorow, C. 2008, April 29). It is very likely that the authors of ZeuS will correct this shortcoming in future versions of the software.

Once the attacker owns the box without the user's knowledge, he sits, waits, and watches. He may watch for a long time to learn the victim's habits and to see how much money can be stolen. Only when he believes he has enough information to mount a successful attack will he do so. The attacker will usually move the money between accounts in the same bank, because transfers within a bank avoid fund holds. This is as far as the attacker can go remotely. At this point he needs help getting the money out of the bank and sent to him, and for this step he enlists people local to the bank branches. Experts call these people money mules (Krebs, 2009, September 4).

Money mules are willing or unwilling accomplices, usually hired through online job listings. These work-at-home employees are the owners of the other accounts at the victim's bank. Some money mules know what they are doing is illegal; others just cannot believe they found such an easy job (Krebs, 2009, September 4). Brian Krebs contacted one of the money mules used to steal money from Sign Designs, Inc., of Modesto, California, and she described the experience from her perspective. A company calling itself Acquaintance Dating Services hired 37-year-old Merian Terry to edit text files. Eventually she was asked to be a local agent to help move money for the company. After she provided her bank account information, the company transferred close to $10,000 into her account and sent her very specific instructions. The amounts are kept under $10,000 so that the cash withdrawals stay below the currency transaction reporting threshold that would attract money laundering scrutiny. She was to go to the bank and withdraw all the deposited money in cash. The first 6% of the amount would be hers for her trouble. The remaining sum was to be split into three equal parts. Terry was then to travel to three separate Western Union locations. At each location, the instructions asked her to wire

one of the thirds to a different client in Eastern Europe. If Western Union staff asked whether she knew the recipient, she was to say yes, as it would speed up the transaction. She was to follow these instructions as soon as possible, with no more than two hours between the withdrawal at the bank and the last Western Union send receipt (Krebs, 2009, September 4). This money mule was alert enough to see that the instructions were suspicious and reported them. That was fortunate for her, since the bank reversed the transaction a few days after she received the money; had she followed the instructions, she would have been on the hook for almost $10,000.

Not all money mules are as innocent, but the story is very similar. The individual answers an online employment advertisement and follows the instructions given. Some know the activity is illegal and do their best to hide what they are doing, opening several accounts at the same bank and at other banks to make it easier for the attackers to get them the money. Cognizant or not, money mules are an integral part of the theft, because without them the attackers have no way to get the stolen money out (Naraine, R. 2006, October 16).

The thieves will target anyone they can, but they are smart to focus on small businesses, for a number of reasons:

1. A general lack of computer security exists at these locations. The proprietors of small businesses may be very good at their business, but often they are not cyber security experts, nor do they feel the need to spend money on security professionals or boxed solutions. Their computers are used for both personal and business purposes, remain unpatched, and have outdated or no security tools installed. The users are also not usually able to spot that an infection has occurred, if there are symptoms at all (Senior Vice President of Electronic Services for a bank in Western Pennsylvania, personal communication, September 13, 2009).

2. Consumed by their business, small business owners may not have time to review their financial data every day. This gives the criminals opportunity to get in, do

their dirty work, and get out before the business has a chance to react (Black, Cindy, personal communication, 2009, September 7).

3. While home users share the same lack of computer security, thieves cannot pilfer as much money from them.

4. Small business owners believe customers may lose confidence if it appears that the business does not have its own house in order. Therefore, many businesses hide the attack and robbery, since it reflects badly on them (Krebs, 2009).

These attackers are also smart about when they strike. If a business is closing for a few days, they attack while no one is around to notice. For example, fraudsters attacked a school in western Pennsylvania during Christmas break (Krebs, Brian 2009). In general, attacks are more frequent just before or after holidays, because the number of financial transactions on those days is higher and the attackers hope to be lost in the shuffle (Black, Cindy, personal communication, 2009, September 7).

The fraudsters are very intelligent. They prey on the easiest targets with very sophisticated tools. They know how our banking and criminal justice systems work and have engineered the attacks to avoid as many pitfalls as possible. With all the obfuscation it is very difficult to find and prosecute the orchestrators of an attack; only their minions are exposed, and there are enough of them that the attackers simply recruit new ones when the current ones are caught. While businesses are vulnerable to these attacks, there are things they can do to protect themselves. The rest of this paper looks at some options.

3. Mitigation Recommendations

Information security requires a defense in depth approach. The SANS What Works project (SANS, 2009) defines six defensive walls for information security:

Defensive Wall 1: Proactive Software Assurance
Defensive Wall 2: Blocking Attacks: Network Based
Defensive Wall 3: Blocking Attacks: Host Based
Defensive Wall 4: Eliminating Security Vulnerabilities

Defensive Wall 5: Safely Supporting Authorized Users
Defensive Wall 6: Tools to Manage Security and Maximize Effectiveness

Many of the mitigation recommendations covered below map to these walls. For comprehensive information security, an organization needs to address all six Defensive Walls. For the scope of this paper, selected mitigation recommendations relevant to the threat are provided.

4. Protect Comptroller Email

Small businesses may have a full or part time financial comptroller who receives email communication with financial transaction requests and information. He may also receive general business or even personal email in the same inbox. This mixing of email will eventually lead to confusion over whether email from an unfamiliar source should be opened. As far as the phishing attacker is concerned, this is the point at which the game is afoot.

To reduce this risk, finance staff can use two different email addresses: one for official business and one for personal or casual email. Official email should be read only on a separate system configured specifically for reading this mailbox. Reading this email inside an ephemeral virtual machine and/or sandboxed with software like Sandboxie (Sandboxie, 2009) can mitigate the risk of mail client or browser exploitation by preventing the sandboxed program from writing files or data outside its virtual sandbox. Using Sandboxie to virtualize the browser protects the underlying operating system (Misenar, 2009). Reading email in plain text format further reduces the risk. If HTML-formatted email must be read, it should be reviewed first in plain text format (Plain Text Emails, 2009). In particular, links of the following form are suspicious because they are intentionally misleading:

HTML source: <p>Please change your password at the bank web site: <a href=" site.com">

When rendered, this appears in the message as:

Please change your password at the bank web site:

The rendered version does not display any mention of the real destination web site. This simple technique can be surprisingly effective. Reading email in plain text format first makes this ruse (and others) obvious and prevents the user from being duped into visiting a malicious site. According to Provos et al. (2008), at the time of their research 1.3 percent of the Google search queries they observed returned at least one link to a known malicious site. Users can be cautious about sites they visit themselves, but when the link is delivered directly to their inboxes, additional prudence is recommended. In other words: turn off HTML rendering of email messages for at least the organization's accounting staff.

5. Network Detection and Protection

Being connected to the Internet has definite advantages. It allows small and medium businesses to take online orders, advertise on a web site, communicate with customers, and perform online financial transactions. Because of the current risk of financial fraud, these businesses must now consider the same network detection and protection measures that were once used only by much larger organizations. The good news is that, over the years, many of these tools have become both more sophisticated and easier to deploy and use.

5.1. Web Security Proxy

Since financial theft malware relies on Internet communications to exfiltrate credential information and notify the botnet owners, web proxy technology can create barriers between the malware and its control hosts. The proxy should NOT be implemented as a transparent proxy: when clients must be explicitly configured, malware has to discover the proxy host address and port before it can communicate with Internet hosts at all.

The most effective way to ensure that malware hosting sites are not contacted is to allow communication through the proxy only to white listed sites, that is, known good sites. If black lists are used instead, the proxy should be configured for semi-automated updates that are checked or authorized by human operators, so that a bad list does not create a denial of service condition. The ZeuS block list (abuse.ch ZeuS Tracker :: ZeuS blocklist, 2009) is an example of a well-maintained black list. Large organizations use proxy systems such as Blue Coat, Websense, and others to provide this protection. Smaller organizations that cannot afford expensive proxies can use the free Squid proxy (squid : Optimising Web Delivery, 2009) or others. DansGuardian, a Squid add-on (SmoothWall, 2007), can automate the update of black or white lists, and a script exists for updating DansGuardian black lists with the latest ones from urlblacklist.com. No matter which proxy solution is used, the threat is reduced only if the firewall denies outbound connections to the Internet by default unless they originate from the proxy server.

Figure 1: Malware C&C communications blocked at firewall
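
The caveat above, that a black list update must not turn the proxy into a denial of service against the business, can be enforced mechanically before an operator ever sees the list. The script below is an added example written for this page, not code from the paper, from abuse.ch or from the Squid project; the feed text, domain names and change threshold in it are constructed for illustration. It normalises a fetched domain feed, refuses any entry that would block a protected domain (the business, its bank, its mail provider) or a subdomain of one, refuses an update that changes more than a quarter of the current list at once (what a truncated download or a hijacked feed looks like), and renders the result in the one-domain-per-line form that Squid's dstdomain ACL reads from a file, with a leading dot so subdomains are covered too.

```python
"""Vet a domain black list update before the proxy loads it.

Added example for this page, not code from the paper or any vendor.
The feed text and domain names below are constructed for illustration;
the output format (one domain per line, leading dot to cover subdomains)
is what Squid's dstdomain ACL accepts from a file.
"""
import re

# Hostname shape: dot-separated labels and an alphabetic TLD of 2+ letters.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


class UpdateRejected(Exception):
    """Raised when an update needs an operator's decision instead of auto-apply."""


def normalise(feed_text):
    """Reduce a raw feed (comments, blank lines, mixed case, IP literals) to a set of domains."""
    domains = set()
    for line in feed_text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        # IPv4 literals and malformed lines are dropped: dstdomain wants names.
        if entry and DOMAIN_RE.match(entry):
            domains.add(entry)
    return domains


def vet(new_domains, current_domains, protected, max_change_ratio=0.25):
    """Return True if the update may be applied without a human.

    Rejects an update that would block a protected domain or one of its
    subdomains (the company itself, its bank, its mail provider), or that
    adds/removes more than max_change_ratio of the current list in one go.
    """
    for domain in sorted(new_domains):
        for safe in protected:
            if domain == safe or domain.endswith("." + safe):
                raise UpdateRejected(f"update would block protected domain {domain}")
    if current_domains:
        changed = len(new_domains ^ current_domains)
        if changed / len(current_domains) > max_change_ratio:
            raise UpdateRejected(
                f"{changed} of {len(current_domains)} entries changed; operator review needed"
            )
    return True


def squid_dstdomain_file(domains):
    """Render the list for: acl bad_sites dstdomain "/etc/squid/bad_sites.txt" """
    return "".join(f".{domain}\n" for domain in sorted(domains))


# Constructed sample feed, in the comment-and-domain style of public blocklists.
SAMPLE_FEED = """# constructed sample feed
malware-host.example
Another-Bad.example   # mixed case is normalised
192.0.2.77            # IP literal, skipped
not a domain          # malformed, skipped
secondbad.example
"""

# Hypothetical domains the business must never block: itself and its bank.
PROTECTED = {"ourcompany.example", "firstbank.example"}


def run_update(feed_text, current_domains, protected=PROTECTED):
    """Full pipeline: normalise, vet, render. Returns the ACL file text."""
    new_domains = normalise(feed_text)
    vet(new_domains, current_domains, protected)
    return squid_dstdomain_file(new_domains)


if __name__ == "__main__":
    current = {"malware-host.example", "another-bad.example",
               "secondbad.example", "stale.example"}
    print(run_update(SAMPLE_FEED, current), end="")
```

Rejected updates are left for the operator to review and apply by hand; accepted ones can be written over the ACL file and Squid told to reload its configuration. The change threshold is a tuning knob: a quarter of the list is reasonable for a feed that moves a few dozen entries a day, and too tight for one that is rebuilt from scratch each run.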

While this technique can be very successful in both blocking and detecting IRC-based bots such as Agobot, and even more recent versions of Conficker (which uses eDonkey peer-to-peer for C&C communication), browser-aware bots such as Torpig and Zlob will simply use the configured browser proxy settings to traverse the firewall.

If a separate host is used for banking activities, the proxy configuration can be taken a step further. If normal hosts are configured to talk to the proxy on, say, TCP port 3128, then banking hosts can use a second listening port, TCP port 4128, and any session to the proxy on port 4128 should be banking activity only. Reports on this activity, perhaps emailed back to the end user, would provide a useful automated feedback loop. Such a report would summarize, per login session, the user, the proxy port, the first and last connection times, and the top sites visited with connection counts and durations.

Figure 2: Example login session using proxy log information (report fields: User, TCP port, first connection, last connection, top 10 sites for the session with connection counts and durations in minutes)

5.2. Anti Spam and AV Gateway

According to the 2008 Internet Crime Report from the US Internet Crime Complaint Center (IC3), 74% of all reported fraud was initiated via email contact (Internet Crime Complaint Center, 2009). Detecting and blocking even some of this email before it reaches its intended target would have a significant impact on Internet fraud.
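
The plain-text review advised in section 4 and the header oddities this section goes on to describe can both be checked mechanically at the gateway. The script below is an added example written for this page, not code from the paper or from SpamAssassin; the two messages it examines and every domain in them are constructed for illustration. It parses a raw message and flags a display name unrelated to the mailbox, a Return-Path domain unrelated to the From domain, an empty To header and a URL whose host is a bare IP address, and, for HTML bodies, lists the links whose visible text names a different host than the one the href actually points to.

```python
"""Triage checks for email reaching finance staff (added example; data below is constructed)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)  # text that looks like a URL
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I)  # URL whose host is a bare IPv4 address


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def deceptive_links(html):
    """(visible text, href) pairs whose text names a host other than the real target.

    This is what reading the message in plain text exposes. Text such as
    'click here' makes no claim about the destination and is not judged.
    """
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if URLISH.fullmatch(text) and host_of(text) != host_of(href)]


def header_findings(raw):
    """Names of the checks a raw RFC 5322 message fails, in a fixed order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    local, _, from_host = addr.lower().rpartition("@")
    # "Alice Smith" <lindaboccafuso1si@...>: a display name unrelated to the mailbox.
    words = re.findall(r"[a-z]{3,}", name.lower())
    if words and not any(w in local for w in words):
        findings.append("from_name_unrelated_to_address")
    _, rp_addr = parseaddr(str(msg.get("Return-Path", "")))
    rp_host = rp_addr.lower().rpartition("@")[2]
    # Bulk mailers legitimately use a subdomain for the envelope sender;
    # an unrelated domain means the envelope sender is not who From claims.
    related = (rp_host == from_host or rp_host.endswith("." + from_host)
               or from_host.endswith("." + rp_host))
    if rp_host and from_host and not related:
        findings.append("return_path_domain_mismatch")
    if not str(msg.get("To", "")).strip():
        findings.append("empty_to_header")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if IP_URL.search(content):
        findings.append("ip_address_url_in_body")
    if body is not None and body.get_content_type() == "text/html" and deceptive_links(content):
        findings.append("link_text_hides_real_host")
    return findings


# Constructed sample messages; every address and domain is fictional.
SPAM = b"""Return-Path: <lindaboccafuso1si@webmail.example>
From: "Alice Smith" <lindaboccafuso1si@webmail.example>
To:
Subject: Please update your account
Content-Type: text/html

<p>Please change your password at the bank web site:
<a href="http://192.0.2.10/login">http://www.firstbank.example/login</a></p>
"""

NOTIFICATION = b"""Return-Path: <sysdeliv@notify.courier.example>
From: <TrackingUpdates@courier.example>
Reply-To: trackingmail@courier.example
To: john@ourcompany.example
Subject: Shipment Notification

Your shipment is on its way: https://www.courier.example/track
"""
```

Run `header_findings(SPAM)` and `header_findings(NOTIFICATION)` to see the two outcomes: the constructed phish trips four checks, the constructed courier notification trips none even though its Return-Path lives on a subdomain of the sender. These are the same kind of individual tests SpamAssassin scores and sums; a production gateway would weight them rather than treat any one as decisive.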

Businesses can use free, open-source software such as SpamAssassin to filter email as it enters the organization. Brian Goldberg has written a step-by-step guide for building a spam gateway using Linux, Postfix, MailScanner, SpamAssassin, and ClamAV (Goldberg, 2005). There are many indicators of spam-delivered crimeware in email messages. Examples include spoofed From addresses, spoofed originating IP addresses or hostnames, URLs containing IP addresses in the message body, and others. SpamAssassin has a rule set that detects many of these oddities and gives incoming email a score (SpamAssassin: Tests Performed: v3.2.x., 2009). When an email receives a poor score, it can be flagged as spam.

Here is a portion of the Cutwail spambot mail template from (Decker, 2009) that the bots use to generate the headers of the spam messages they send. Each item in braces is replaced with a variable of the correct data type:

Date: {DATE}
From: {TAGMAILFROM}
Return-Path: <{_generic_ru_mail}>
X-Priority: 3 (Normal)
Message-Id: <{DIGIT[10]}.{DIGIT[14]}@{MAILFROM_DOMAIN}>
To: {MAIL_TO}
In-Reply-To: <{nhex[44]}@{mailto_domain}>
References: <{nhex[44]}@{mailto_domain}> <{nhex[32-44]}@{MAILFROM_DOMAIN}>

To illustrate the differences between valid email and spam, here is an example of a valid notification from FedEx:

Return-Path: <sysdeliv@fn3nds1.prod.fedex.com>
Envelope-To: john@xxxxxx.com
Date: Mon, 28 Sep :39:
From: <TrackingUpdates@fedex.com>
Reply-To: trackingmail@fedex.com
To: john@xxxxxx.com
Message-ID: < JavaMail.nds@fn3nds1.prod.fedex.com>
Subject: FedEx Shipment Notification

And here are headers from known spam:

Return-Path: <lindaboccafuso1si@yahoo.com>
Message-ID: <8F324A04.54E843A4@yahoo.com>

Date: Fri, 25 Sep :39:
From: "Alice Smith"
User-Agent: Mozilla 4.72 [en] (Win95; I)
To:
Subject: How would you like 2 Million Sites linking to your ad?

The From header in the known spam message is a quoted display name that bears no resemblance to the mailbox address (lindaboccafuso1si@yahoo.com), and the To header is empty. The User-Agent is also unusual, since it indicates an old platform and browser that never had a very large market share as an email client. Performing these checks by hand would be tedious, but SpamAssassin can perform them automatically for every received message. A variety of commercial solutions also exist, such as the Astaro Mail Gateway (Astaro Mail Gateway, 2009) and Symantec Brightmail (Brightmail Gateway Small Business Edition, 2009). These solutions cost between $5,000 and $10,000, but might be worth the expense given the recent rash of attacks targeting small businesses.

6. Detect Outbound Loss

Intrusion Detection Systems, such as Snort, can be used to detect attempts to exfiltrate credentials and other sensitive information, such as Social Security Numbers and credit card numbers. An IDS can also detect known Command and Control communication patterns. Snort is an open source Network Intrusion Detection System (NIDS) developed by Martin Roesch, who is now the CTO of Sourcefire, the makers of a commercial version of Snort. While Sourcefire is a popular intrusion detection/prevention platform, Snort, with over 225,000 registered users, remains the most popular IDS in use today. This has led to a strong community that can be leveraged for nearly immediate assistance on any aspect of installing or configuring Snort (Snort :: Community, 2009). Snort signatures maintained by Matt Jonkman et al. at Emerging Threats can detect connections made by known malware as

well as communication to known Russian Business Network and other Command and Control sites. To detect potential banking fraud in a business, specific signatures should also be added to watch for the following private or credential information: credit card numbers, Social Security Numbers, usernames and passwords, and any other personally identifying information. Eric Conrad et al. (Conrad, 2008) describe the use of the Emerging Threats emerging-policy rules for this purpose. For example, the regular expression from the following Emerging Threats Snort rule detects one of several different varieties of credit card number, in this case a 16-digit number written as four space-separated groups:

/(6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/

The first group matches the issuer prefixes (6011 for Discover, 51 through 55 for MasterCard, 4 for Visa, 3 for other card brands) and the remaining groups match the rest of the digits. A match on the wire is only a candidate: the number's Luhn check digit should be verified before an alert is trusted, or the rule will fire on phone numbers and order identifiers that happen to fit the shape. As long as the malware does not encrypt the data it transmits, the network IDS sensor can watch for leakage of unexpected information. More information on valid credit card numbers can be found at Harrell Stile's Credit Card Check Validation web site.

Besides looking for specific signatures, companies can look for patterns of suspicious network traffic. Bot infections can be hard to identify and prevent because the code is constantly changing and being packed to evade detection by static anti-virus signature sets. BotHunter from SRI International's Malware Threat Center (Gu, G., et al, 2007) was created to detect behavioral patterns that might indicate botnet activity. Network detection of malware infections leading to botnets can be performed by looking for exfiltration attempts or attempts to communicate with Command and Control (C&C) servers. BotHunter uses Snort-based intrusion detection signatures organized into five typical botnet dialog phases:

E1: External to Internal Inbound Scan
E2: External to Internal Inbound Exploit
E3: Internal to External Binary Acquisition
E4: Internal to External C&C Communication
E5: Internal to External Outbound Infection Scanning

Unfortunately, BotHunter has an inflexible model for these state transitions, so defeating its detection is simply a matter of modifying the state diagram or timing for a new bot (Stinson, E., & Mitchell, J. C., 2008). Additionally, BotHunter's authors state, "bots could use encrypted communication channels for C&C." In fact, several bots have done just that (Grizzard, J.B., et al, 2007). In the constant botnet arms race, we must assume that published research will be read and incorporated into the adversary's bag of tricks.

7. Endpoint Protection

Protecting the endpoint is an important part of overall security. Endpoint protection is defined as "...anti-virus, anti-spyware, personal firewalls, host-based IPS, and related technologies that are installed on devices used by employees" (SANS, 2009). Endpoint protection can include signature based AV, behavior based AV, reputation filtering and application white listing. Many commercial AV applications provide some combination of these protections. A recent SANS Technology Institute paper reviews specific vendor products and recommends the use of Bit9 Parity (Beechey, 2008).

7.1. Signature Based AV

Signature based AV is the core protection of the classic AV solution. Signatures are created by capturing samples of malware and deriving a signature for the file or some section of it. Once the vendor defines the signatures, the updates are delivered to the client to provide protection. Scanning for signatures can be done on a scheduled basis as well as event based. Event based scanning can occur on file operations, receipt of email, and downloading of files from the network. This is one of the earliest available types of

protection from AV applications. The need to define and distribute signatures creates a protection gap during which the host is unprotected from new malware until a signature is provided. Examples of vendors that provide this type of protection are Symantec (Symantec, 2009), McAfee (McAfee, 2009) and TrendMicro (TrendMicro, 2009). These vendors also provide products with the advanced protections described below. The targeted attacks against SMBs can use polymorphic malware to bypass signature based AV. Therefore, signature based protection alone is not an adequate endpoint defense (Northcutt, 2009).

7.2. Behavior Based AV

Behavior based protection is another type of malware protection. It is based on the behavior of applications with respect to memory, the registry, the file system and the network. By intercepting operating system calls, behavior based protection can block or allow actions based on a policy. A policy may allow broad permissions for a trusted application but very limited permissions for a program that was just downloaded. An example of a behavior that would be blocked by policy is one program trying to modify the memory of another program; this is typical of malware injecting malicious code into privileged processes. Behavior based protection is effective without relying on signature updates (Farnham, 2009). Examples of behavior based protection are Cisco Security Agent (Cisco, 2009), ThreatFire (ThreatFire, 2009), SafeConnect (Sana Security, 2009) and NovaShield (NovaShield, 2009).

7.3. Reputation Filtering

Reputation filtering provides protection based on the reputation of an Internet Protocol (IP) address. Reputations are based on input from millions of sensors across the Internet, provided by deployed security solutions and other sources. Reputation filtering is often used for blocking spam email. By blocking email from IP addresses with a negative reputation, malware can be kept from reaching the host. The same reputation data can be used to protect the endpoint: endpoint protection by reputation can block access to web sites with negative reputations, preventing users from reaching websites hosting browser exploits and from

18 Protecting Your Business from Online Banking Fraud 18 downloading malware. Reputation filtering can only provide protection from IP addresses with known bad reputation and is therefore not effective against targeted attacks White list Applications Application white listing provides protection by only allowing approved applications to execute. This is the opposite of signature based or black listing protection which only stops known bad applications from executing. White listing protection will not allow applications to run unless they are on the white list. Different methods can be used to identify applications. For example AppLocker which is built in to Window 7 and Windows 2008-R2 can identify applications based on filename, file hash and certificates (Wettern, 2009). Some white listing applications provide a database of predefined categorization of millions of applications. This significantly reduces the implementation effort. Application white listing can be used to tightly lockdown an endpoint. Applications that provide protection via white listing are AppLocker, Bit9 (Bit9, 2009). 8. Managed Security Services Managed Security Services (MSS) is a mitigation option where an organization outsources some level of security services to an outside party. Several different levels of service are available. A basic level of service would provide monitoring of firewall and ids logs. More extensive levels of service could include full management of an organizations information security infrastructure. This may be an attractive option for SMB organizations since they likely do not have information security experts on staff. Using MSS a SMB organization can achieve far superior security than attempting to do it on their own (Allen, 2003). 9. Dedicated Host for Financial Transactions Another method of reducing risks to financial transactions is to provide a dedicated secure host for financial transactions. 
For example, this is recommended by Secureworks as a defense against Clampi (Stewart, 2009). The dedicated host would be hardened, with functionality limited to what financial transactions require, while a second, standard host is used for everyday activities such as general web browsing. This isolates the financial host and provides greater security. A dedicated host for financial transactions would be hardened using several techniques. Unnecessary services would be removed or disabled. Only required applications would be installed. Any changes to the system would be non-persistent. The host would be restricted to connecting only to white-listed web sites, enforced by a network firewall or proxy rather than on the host itself, so that malware which does gain administrative rights on the host cannot simply remove the restriction. The dedicated host for financial transactions could be a separate physical host, a dual-boot installation, a virtual machine or bootable alternative media.

Separate Physical Host

The simplest and most direct way is to use a second physical computer for high-security tasks. The user has one computer for Internet browsing, email and other office activities, and another computer for accessing secure systems and data. The secure computer can be locked down so that it reaches only appropriate material. If it is part of a Microsoft Windows domain, group policy can be used to restrict which web sites it can access and what software it can run; otherwise it is up to the administrator to lock the machine down individually. Local AV, a personal firewall and anti-spyware can be installed, and the computer can be set to communicate only with specific computers on the network. The advantages of this option are complete segmentation and simultaneous use. Since the two are different machines, an attacker must compromise the secure computer directly, or pivot to it from the compromised host, without the help of user-facing attacks via email and web browsing. Secondly, the user can use both computers at the same time; no rebooting between tasks is required. The main disadvantage is cost: each person with high-security work must be issued two computers, which becomes expensive. Companies can save capital by using open source software such as Linux, so that each new machine does not add license costs. They may also designate one secure computer for several employees, each of whom logs on with a separate user name.
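Both the dedicated host and the locked-down separate computer above depend on a site allow-list enforced by a proxy, a firewall or group policy. The following is an added example, not code from the paper: the bank host names are placeholders, and the two functions contrast the check a practitioner must not write (a substring search over the URL text, which a lookalike domain or a user@host trick defeats) with one that compares the parsed host label by label and also pins the scheme and port.

```python
"""Site allow-list decision for a dedicated financial host or its proxy.

Added example; not code from the paper. Bank host names are placeholders.
Two implementations are shown: a naive substring check that a lookalike
domain defeats, and a check that compares whole DNS labels, the scheme
and the port.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Placeholder allow-list (assumption, not a real bank's host names).
ALLOWED_HOSTS = {"online.mybank.example", "ach.mybank.example"}
# Suffixes: the host itself and any subdomain of it are permitted.
ALLOWED_SUFFIXES = {"payroll-provider.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}   # None means the scheme's default port


def naive_allowed(url: str) -> bool:
    """The check NOT to write: 'does a bank name appear anywhere in the URL?'"""
    return any(h in url.lower() for h in ALLOWED_HOSTS | ALLOWED_SUFFIXES)


def host_allowed(host: str) -> bool:
    """Match the full host name or a whole-label suffix, never a substring."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return True
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def url_allowed(url: str) -> tuple[bool, str]:
    """Decide whether the Financial Host may fetch `url`; returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # hostname drops userinfo and port
    except ValueError as exc:                       # bad IPv6 literal, non-numeric port
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not permitted"
    if not host:
        return False, "no host in URL"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not permitted"
    if not host_allowed(host):
        return False, f"host {host!r} not on allow-list"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed URLs: legitimate destinations plus the tricks that beat substring checks.
    for url in (
        "https://online.mybank.example/login",
        "https://ach.mybank.example:443/transfer",
        "https://reports.payroll-provider.example/",
        "http://online.mybank.example/login",               # downgraded scheme
        "https://online.mybank.example.evil.test/login",     # lookalike domain
        "https://online.mybank.example@evil.test/login",     # userinfo trick
        "https://evil.test/online.mybank.example/login",     # bank name in the path
        "https://notpayroll-provider.example/",              # partial-label suffix
    ):
        ok, why = url_allowed(url)
        print(f"{'ALLOW' if ok else 'DENY ':5} naive={naive_allowed(url)!s:5} {url}  ({why})")
```

The same list would be expressed as a dstdomain ACL on the proxy or as destination rules on the firewall; the point carried over is that the match is made on the parsed host, label by label, not on the text of the URL, and that plain http to the bank is refused outright rather than redirected.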

Dual Boot

Another option is a single physical computer with two separate operating system installations. A second operating system can be installed on the same hard drive, giving a dual-boot configuration: at start-up the computer asks which installation to boot. If the user chooses the secure installation, they get a locked-down system for high-security tasks; otherwise they get normal computer use. Again, the second operating system need not be a Microsoft product, although it can be, and the high-security installation must follow all the rules given for the separate computer above. The advantage is savings on hardware and software costs while still implementing fairly good security. The disadvantage is a big one. An attacker who gains administrative rights in one operating system effectively has offline access to the other. Even if each installation is configured so that it cannot see the other's partition, an administrator can change that setting, mount the partition and alter its files, for instance by replacing a program or adding a start-up entry, so that the secure installation is compromised the next time it boots. This option raises the bar, but a determined attacker who has compromised one installation can compromise the second.

Virtual Machine

There are several options for implementing a separate host using virtualization technology. The host used for everyday office activities and web browsing is referred to as the Standard Host, and the host used exclusively for financial transactions is referred to as the Financial Host. For the scope of this paper, VMware solutions are used; other products are available as well. Virtualization can be provided by hosting the virtual machine on the local workstation using VMware Workstation, VMware Player or VMware Server; these solutions are referred to here as a Local Virtual Machine. Virtual machines can also be hosted on a server and accessed from the desktop using a thin client; this is referred to as Virtual Desktop Infrastructure (VDI) (Rouse, 2006). There are a number of options for using a virtual machine to isolate the financial transactions:

1. Standard Host on a physical machine and Financial Host via VDI
2. Thin-client physical machine with both the Standard Host and the Financial Host via VDI
3. Standard Host on a physical machine and Financial Host as a Local Virtual Machine
4. Standard Host as a Local Virtual Machine and Financial Host on the physical machine

Each option has its own attack vectors. In options 1, 2 and 3 a hardened Financial Host virtual machine is accessed from a Standard Host or thin-client physical machine; if that physical machine is compromised, the Financial Host is exposed, because a key logger on the physical machine captures the account credentials typed into the virtual machine. In option 2, if the Standard Host virtual machine is compromised, a vulnerability in the VDI platform could allow it to compromise the Financial Host virtual machine. In option 4, if the Standard Host virtual machine is compromised, it could reach the Financial Host physical machine only through a vulnerability in the virtualization software, that is, a guest-to-host escape.

Each option also has different cost, administrative and security characteristics. Options 1 and 2 require back-end VMware servers, a capital investment and a level of administrative know-how out of reach for most small and medium-sized businesses. VDI does have the advantage that all virtual machines live in the data center, where IT staff can centrally manage and control them. Options 3 and 4 can be implemented using the free VMware Player. Option 4 is more secure than option 3 because the less secure Standard Host is the guest of the more secure Financial Host: a compromise of the Standard Host must escape the virtual machine to reach the Financial Host, whereas in option 3 the compromised machine sits underneath the Financial Host and sees every keystroke sent to it. Small and medium-sized businesses would probably find option 3 easier to implement, because they can simply add a virtual Financial Host to their existing physical Standard Hosts.

An example implementation of option 3 is the Browser Appliance available from the VMware web site (VMware, 2009). VMware Player is installed on the Standard Host physical machine and the Browser Appliance is run locally as a guest operating system. Finance staff use the Browser Appliance for financial transactions. It is configured not to save any changes to the virtual machine, so every restart boots a fresh copy of a clean operating system, which eliminates persistent infection. A challenge with this solution is that if vulnerabilities are discovered in the appliance, it must be updated and redistributed; an appliance that still has the vulnerability could be compromised afresh each time it is used, and non-persistence does not stop credentials being stolen during that session. The advantage of this approach is low cost: VMware Player is free and no additional server resources are required.

Figure 3: Browser Appliance

While the currently available Browser Appliance could be used for a proof-of-concept exercise, it should not be used for a production deployment: it has old versions of the operating system and the Firefox browser installed. For production, a new virtual machine would need to be created, and to keep this solution effective the appliance should be kept up to date with the latest OS and browser patches.

There are a number of configuration steps that enhance the appliance's security. The virtual machine needs to be kept up to date, either by updating it in place or by updating a master and distributing new copies. The following steps should also be taken:

1. Install the NoScript browser plug-in.
2. Configure proxy settings. If possible, the proxy should allow access only to the necessary financial sites.
3. Set the home page to the financial/banking web site to be used. Remove all bookmarks and add only those that are needed.
4. Modify the appliance's virtual machine configuration file so that the disk reverts to its original state after each shutdown. For VMware this is Browser-Appliance.vmx. Shut down the appliance, then add the following lines:

   scsi0:0.mode = "independent-nonpersistent"
   snapshot.action = "autoRevert"
   snapshot.disabled = "TRUE"

   The device key (scsi0:0 here) must match the disk entry already present in the .vmx file; a mode set on a key that names no disk reverts nothing.
5. Make sure users of the appliance are trained to power off the virtual machine, so that system and browser state are not carried over between sessions.

Read-Only Bootable Alternative Media (ROBAM)

Another method of providing a dedicated host for financial transactions is bootable read-only media. The user is given a CD or USB flash drive carrying a bootable operating system. A finalized CD is inherently read-only. A USB flash drive can be mounted with a read-only file system, but unless the drive has a hardware write-protect switch the media itself can still be written by any machine it is plugged into, so a bootable CD is recommended: there is no possibility of changing the files once it has been created. The bootable system is configured with only the services and applications required to perform financial transactions. When users need to execute financial transactions, they boot the read-only media on their existing desktop or possibly on a separate physical machine. The bootable system is configured not to access the local hard drive, so any malware on the local machine has no effect on the user while the bootable media is running.

If a vulnerability exists in the software on the bootable CD, the host could be compromised every time it is booted; the compromise does not survive a reboot, but it can recur each session and capture credentials during it. To mitigate this, a robust update process is required. A master installation is created on a USB drive. This drive is handled securely, used only to update the master installation, and securely stored when not in use. The master installation is updated using the operating system's normal update mechanisms. Once the master is updated, new bootable CDs are created and distributed. The process for creating a bootable CD is documented in Appendix B. Recording the hash of the master image and verifying each burned CD against it before distribution catches both bad burns and a tampered copy.

Figure 4: Process to create Bootable Alternative Media

This option has several advantages. There is no requirement for additional infrastructure or for a second computer per user. Some light user training may be required, but using a separate environment for a dedicated task is relatively easy. There is some administrative overhead in managing the master installation and distributing CDs, but it is easily manageable. One disadvantage is that users cannot access information on their Standard Host while the bootable CD is serving as their Financial Host. Given these advantages, the ROBAM technique provides an essentially free way for small and medium businesses to increase the security of their financial transactions and is the primary recommended option.

10. Detect Fraud based on transactions

Businesses are not alone in this fight against these attackers; the banks too are doing what they can to protect their customers. Even though the laws that protect
consumers are more complete than the ones that protect businesses (in the US, consumer accounts fall under Regulation E, while business accounts are governed by UCC Article 4A and the business bears more of the loss), banks understand that protecting their business customers is an important part of their business plan. There are several pieces of technology banks use to protect their customers. The first is based on examining transactions as they occur.

There are two major types of technology banks use to examine customers' transactions for possible fraud. The first is rules-based transaction monitoring; the second is neural-net transaction monitoring. With rules-based monitoring, each transaction is examined against a set of rules. The rules vary from bank to bank, and no bank is willing (nor should it ever be) to divulge its rules to the public. The system looks at transaction properties such as the location of the payee, the amount, the date and the type of transaction. The rules are not only atomic; they can recognize patterns as well, for example the number of transactions in a given period (day/week/month) and the total amount transferred to different payees. Based on how irregular these indicators are, the system assigns a score to the transaction. Transactions with a very high score are blocked immediately and the customer is informed. Banks must be careful here, because customers conducting legitimate business are angered when their transactions are blocked. When the score is high enough to be noticed but not high enough to block automatically, the transaction is turned over to a fraud analyst, who examines each case individually, decides whether to honor it, and may call the customer. Most banks, even smaller local ones, offer this sort of protection, and it is helpful. It is not perfect, however, and can err on both sides.
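The rules-based scoring described above, worked through as an added example. This is not the paper's code and not any bank's rule set; the rule weights, the block and review thresholds, and the sample account history are constructed for illustration, and the $10,000 line is the Bank Secrecy Act reporting threshold the paper refers to. It shows the atomic properties (payee, amount, location, size relative to the account's norm) and the pattern rules (number of transfers in a 24-hour window, total sent this week to payees the account had never paid before) combining into one score with the three outcomes the paragraph describes: allow, hand to an analyst, or block.

```python
"""Illustrative rules-based transaction monitoring.

Added example; not the paper's code and not any bank's rule set (banks keep
theirs confidential). Rules, weights, thresholds and the sample account
history are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import fmean

# The paper notes the fraudulent transfers were kept below the US Bank Secrecy
# Act's $10,000 reporting line, so amounts parked just under it are a signal.
BSA_THRESHOLD = 10_000.00
BLOCK_SCORE = 80       # at or above: block the transaction and notify the customer
REVIEW_SCORE = 40      # at or above: route to a fraud analyst
DAY, WEEK = timedelta(days=1), timedelta(days=7)


@dataclass(frozen=True)
class Txn:
    when: datetime
    payee: str           # payee account identifier (constructed)
    payee_country: str   # country of the payee's bank
    amount: float
    kind: str            # "ACH", "WIRE", ...


def score_txn(txn: Txn, history: list[Txn], home_country: str = "US") -> tuple[int, list[str]]:
    """Score one transaction against the account's strictly earlier transactions."""
    prior = [h for h in history if h.when < txn.when]
    score, reasons = 0, []

    # Atomic rules: payee, amount, location, size relative to the account's norm.
    if txn.payee not in {h.payee for h in prior}:
        score += 25
        reasons.append("new payee")
    if 0.8 * BSA_THRESHOLD <= txn.amount < BSA_THRESHOLD:
        score += 25
        reasons.append("amount just under BSA reporting threshold")
    if txn.payee_country != home_country:
        score += 15
        reasons.append("foreign payee")
    if prior and txn.amount > 3 * fmean([h.amount for h in prior]):
        score += 10
        reasons.append("amount far above account norm")

    # Pattern rules: velocity, and total money sent to unfamiliar payees this week.
    in_last_day = sum(1 for h in prior if txn.when - h.when <= DAY) + 1
    if in_last_day > 3:
        score += 20
        reasons.append(f"{in_last_day} transfers in 24h")
    baseline = {h.payee for h in prior if txn.when - h.when > WEEK}   # payees known before this week
    new_total = sum(h.amount for h in prior
                    if txn.when - h.when <= WEEK and h.payee not in baseline)
    if txn.payee not in baseline:
        new_total += txn.amount
    if new_total > 2 * BSA_THRESHOLD:
        score += 25
        reasons.append(f"${new_total:,.0f} to new payees in 7 days")
    return score, reasons


def decide(score: int) -> str:
    if score >= BLOCK_SCORE:
        return "block"
    if score >= REVIEW_SCORE:
        return "review"
    return "allow"


def run(transactions: list[Txn], home_country: str = "US") -> list[tuple[Txn, int, str, list[str]]]:
    """Score each transaction in time order, seeing only what came before it."""
    results = []
    for txn in sorted(transactions, key=lambda t: t.when):
        score, reasons = score_txn(txn, transactions, home_country)
        results.append((txn, score, decide(score), reasons))
    return results


def sample_transactions() -> list[Txn]:
    """Constructed history: three regular monthly payees, then a burst of
    sub-$10,000 transfers to four never-before-seen payees, then normal pay."""
    txns = []
    for month in (1, 2, 3):
        txns += [
            Txn(datetime(2009, month, 15, 12, 0), "PAYEE-A", "US", 4500.00, "ACH"),
            Txn(datetime(2009, month, 15, 12, 30), "PAYEE-B", "US", 2200.00, "ACH"),
            Txn(datetime(2009, month, 15, 13, 0), "PAYEE-C", "US", 3100.00, "ACH"),
        ]
    burst_start = datetime(2009, 4, 1, 9, 0)
    for i in range(4):
        txns.append(Txn(burst_start + timedelta(minutes=20 * i), f"MULE-{i + 1}", "US", 9500.00, "ACH"))
    txns.append(Txn(datetime(2009, 4, 15, 12, 0), "PAYEE-A", "US", 4500.00, "ACH"))
    return txns


if __name__ == "__main__":
    for txn, score, decision, reasons in run(sample_transactions()):
        print(f"{txn.when:%Y-%m-%d %H:%M} {txn.payee:8} ${txn.amount:>9,.2f} "
              f"score={score:3d} {decision:6} {'; '.join(reasons)}")
```

On the constructed history the first sub-$10,000 transfer to an unknown payee scores 50 and goes to an analyst; only the fourth transfer within the hour crosses the block line, because the velocity and new-payee-total rules need several transactions before they fire. That is the gap the paragraph describes: a thief who knows roughly where the thresholds sit paces the transfers to stay in the review band, where a busy analyst decides.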
Banks ask that customers be understanding if a legitimate transaction is blocked, since it is done for the customer's protection. Unfortunately that is not the worst issue. Since this system usually comes down to a person manually looking at an account, he or she can often be fooled or overwhelmed. Despite the banks' unwillingness to divulge the rule sets they employ, the thieves have a rather good idea of what they are and disguise their activity to keep the score low. Attacks also usually occur at traditionally busy times like


More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Top tips for improved network security

Top tips for improved network security Top tips for improved network security Network security is beleaguered by malware, spam and security breaches. Some criminal, some malicious, some just annoying but all impeding the smooth running of a

More information

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World Securing Your Web World WEBTHREATS Constantly Evolving Web Threats Require Revolutionary Security ANTI-SPYWARE ANTI-SPAM WEB REPUTATION ANTI-PHISHING WEB FILTERING Web Threats Are Serious Business Your

More information

THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS

THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS David Glockner, Managing Director strozfriedberg.com Overview The big picture: what does cybercrime look like today and how is it evolving? What

More information

Strategies to Mitigate Targeted Cyber Intrusions Mitigation Details

Strategies to Mitigate Targeted Cyber Intrusions Mitigation Details CYBER SECURITY OPERATIONS CENTRE 13/2011 21 July 2011 Strategies to Mitigate Targeted Cyber Intrusions Mitigation Details INTRODUCTION 1. This document provides further information regarding DSD s list

More information

Transaction Anomaly Protection Stopping Malware At The Door. White Paper

Transaction Anomaly Protection Stopping Malware At The Door. White Paper Transaction Anomaly Protection Stopping Malware At The Door White Paper Table of Contents Overview 3 Programmable Crime Logic Alter Web Application Flow & Content 3 Programmable Crime Logic Defeats Server-Side

More information

Top five strategies for combating modern threats Is anti-virus dead?

Top five strategies for combating modern threats Is anti-virus dead? Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.

More information

Symantec Advanced Threat Protection: Network

Symantec Advanced Threat Protection: Network Symantec Advanced Threat Protection: Network DR150218C April 2015 Miercom www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Overview... 4 2.1 Products Tested... 4 2.2. Malware Samples... 5 3.0 How

More information

Retail/Consumer Client. Internet Banking Awareness and Education Program

Retail/Consumer Client. Internet Banking Awareness and Education Program Retail/Consumer Client Internet Banking Awareness and Education Program Table of Contents Securing Your Environment... 3 Unsolicited Client Contact... 3 Protecting Your Identity... 3 E-mail Risk... 3 Internet

More information

How To Protect Yourself Online

How To Protect Yourself Online NetBank security guide Commonwealth Bank Personal 1 Contents Page 4 5 5 5 7 7 9 9 9 11 12 12 13 13 13 14 14 14 16 16 16 17 18 18 19 19 20 21 Section Peace of mind with NetBank What are the common online

More information

The Key to Secure Online Financial Transactions

The Key to Secure Online Financial Transactions Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on

More information

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime sponsored by Introduction

More information

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security

More information

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions The evolution of virtual endpoint security Comparing vsentry with traditional endpoint virtualization security solutions Executive Summary First generation endpoint virtualization based security solutions

More information

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some

More information

Managing Web Security in an Increasingly Challenging Threat Landscape

Managing Web Security in an Increasingly Challenging Threat Landscape Managing Web Security in an Increasingly Challenging Threat Landscape Cybercriminals have increasingly turned their attention to the web, which has become by far the predominant area of attack. Small wonder.

More information

INTERNET & COMPUTER SECURITY March 20, 2010. Scoville Library. ccayne@biblio.org

INTERNET & COMPUTER SECURITY March 20, 2010. Scoville Library. ccayne@biblio.org INTERNET & COMPUTER SECURITY March 20, 2010 Scoville Library ccayne@biblio.org Internet: Computer Password strength Phishing Malware Email scams Identity Theft Viruses Windows updates Browser updates Backup

More information

How To Protect Your Online Banking From Fraud

How To Protect Your Online Banking From Fraud DETECT MONITORING SERVICES AND DETECT SAFE BROWSING: Empowering Tools to Prevent Account Takeovers SUMMARY The Federal Financial Institutions Examination Council (FFIEC) is planning to update online transaction

More information

Getting Ahead of Malware

Getting Ahead of Malware IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,

More information

Anti-Phishing Best Practices for ISPs and Mailbox Providers

Anti-Phishing Best Practices for ISPs and Mailbox Providers Anti-Phishing Best Practices for ISPs and Mailbox Providers Version 2.01, June 2015 A document jointly produced by the Messaging, Malware and Mobile Anti-Abuse Working Group (M 3 AAWG) and the Anti-Phishing

More information

Using Remote Desktop Clients

Using Remote Desktop Clients CYBER SECURITY OPERATIONS CENTRE December 2011 Using Remote Desktop Clients INTRODUCTION 1. Remote access solutions are increasingly being used to access sensitive or classified systems from homes and

More information

User Manual. HitmanPro.Kickstart User Manual Page 1

User Manual. HitmanPro.Kickstart User Manual Page 1 User Manual HitmanPro.Kickstart User Manual Page 1 Table of Contents 1 Introduction to HitmanPro.Kickstart... 3 2 What is ransomware?... 4 3 Why do I need HitmanPro.Kickstart?... 6 4 Creating a HitmanPro.Kickstart

More information

Covert Operations: Kill Chain Actions using Security Analytics

Covert Operations: Kill Chain Actions using Security Analytics Covert Operations: Kill Chain Actions using Security Analytics Written by Aman Diwakar Twitter: https://twitter.com/ddos LinkedIn: http://www.linkedin.com/pub/aman-diwakar-ccie-cissp/5/217/4b7 In Special

More information

Building A Secure Microsoft Exchange Continuity Appliance

Building A Secure Microsoft Exchange Continuity Appliance Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building

More information

Common Cyber Threats. Common cyber threats include:

Common Cyber Threats. Common cyber threats include: Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

Next Generation IPS and Reputation Services

Next Generation IPS and Reputation Services Next Generation IPS and Reputation Services Richard Stiennon Chief Research Analyst IT-Harvest 2011 IT-Harvest 1 IPS and Reputation Services REPUTATION IS REQUIRED FOR EFFECTIVE IPS Reputation has become

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Specific recommendations

Specific recommendations Background OpenSSL is an open source project which provides a Secure Socket Layer (SSL) V2/V3 and Transport Layer Security (TLS) V1 implementation along with a general purpose cryptographic library. It

More information

NUIT Tech Talk. Peeking Behind the Curtain of Security. Jeff Holland Security Vulnerability Analyst Information & Systems Security/Compliance

NUIT Tech Talk. Peeking Behind the Curtain of Security. Jeff Holland Security Vulnerability Analyst Information & Systems Security/Compliance NUIT Tech Talk Peeking Behind the Curtain of Security Jeff Holland Security Vulnerability Analyst Information & Systems Security/Compliance Definitions Malware: The Virus/Trojan software we ve all come

More information

Introduction: 1. Daily 360 Website Scanning for Malware

Introduction: 1. Daily 360 Website Scanning for Malware Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover

More information

THE ROLE OF IDS & ADS IN NETWORK SECURITY

THE ROLE OF IDS & ADS IN NETWORK SECURITY THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker

More information

Remote Deposit Quick Start Guide

Remote Deposit Quick Start Guide Treasury Management Fraud Prevention How to Protect Your Business Remote Deposit Quick Start Guide What s Inside We re committed to the safety of your company s financial information. We want to make you

More information

Section 12 MUST BE COMPLETED BY: 4/22

Section 12 MUST BE COMPLETED BY: 4/22 Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege

More information

System Compatibility. Enhancements. Operating Systems. Hardware Requirements. Email Security

System Compatibility. Enhancements. Operating Systems. Hardware Requirements. Email Security Email Security SonicWALL Email Security 7.0 for Microsoft Small Business Server System Compatibility SonicWALL Email Security 7.0 Software is supported on systems with the following: Operating Systems

More information

Innovations in Network Security

Innovations in Network Security Innovations in Network Security Michael Singer April 18, 2012 AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

More information

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques

More information

isheriff CLOUD SECURITY

isheriff CLOUD SECURITY isheriff CLOUD SECURITY isheriff is the industry s first cloud-based security platform: providing fully integrated endpoint, Web and email security, delivered through a single Web-based management console

More information

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011 10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection September 2011 10 Potential Risks Facing Your IT Department: Multi-layered Security & Network Protection 2 It s

More information

Payment Fraud and Risk Management

Payment Fraud and Risk Management Payment Fraud and Risk Management Act Today! 1. Help protect your computer against viruses and spyware by using anti-virus and anti-spyware software and automatic updates. Scan your computer regularly

More information

Anti-exploit tools: The next wave of enterprise security

Anti-exploit tools: The next wave of enterprise security Anti-exploit tools: The next wave of enterprise security Intro From malware and ransomware to increasingly common state-sponsored attacks, organizations across industries are struggling to stay ahead of

More information

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Today s bank customers can perform most of their financial activities online. According to a global survey

More information

Trend Micro OfficeScan 11.0. Best Practice Guide for Malware

Trend Micro OfficeScan 11.0. Best Practice Guide for Malware Trend Micro OfficeScan 11.0 Best Practice Guide for Malware Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned

More information

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com

More information