Transaction Anomaly Protection Stopping Malware At The Door. White Paper

Transcription

1 Transaction Anomaly Protection Stopping Malware At The Door White Paper

2 Table of Contents Overview 3 Programmable Crime Logic Alter Web Application Flow & Content 3 Programmable Crime Logic Defeats Server-Side Security Controls 4 Geo-Location and Device Identification 4 Account Profiling 4 Transaction Verification/Signing 4 Two Factor Authentication Systems 5 The Technology of Trusteer Pinpoint 5 Deploying Trusteer Pinpoint 6 Trusteer Pinpoint Fraud Prevention Methodology 6 Step 1: Malware Detection 6 Step 2: Receive Detection Results 7 Step 3: Act on Detection Information to Stop Fraud 8 Trusteer Pinpoint and Trusteer Rapport: Complementary Solutions 8 About Trusteer 9 Transaction Anomaly Protection Stopping Malware At The Door 2

3 Overview Trojans such as Zeus and SpeEye on desktops and mobile devices are the leading source of Cybercrime. Malware infected endpoints are responsible for most financial fraud and can effectively execute Man-in-the- Middle (MitM) and Man-in-the-Browser (MitB) attacks. Traditional web protection solutions are easily defeated by the combination of malicious technology and social engineering. Anti-Virus solutions poorly detect advanced malware targeting online banking and employee remote access websites. Trusteer Pinpoint is a clientless solution that accurately detects malware infected devices. Trusteer Pinpoint malware analysis determines the presence of malware and its configuration to qualify the threat it represents to the business. Organizations can prevent potential fraud or data theft by using Trusteer Pinpoint s risk score to alert their fraud teams or restrict access to sensitive transactions to prevent potential fraud or data theft. Trusteer Pinpoint is completely transparent to users and does not require any installation of software on the endpoint. Programmable Crime Logic Alter Web Application Flow & Content Bugat, Carberp, OddJob, Tatanga, and Shylock are but a few new malware families that join incumbent leaders of the financial malware market like Zeus and SpyEye. Although each malicious software was coded by a different team of developers, they all share a common malicious functionality Programmable Crime Logic. Programmable Crime Logic is the core technology behind what is referred to as Man-in-the-Browser attacks. It is what makes financial malware so effective in bypassing authentication and other security controls. In a nutshell, this is the fraudster s ability to alter web communication between victims and specific websites. Malware that applies Programmable Crime Logic is centrally controlled and updated by fraudsters. Once users are infected, the malware begins communicating with its command and control (C&C) servers on the web. The malware downloads a Crime Logic payload from the C&C consisting of a list of URLs and instructions on how to alter web pages and web communication in the target application. These instructions are the Crime Logic. The fraudsters ability to centrally control and dynamically change Crime Logic is what makes it programmable. Fraudsters use Programmable Crime Logic for three main purposes: Information Theft: By using Programmable Crime Logic, fraudsters can add fields to the login or any other page on the web site. They can use these fields to ask for sensitive information such as credentials, contact information and payment card information. The malware then collects this information and transmits it to the fraudsters. Transaction Anomaly Protection Stopping Malware At The Door 3

4 Drive Victim Actions: To overcome strong security controls (e.g. One Time Password and Transaction Signing), fraudsters use Programmable Crime Logic to fool customers into undergoing security training or device calibration activities. End users are asked to generate a transaction signing key, type an out-ofband OTP or install software on a mobile device. Transaction Tampering: Using Programmable Crime Logic, the malware can alter transactions that are sent by users to the bank s website. For example, malware can add a payee or change the details of a transaction without end user or the bank s knowledge. Crime Logic is dynamic. Fraudsters develop new Crime Logic all the time, making it more sophisticated and more efficient in committing fraud. An infected computer will constantly connect to its C&C server and receive the latest Crime Logic. Programmable Crime Logic Defeats Server-Side Security Controls Programmable Crime Logic based attacks are widely used to commit fraud. Their popularity largely stems from their effectiveness in evading most server side security solutions currently deployed by banks. Geo-Location and Device Identification Many security solutions maintain a list of known user devices and locations. New devices or locations used to access an application raise the risk level of corresponding transactions. This approach is partially effective against offline transaction theft (e.g. Phishing) but ineffective against Programmable Crime Logic, as fraud is executed from end user machines typically leveraging an already authenticated session. Account Profiling Account profiling system is used to track account business transactions and maintain a profile of normal transactions. When users perform an abnormal transaction, the system rates it as risky. Malware, persistently residing on end user machines, monitors user accounts and studies their user profile. It can then carefully craft a transaction that flies under the radar (using normal transaction amounts and payee locations). Even if one attack fails, fraudsters can continue to improve their Crime Logic until they succeed. Transaction Verification/Signing Various transaction verification systems, including those based on SMS text messages and dedicated hardware devices, are constantly bypassed by Programmable Crime Logic through a variety of social engineering tactics. In these attacks, fraudsters change the webpage to include text that convinces users to unknowingly approve fraudulent transactions. Transaction Anomaly Protection Stopping Malware At The Door 4

5 Two Factor Authentication Systems Two factor authentication systems are easily bypassed, as Crime Logic is executed post login. Once users have been authenticated, fraudsters can control their sessions and tamper with transactions. The Technology of Trusteer Pinpoint Trusteer Pinpoint consists of three main components: a sensor, a cloud service and a harvesting and analysis service. The sensor is the only component requiring integration. The sensor s code is copied to the target web page. It runs as part of the web application and monitors devices accessing sensitive web pages, comparing their behavior with known Crime Logic. Trusteer runs a complex operation in which malware code is obtained through other services that the company operates. The malware code is analyzed by automated and manual processes, and allows Trusteer to extract the Crime Logic hosted by the C&C at any given moment. Trusteer extracts Crime Logic from malware C&C and builds rules that identify infected devices. New rules are constantly developed as Trusteer gains access to new types of malware and to additional malware C&C servers that apply different Crime Logic. When an infected endpoint device visits the bank s website, Trusteer Pinpoint s sensors running as part of the bank s website monitor device behavior during the session, applying preconfigured rules to identify Crime Logic. When a match is found, Trusteer Pinpoint detects the malware type and its impact on the website. For example, Trusteer Pinpoint can provide an alert when it detects a device infected with SpyEye and captures user login information. Infected Device Pinpoint Sensor Website Malwere Behavioral Rules Pinpoint Cloud Service Transaction Anomaly Protection Stopping Malware At The Door 5

6 Deploying Trusteer Pinpoint Trusteer offers a few deployment options for Trusteer Pinpoint. The most common integration option is using Trusteer s web application library. In this mode, the bank s web application invokes Trusteer Pinpoint library from specific webpages, receives a malware infection indication and adjusts application logic as necessary (such as restricting access). Once integrated, Trusteer Pinpoint immediately starts detecting malware with no learning period required. Trusteer Pinpoint is completely transparent to end users, working silently in the background. The entire process takes less than a second to complete and has no visual impact on the browsing experience. Trusteer Pinpoint supports all browsers and operating systems, including mobile devices, and does not require installation of any software such as Flash, Java or ActiveX. Trusteer Pinpoint Fraud Prevention Methodology Trusteer Pinpoint fraud prevention process consists of three major steps: Step 1: Malware Detection While users browses the bank s web site, Trusteer Pinpoint identifies anomalous behaviors attributed to malware. The detection process delivers the following data: Risk Score - Low Risk: No Malware was identified on the machine - Medium Risk: Anomalous behavior was identified but cannot be conclusively identified as malware - High Risk: Malware was identified but is not currently configured to attack the bank s web site - Very High Risk: Malware is configured to attack the bank s web site Malware Details - Type of Malware: e.g. Zeus, SpyEye. - Attack Type: Credential Theft, Transaction Tampering Transaction Anomaly Protection Stopping Malware At The Door 6

7 Step 2: Receive Detection Results Results of the detection process are delivered to the bank in any one or all of the following ways: Trusteer Pinpoint API: Once malware is detected, detection results are sent directly to the bank s web application for further processing. Feeds: Once malware is detected, an feed is sent to the recipients that were configured for the bank in the Trusteer Management Application (TMA). Trusteer Management Application (TMA) Reports: A report is displayed in both chart and table formats, showing malware related data detected by the service. Trusteer Flat File Feeds: A flat file with a list of all detection events is sent regularly to the customer Transaction Anomaly Protection Stopping Malware At The Door 7

8 Step 3: Act on Detection Information to Stop Fraud Upon malware detection, banks can take action as follows: Offline Mark users as infected and recredential for next login Contact infected users for machine cleanup and transaction verification. Trusteer Rapport customers can instruct end users to install Rapport for malware removal. In cases where malware removal cannot take place in a timely manner, users can be instructed to use alternative devices in the meantime. In Real Time Based on transaction business sensitivity and risk scores provided by the Pinpoint API, the following actions can be taken: Restrict Access: Users can be blocked from transacting or performing sensitive operations. Elevate Risk in 3rd Party Risk Engines: When using a risk engine such as RSA Adaptive Authentication or Nice Actimize, it is possible to have Trusteer Pinpoint deliver its data to the risk engine and associate it with specific fraud detection rules. The integration of Trusteer Pinpoint with risk engines is straightforward and supported by APIs from both vendors. Trusteer Pinpoint and Trusteer Rapport: Complementary Solutions For organizations using Trusteer Rapport, Trusteer Pinpoint adds the ability to address users who are unable or unwilling to use client software. Both products complement each other, providing comprehensive coverage of the entire user base. However, the benefit of using both products extends well beyond this. Trusteer Rapport and Trusteer Pinpoint form a complete malware protection suite, detecting malware infected devices and protecting them by blocking and removing malware on the device, making them safe to perform sensitive operations (such as online banking). Transaction Anomaly Protection Stopping Malware At The Door 8

9 About Trusteer Trusteer is the leading provider of cybercrime prevention solutions that protect organizations against financial fraud and data breaches. Hundreds of organizations and millions of end users rely on Trusteer to protect their computers and mobile devices from online threats that are invisible to legacy security solutions. Trusteer s Cybercrime Prevention Architecture combines multi-layer security software and realtime threat intelligence to defeat zero-day malware and phishing attacks, and help organizations meet regulatory compliance requirements. Leading organizations such as HSBC, Santander, The Royal Bank of Scotland, SunTrust and Fifth Third are among Trusteer s clients. For more information visit: Transaction Anomaly Protection Stopping Malware At The Door 9