Transaction Anomaly Protection Stopping Malware At The Door. White Paper



Similar documents
Securing Your Business s Bank Account

Protect Your Business and Customers from Online Fraud

Prevent Malware attacks with F5 WebSafe and MobileSafe. Alfredo Vistola Security Solution Architect, EMEA

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

ACI Response to FFIEC Guidance

IBM Security re-defines enterprise endpoint protection against advanced malware

White Paper. FFIEC Authentication Compliance Using SecureAuth IdP

Electronic Fraud Awareness Advisory

The Key to Secure Online Financial Transactions

BioCatch Fraud Detection CHECKLIST. 6 Use Cases Solved with Behavioral Biometrics Technology

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Protecting Against Online Fraud with F5

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

TrustDefender Mobile Technical Brief

Gladiator NetTeller Enterprise Security Monitoring Online Fraud Detection INFORMATION SECURITY & RISK MANAGEMENT

Protecting Online Customers from Man-inthe-Browser and Man-in-the-Middle Attacks

Selecting the right cybercrime-prevention solution

Five Trends to Track in E-Commerce Fraud

KASPERSKY FRAUD PREVENTION PLATFORM COVERING ONLINE AND MOBILE BANKING RISKS

ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief

How CA Arcot Solutions Protect Against Internet Threats

WHITEPAPER. Fraud Protection for Native Mobile Applications Benefits for Business Owners and End Users

Under the Hood of the IBM Threat Protection System

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

isheriff CLOUD SECURITY

PortWise Access Management Suite

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

End-user Security Analytics Strengthens Protection with ArcSight

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

FSOEP Web Banking & Fraud: Corporate Treasury Attacks

IBM Advanced Threat Protection Solution

Spear Phishing Attacks Why They are Successful and How to Stop Them

How To Protect Your Online Banking From Fraud

BUGAT TROJAN JOINS THE MOBILE REVOLUTION

10 Things Every Web Application Firewall Should Provide Share this ebook

Device Fingerprinting and Fraud Protection Whitepaper

RSA Adaptive Authentication and Citrix NetScaler SDX Platform Overview

IBM Security Strategy

WHITE PAPER Moving Beyond the FFIEC Guidelines

PortWise Access Management Suite

The Hillstone and Trend Micro Joint Solution

Entrust IdentityGuard

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

WHITE PAPER. VeriSign Identity Protection Fraud Detection Service An Overview

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Online Banking Risks efraud: Hands off my Account!

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

Security Intelligence

F5 (Security) Web Fraud Detection. Keiron Shepherd Security Systems Engineer

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Supplement to Authentication in an Internet Banking Environment

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR

Fraud Threat Intelligence

WHITE PAPER. Understanding How File Size Affects Malware Detection

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services

Online Payments Threats

Cloud Services Prevent Zero-day and Targeted Attacks

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Managing Web Security in an Increasingly Challenging Threat Landscape

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and Advanced Persistent Threats

Monitoring mobile communication network, how does it work? How to prevent such thing about that?

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

MITB Grabbing Login Credentials

MRG Effitas Online Banking / Browser Security Assessment Project Q Results

Securing Online Payments in ACH Client and Remote Deposit Express

INTRODUCING isheriff CLOUD SECURITY

Enterprise Cybersecurity: Building an Effective Defense

Security A to Z the most important terms

BEST SECURITY PRACTICES IN ONLINE BANKING PLATFORMS

RSA Web Threat Detection

AVeS Cloud Security powered by SYMANTEC TM

Internet Banking Attacks. Karel Miko, CISA DCIT, a.s. (Prague, Czech Republic)

WEBSENSE SECURITY SOLUTIONS OVERVIEW

Trusteer Rapport. User Guide. Version April 2014

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Sophistication of attacks will keep improving, especially APT and zero-day exploits

Unified Security, ATP and more

Cisco Cloud Web Security Key Functionality [NOTE: Place caption above figure.]

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

24/7 Visibility into Advanced Malware on Networks and Endpoints

Transcription:

Transaction Anomaly Protection Stopping Malware At The Door White Paper

Table of Contents Overview 3 Programmable Crime Logic Alter Web Application Flow & Content 3 Programmable Crime Logic Defeats Server-Side Security Controls 4 Geo-Location and Device Identification 4 Account Profiling 4 Transaction Verification/Signing 4 Two Factor Authentication Systems 5 The Technology of Trusteer Pinpoint 5 Deploying Trusteer Pinpoint 6 Trusteer Pinpoint Fraud Prevention Methodology 6 Step 1: Malware Detection 6 Step 2: Receive Detection Results 7 Step 3: Act on Detection Information to Stop Fraud 8 Trusteer Pinpoint and Trusteer Rapport: Complementary Solutions 8 About Trusteer 9 Transaction Anomaly Protection Stopping Malware At The Door 2

Overview Trojans such as Zeus and SpeEye on desktops and mobile devices are the leading source of Cybercrime. Malware infected endpoints are responsible for most financial fraud and can effectively execute Man-in-the- Middle (MitM) and Man-in-the-Browser (MitB) attacks. Traditional web protection solutions are easily defeated by the combination of malicious technology and social engineering. Anti-Virus solutions poorly detect advanced malware targeting online banking and employee remote access websites. Trusteer Pinpoint is a clientless solution that accurately detects malware infected devices. Trusteer Pinpoint malware analysis determines the presence of malware and its configuration to qualify the threat it represents to the business. Organizations can prevent potential fraud or data theft by using Trusteer Pinpoint s risk score to alert their fraud teams or restrict access to sensitive transactions to prevent potential fraud or data theft. Trusteer Pinpoint is completely transparent to users and does not require any installation of software on the endpoint. Programmable Crime Logic Alter Web Application Flow & Content Bugat, Carberp, OddJob, Tatanga, and Shylock are but a few new malware families that join incumbent leaders of the financial malware market like Zeus and SpyEye. Although each malicious software was coded by a different team of developers, they all share a common malicious functionality Programmable Crime Logic. Programmable Crime Logic is the core technology behind what is referred to as Man-in-the-Browser attacks. It is what makes financial malware so effective in bypassing authentication and other security controls. In a nutshell, this is the fraudster s ability to alter web communication between victims and specific websites. Malware that applies Programmable Crime Logic is centrally controlled and updated by fraudsters. Once users are infected, the malware begins communicating with its command and control (C&C) servers on the web. The malware downloads a Crime Logic payload from the C&C consisting of a list of URLs and instructions on how to alter web pages and web communication in the target application. These instructions are the Crime Logic. The fraudsters ability to centrally control and dynamically change Crime Logic is what makes it programmable. Fraudsters use Programmable Crime Logic for three main purposes: Information Theft: By using Programmable Crime Logic, fraudsters can add fields to the login or any other page on the web site. They can use these fields to ask for sensitive information such as credentials, contact information and payment card information. The malware then collects this information and transmits it to the fraudsters. Transaction Anomaly Protection Stopping Malware At The Door 3

Drive Victim Actions: To overcome strong security controls (e.g. One Time Password and Transaction Signing), fraudsters use Programmable Crime Logic to fool customers into undergoing security training or device calibration activities. End users are asked to generate a transaction signing key, type an out-ofband OTP or install software on a mobile device. Transaction Tampering: Using Programmable Crime Logic, the malware can alter transactions that are sent by users to the bank s website. For example, malware can add a payee or change the details of a transaction without end user or the bank s knowledge. Crime Logic is dynamic. Fraudsters develop new Crime Logic all the time, making it more sophisticated and more efficient in committing fraud. An infected computer will constantly connect to its C&C server and receive the latest Crime Logic. Programmable Crime Logic Defeats Server-Side Security Controls Programmable Crime Logic based attacks are widely used to commit fraud. Their popularity largely stems from their effectiveness in evading most server side security solutions currently deployed by banks. Geo-Location and Device Identification Many security solutions maintain a list of known user devices and locations. New devices or locations used to access an application raise the risk level of corresponding transactions. This approach is partially effective against offline transaction theft (e.g. Phishing) but ineffective against Programmable Crime Logic, as fraud is executed from end user machines typically leveraging an already authenticated session. Account Profiling Account profiling system is used to track account business transactions and maintain a profile of normal transactions. When users perform an abnormal transaction, the system rates it as risky. Malware, persistently residing on end user machines, monitors user accounts and studies their user profile. It can then carefully craft a transaction that flies under the radar (using normal transaction amounts and payee locations). Even if one attack fails, fraudsters can continue to improve their Crime Logic until they succeed. Transaction Verification/Signing Various transaction verification systems, including those based on SMS text messages and dedicated hardware devices, are constantly bypassed by Programmable Crime Logic through a variety of social engineering tactics. In these attacks, fraudsters change the webpage to include text that convinces users to unknowingly approve fraudulent transactions. Transaction Anomaly Protection Stopping Malware At The Door 4

Two Factor Authentication Systems Two factor authentication systems are easily bypassed, as Crime Logic is executed post login. Once users have been authenticated, fraudsters can control their sessions and tamper with transactions. The Technology of Trusteer Pinpoint Trusteer Pinpoint consists of three main components: a sensor, a cloud service and a harvesting and analysis service. The sensor is the only component requiring integration. The sensor s code is copied to the target web page. It runs as part of the web application and monitors devices accessing sensitive web pages, comparing their behavior with known Crime Logic. Trusteer runs a complex operation in which malware code is obtained through other services that the company operates. The malware code is analyzed by automated and manual processes, and allows Trusteer to extract the Crime Logic hosted by the C&C at any given moment. Trusteer extracts Crime Logic from malware C&C and builds rules that identify infected devices. New rules are constantly developed as Trusteer gains access to new types of malware and to additional malware C&C servers that apply different Crime Logic. When an infected endpoint device visits the bank s website, Trusteer Pinpoint s sensors running as part of the bank s website monitor device behavior during the session, applying preconfigured rules to identify Crime Logic. When a match is found, Trusteer Pinpoint detects the malware type and its impact on the website. For example, Trusteer Pinpoint can provide an alert when it detects a device infected with SpyEye and captures user login information. Infected Device Pinpoint Sensor Website Malwere Behavioral Rules Pinpoint Cloud Service Transaction Anomaly Protection Stopping Malware At The Door 5

Deploying Trusteer Pinpoint Trusteer offers a few deployment options for Trusteer Pinpoint. The most common integration option is using Trusteer s web application library. In this mode, the bank s web application invokes Trusteer Pinpoint library from specific webpages, receives a malware infection indication and adjusts application logic as necessary (such as restricting access). Once integrated, Trusteer Pinpoint immediately starts detecting malware with no learning period required. Trusteer Pinpoint is completely transparent to end users, working silently in the background. The entire process takes less than a second to complete and has no visual impact on the browsing experience. Trusteer Pinpoint supports all browsers and operating systems, including mobile devices, and does not require installation of any software such as Flash, Java or ActiveX. Trusteer Pinpoint Fraud Prevention Methodology Trusteer Pinpoint fraud prevention process consists of three major steps: Step 1: Malware Detection While users browses the bank s web site, Trusteer Pinpoint identifies anomalous behaviors attributed to malware. The detection process delivers the following data: Risk Score - Low Risk: No Malware was identified on the machine - Medium Risk: Anomalous behavior was identified but cannot be conclusively identified as malware - High Risk: Malware was identified but is not currently configured to attack the bank s web site - Very High Risk: Malware is configured to attack the bank s web site Malware Details - Type of Malware: e.g. Zeus, SpyEye. - Attack Type: Credential Theft, Transaction Tampering Transaction Anomaly Protection Stopping Malware At The Door 6

Step 2: Receive Detection Results Results of the detection process are delivered to the bank in any one or all of the following ways: Trusteer Pinpoint API: Once malware is detected, detection results are sent directly to the bank s web application for further processing. Email Feeds: Once malware is detected, an email feed is sent to the recipients that were configured for the bank in the Trusteer Management Application (TMA). Trusteer Management Application (TMA) Reports: A report is displayed in both chart and table formats, showing malware related data detected by the service. Trusteer Flat File Feeds: A flat file with a list of all detection events is sent regularly to the customer Transaction Anomaly Protection Stopping Malware At The Door 7

Step 3: Act on Detection Information to Stop Fraud Upon malware detection, banks can take action as follows: Offline Mark users as infected and recredential for next login Contact infected users for machine cleanup and transaction verification. Trusteer Rapport customers can instruct end users to install Rapport for malware removal. In cases where malware removal cannot take place in a timely manner, users can be instructed to use alternative devices in the meantime. In Real Time Based on transaction business sensitivity and risk scores provided by the Pinpoint API, the following actions can be taken: Restrict Access: Users can be blocked from transacting or performing sensitive operations. Elevate Risk in 3rd Party Risk Engines: When using a risk engine such as RSA Adaptive Authentication or Nice Actimize, it is possible to have Trusteer Pinpoint deliver its data to the risk engine and associate it with specific fraud detection rules. The integration of Trusteer Pinpoint with risk engines is straightforward and supported by APIs from both vendors. Trusteer Pinpoint and Trusteer Rapport: Complementary Solutions For organizations using Trusteer Rapport, Trusteer Pinpoint adds the ability to address users who are unable or unwilling to use client software. Both products complement each other, providing comprehensive coverage of the entire user base. However, the benefit of using both products extends well beyond this. Trusteer Rapport and Trusteer Pinpoint form a complete malware protection suite, detecting malware infected devices and protecting them by blocking and removing malware on the device, making them safe to perform sensitive operations (such as online banking). Transaction Anomaly Protection Stopping Malware At The Door 8

About Trusteer Trusteer is the leading provider of cybercrime prevention solutions that protect organizations against financial fraud and data breaches. Hundreds of organizations and millions of end users rely on Trusteer to protect their computers and mobile devices from online threats that are invisible to legacy security solutions. Trusteer s Cybercrime Prevention Architecture combines multi-layer security software and realtime threat intelligence to defeat zero-day malware and phishing attacks, and help organizations meet regulatory compliance requirements. Leading organizations such as HSBC, Santander, The Royal Bank of Scotland, SunTrust and Fifth Third are among Trusteer s clients. For more information visit: www.trusteer.com. Transaction Anomaly Protection Stopping Malware At The Door 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information