FSOEP Web Banking & Fraud: Corporate Treasury Attacks

Similar documents
Protecting Your Organisation from Targeted Cyber Intrusion

WEB ATTACKS AND COUNTERMEASURES

How To Protect Your Online Banking From Fraud

Targeted attacks: Tools and techniques

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

September 20, 2013 Senior IT Examiner Gene Lilienthal

SPEAR PHISHING UNDERSTANDING THE THREAT

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Malicious Network Traffic Analysis

The Top Web Application Attacks: Are you vulnerable?

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

ACH AND WIRE FRAUD LOSSES

Property of Secure Network Technologies-Do Not Distribute or Post Without Written Permission-Copyrights and Trademark Apply

Security Bank of California Internet Banking Security Awareness

Transaction Anomaly Protection Stopping Malware At The Door. White Paper

Remote Deposit Quick Start Guide

CYBERTRON NETWORK SOLUTIONS

Security Evaluation CLX.Sentinel

IBM Protocol Analysis Module

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Defending Against Data Beaches: Internal Controls for Cybersecurity

IBM Security Strategy

A Decision Maker s Guide to Securing an IT Infrastructure

IT Security Risks & Trends

Application Security Best Practices. Wally LEE Principal Consultant

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Your security is our priority

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Computer and Network Security Policy

The Key to Secure Online Financial Transactions

Where every interaction matters.

Overview of the Penetration Test Implementation and Service. Peter Kanters

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Questions You Should be Asking NOW to Protect Your Business!

Spear Phishing Attacks Why They are Successful and How to Stop Them

Under the Hood of the IBM Threat Protection System

Analytics, Big Data, & Threat Intelligence: How Security is Transforming

Why The Security You Bought Yesterday, Won t Save You Today

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

Fraud Detection and Prevention. Timothy P. Minahan Vice President Government Banking TD Bank

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks

RSA Security Anatomy of an Attack Lessons learned

Web Engineering Web Application Security Issues

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

OWASP Top Ten Tools and Tactics

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

Business ebanking Fraud Prevention Best Practices

Innovations in Network Security

SK International Journal of Multidisciplinary Research Hub

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Payment Fraud and Risk Management

Fighting Advanced Threats

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Don t Fall Victim to Cybercrime:

ZNetLive Malware Monitoring

Web Application Security

What Do You Mean My Cloud Data Isn t Secure?

Prevent Malware attacks with F5 WebSafe and MobileSafe. Alfredo Vistola Security Solution Architect, EMEA

MITIGATING LARGE MERCHANT DATA BREACHES

Corporate Account Take Over (CATO) Guide

Common Security Vulnerabilities in Online Payment Systems

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Cyber Security Presentation Cyber Security Month Curtis McNay, Director of IT Security

2012 Global Threats and Trends

When less is more (Spear-Phishing and Other Methods to Steal Data) Alexander Raczyński

Cloud Security:Threats & Mitgations

THE ROLE OF IDS & ADS IN NETWORK SECURITY

Basic Security Considerations for and Web Browsing

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Presented by:!!dave Kennedy (RELIK)"!!!!!Ryan Macfarlane "

Phishing for Fraud: Don't Let your Company Get Hooked!

Business Internet Banking / Cash Management Fraud Prevention Best Practices

Attackers are highly skilled, persistent, and very motivated at finding and exploiting new vectors. Microsoft Confidential for internal use only

Rational AppScan & Ounce Products

CUSTOMERS & CRIMINALS: USE WEB SESSION INTELLIGENCE TO DETECT WHO IS WHO ONLINE

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

Protect Your Business and Customers from Online Fraud

Botnets: The Advanced Malware Threat in Kenya's Cyberspace

Using big data analytics to identify malicious content: a case study on spam s

Course Content: Session 1. Ethics & Hacking

Advanced Persistent Threats

Transcription:

FSOEP Web Banking & Fraud: Corporate Treasury Attacks

Your Presenters Who Are We? Tim Wainwright Managing Director Chris Salerno Senior Consultant Led 200+ penetration tests Mobile security specialist Speaker at RSA efraud Forum and ISC(2) DLP / data protection strategy 150+ penetration tests including Financial Web Applications Mobile application specialist Researcher and director of content and knowledge management

Banking & Corporate Treasury Fraud Today s Discussion General Fraud Statistics Corporate Treasury Attack Lifecycle Exploitation Techniques Common Vulnerabilities Covering Tracks Defending & Monitoring Q&A

Statistics 2012 Business Banking Trust Study 75% of participating businesses experienced online ATO and/or fraud 54% increase in businesses accessing online banking from mobile devices. 43% of banks did not change security practices at all following a fraud. 40% of businesses said they have moved their banking activities elsewhere after a fraud incident 72% of businesses still feel that their institution should be ultimately responsible for securing online accounts 70% of businesses that suffered fraud losses were not fully reimbursed by their financial institution. Source: Ponemon Institute

Banking Fraud Attacker Lifecycle Identify corporate targets Get Caught? Stage Attack (Waterhole, Spear-phish) Transfer Funds Exploit

Reconnaissance Building a Target List Google search to obtain the email address format

Identification Building a Target List Use free services to create a list (Jigsaw, Google, LinkedIn, etc)

Exploitation Techniques: Watering Hole ID Targets Discover Vulnerability Exploit Vulnerability Wait for Victims 1. The attacker identifies and profiles who they want to target 2. Attacker tests and identifies sites for vulnerabilities 3. Attacker injects JavaScript redirection code into the site 4. Attacker waits for victims to visit the website. Once someone visits, they are prompted to run malicious Java code, download malware or are redirected to a malicious site. 5. The attacker can redirect the user to a replica banking site that captures customer banking credentials

Exploitation Techniques: Spear Phishing ID Targets Compile Exploits Send Phishing Attack Wait for Victims 1. The attacker identifies and profiles who they want to target 2. Attacker identifies a flaw in common 3 rd party or Operating System software such as Java or Windows 3. Attacker sends a convincing phishing attack to the victim s that may include a custom domain name and malicious replica site. 4. Attacker waits for victims to click the link inside the email and gain full control over the victim machine. 5. Once full control is obtained, the attacker can run a keystroke logger that captures banking credentials

Case Studies Good Examples! EMI v. Comerica Bank $1.9mm in fraudulent transactions, 560k reimbursed by bank Bank should have detected volume and anomalies Comerica s client were experience phishing attacks Village View Escrow v. Professional Business Bank Settlement > 400k (more than actual losses!) 26 unauthorized wire transfers Simple user name and password login for bank website Hackers disabled email alerts No procedures to recover funds (incident response)

Exploitation Techniques: Man in the Middle Connect to Network Spoof and Sniff Traffic Banking Login Capture Password 1. Attacker connects to the same network as a victim (airport, coffee shop, home, local office network) 2. Attacker spoofs and sniffs traffic between the victim and the Internet 3. Victim visits treasury sites and systems not protected against MiTM attacks. 4. Attacker captures banking login credentials

Hiding Tracks Techniques: Denial of Service Compromise Target Transfer Money Confuse Victim Perform DDoS 1. Attacker obtains access to victim workstation and online banking site through an exploitation technique 2. Use Mule s to initiate transfers for money from the victim to an offshore account. 3. Use access to victim s machine to prevent them from accessing their bank account 4. Perform a Distributed Denial of Service (DDoS) attack on the victim s banking site to mask the money transfers and prevent others from authenticating

Case Studies Legal Lessons PATCO v. Ocean Bank Originally ruled for bank, but appealed and settled for undisclosed amount ATO was not prevented due to one size fits all controls Dispute over simple user name and password login for bank website. Originally, court found it adequate. Article 4A: banks typically liable for losses in unauthorized transfers

Exploitation Common Attacks Using Your Resources Against You Cross-site Scripting (XSS) URL Redirection Social Engineering Your employees (Helpdesk, Support) Insider Jobs Your 3 rd parties (hosting and service providers, partners) Banking Specific Trojans Zeus / Spyeye Citadel Guass Gozi

Exploitation Exploits Used in 2011 / 2012 Exploit Pack Java Exploit Adobe Exploit Microsoft Exploit Blackhole X X X Kein X X Sakura X Nuclear X Redkit X Neosploit X Gong DA X X X Sweet Orange X Crimeboss X Cool Pack X X Phoenix X X Source: Deepend Research (2012)

Defending and Monitoring Spear-phishing controls Desktop Controls Patch the operating system and browsers Update 3 rd party apps (Java, Flash, etc) Email Filter Don t allow risky attachments Executables, scripts, PDF s with java code, office documents with macros Web Proxy Restrict known unsafe sites, be proactive Firewall & IDS/IPS Restrict outbound traffic on unknown ports Baseline and alert on anomalies Advanced malware detection Firewall & IDS/IPS Web Proxy Email Filter Desktop Controls

Defending and Monitoring Hardening Cash Mgmt Systems Treasury & Cash Management Systems Segment / isolate banking workstations Increase workstation logging and monitoring Additional security software Secure password management software for users Limited outbound access Banking Partners Strong authentication to treasury systems and bank websites Trusteer or custom from the bank Whitelisted payees / confirmations from bank Procedures Do reconciliation frequently Expect attacks to be staged on Friday and carried out over the weekend

Q&A You Ask, We Answer

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information