Using Traffic Direction Systems to simplify fraud... and complicate investigations!

Similar documents

TRAFFIC DIRECTION SYSTEMS AS MALWARE DISTRIBUTION TOOLS

No. Time Source Destination Protocol Info HTTP GET /ethereal-labs/http-ethereal-file1.html HTTP/1.

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6

Arnaud Becart ip- label 11/9/11

Securing SharePoint Server with Windows Azure Multi- Factor Authentication

Crowbar: New generation web application brute force attack tool

Combating Web Fraud with Predictive Analytics. Dave Moore Novetta Solutions

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Multifactor Authentication

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

Alteon Browser-Smart Load Balancing

Cyclope Internet Filtering Proxy. - Installation Guide -

HTTP Authentication. RFC 2617 obsoletes RFC 2069

DNS Pinning and Web Proxies

Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet

Web Security: SSL/TLS

Botnets. Sponsored by: ISSA Web Conference. October 26, 2010 Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London

Effiziente Filter gegen Kinderpornos und andere Internetinhalte. Lukas Grunwald DN-Systems GmbH CeBIT Heise Forum 2010 Hannover

HTTP/2: Operable and Performant. Mark

Our My first DDoS attack. Velocity Europe 2011 Berlin Cosimo Streppone Operations Lead

TCP/IP Networking An Example

Web Application Forensics:

G-Cloud Service Definition Version 1.0 April Worship Street London, EC2A 2DX Tel: +44(203) Fax: +44(203)

G DATA SECURITYLABS CASE STUDY OPERATION TOOHASH HOW TARGETED ATTACKS WORK

T14 SECURITY TESTING: ARE YOU A DEER IN THE HEADLIGHTS? Ryan English SPI Dynamics Inc BIO PRESENTATION. Thursday, May 18, :30PM

Cyber Security Workshop Ethical Web Hacking

UNMASKCONTENT: THE CASE STUDY

Protocolo HTTP. Web and HTTP. HTTP overview. HTTP overview

Architecture of So-ware Systems HTTP Protocol. Mar8n Rehák

FortKnox Personal Firewall

Manual. Traffic Exchange

Java Web Application Security

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Deployment Guide. Caching (Static & Dynamic) Deployment Guide. A Step-by-Step Technical Guide

Project #2. CSE 123b Communications Software. HTTP Messages. HTTP Basics. HTTP Request. HTTP Request. Spring Four parts

The Dark Side of Trusting Web Searches From Blackhat SEO to System Infection

Rogue DNS servers a case study

MALWARE ANALYSIS 1. STYX EXPLOIT PACK: INSIDIOUS DESIGN Aditya K. Sood & Richard J. Enbody Michigan State University, USA COMMUNICATION DESIGN

Exploring the Black Hole Exploit Kit

Security Testing: Step by Step System Audit with Rational Tools. First Presented for:

*[Bug hunting ] Jose Miguel Esparza 7th November 2007 Pamplona S21sec

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Network Detection Evasion Methods

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

Search engine optimization: Black hat Cloaking Detection technique

Developing Applications With The Web Server Gateway Interface. James Gardner EuroPython 3 rd July

Load balancing Microsoft IAG

Pulse Secure Desktop Client Supported Platforms Guide

Configuring Advanced Server Load Balancing

BCR Export Protocol SHAPE 2012

Cyclope Internet Filtering Proxy

Tidspunkt : : :59 (49 dag(e)) Operativsystem (OS) fordelt på browsere Total: Safari9 ios %

Radware Security Research. Reverse Engineering a Sophisticated DDoS Attack Bot. Author: Zeev Ravid

Pulse Secure Desktop Client

CSCI Computer Network Attacks and Defenses

Protecting the Infrastructure: Symantec Web Gateway

LBL Application Availability Infrastructure Unified Secure Reverse Proxy

Security Analytics The Beginning of the End(Point)

Junos Pulse Supported Platforms Guide

Network Monitoring using MMT:

Method of control. Lots of ways to architect C&C: Star topology; hierarchical; peer-to-peer Encrypted/stealthy communication.

Securing OS Legacy Systems Alexander Rau

CS 213, Fall 2000 Lab Assignment L5: Logging Web Proxy Assigned: Nov. 28, Due: Mon. Dec. 11, 11:59PM

Device Fingerprinting and Fraud Protection Whitepaper

1945: 1989: ! Tim Berners-Lee (CERN) writes internal proposal to develop a. 1990:! Tim BL writes a graphical browser for Next machines.

e Merchant Plug-in (MPI) Integration & User Guide

Using TestLogServer for Web Security Troubleshooting

GET /FB/index.html HTTP/1.1 Host: lmi32.cnam.fr

Collax Web Security. Howto. This howto describes the setup of a Web proxy server as Web content filter.

Authentication and Single Sign-On. Patrick Hildenbrand NW PM Security, SAP AG

Network Security Testing using MMT: A case study in IDOLE project

Rise of the Machines: An Internet-Wide Analysis of Web Bots in 2014

Steps for Basic Configuration

Exploitation of Server Log Files of User Behavior in Order to Inform Administrator

05 June 2015 A MW TLP: GREEN

Pulse Secure Desktop Client Supported Platforms Guide

Penetration Testing with Kali Linux

Using SAML for Single Sign-On in the SOA Software Platform

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

LEVERAGING PROACTIVE DEFENSE TO DEFEAT MODERN ADVERSARIES. Jared Greenhill RSA Incident Response. September 17 th, 2015

Where every interaction matters.

COMP 112 Assignment 1: HTTP Servers

DECLARATION OF PERFORMANCE NO. HU-DOP_TD-25_001

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

Endpoint Business Products Testing Report. Performed by AV-Test GmbH

Pwning Intranets with HTML5

Network Probe User Guide

This document provides the first-priority information on Parallels Virtuozzo Containers 4.0 for Windows and supplements the included documentation.

How to Remotely Access Hikvision Devices User Manual

Errors Log Magento Extension User Guide Official extension page: Errors Log

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Apache Usage. Apache is used to serve static and dynamic content

Symantec Protection Suite Small Business Edition

TP-LINK TD-W8901G. Wireless Modem Router. Advanced Troubleshooting Guide

Transcription:

Using Traffic Direction Systems to simplify fraud... and complicate investigations! Maxim Goncharov

What is web traffic? User Site

Separate Web traffic? Site User Script-in-the-middle Site Site

System to separate traffic? Database Control Panel User Script-in-the-middle Site Statistics Filtering

Traffic Direction System? Database Control Panel Site User Traffic Direction System Site Statistics Filtering Site

Fingerprint referer GET /1/1/typical.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, application/x-shockwave-flash, */* Referer: http://www.trendmicro.com/news Accept-Language: en-us UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;.NET CLR 2.0.50727) Host: www.just-a-stie.com Connection: Keep-Alive browser language OS

Main TDS functionality Traffic Direction System

Main TDS functionality Traffic Direction System Control traffic directions By Browser By OS By Geo location By Time By Referrer

Main TDS functionality Traffic Direction System Control traffic directions Filter non wished traffic By Browser By OS By Geo location By Know IP Subnets By Search Engine Ref. By already seen IPs By Time By Referrer

Main TDS functionality Traffic Direction System Control traffic directions Filter non wished traffic Collect statistics By Browser By OS By Geo location By Time By Know IP Subnets By Search Engine Ref. By already seen IPs For Partnerka For Referrals Into Database By Referrer

Areas of usage. Traffic Direction System Farma Black SEO Exploit Adult SMS

Volume makes money Traffic Direction System

Web User Fraud : <IFrame/> iframe

Web User Fraud : <IFrame/> EN FR iframe DE EN

Web User Fraud : <IFrame/> DE iframe Traffic Direction System EN DE FR ES

Web User Fraud : <IFrame/> + XP DE iframe Traffic Direction System DE DE DE DE 95 XP V 7

Web User Fraud : <IFrame/> DE + XP + iframe Traffic Direction System DE DE DE DE 95 XP V 7 IE MZ IE IE

Malware Vector TDS XP + + DE iframe Traffic Direction System MPack Phenix Eleonore

Malware Vector multi layer TDS iframe Traffic Direction System #1 Eleonore MPack Phenix Traffic Direction System #3 Traffic Direction System #2

Partnerka - Possible fraud Partnerka is an affiliate marketing program, in which the partners are payed off for online distribution of legal or illegal content.

TDS Partnerka - Possible fraud TDS TDS Partnerka is an affiliate marketing program, in which the partners are payed off for exchange of the Web Traffic and its monetization

TDS Partnerka - Possible fraud

TDS Software Web Server Application Database

TDS Software Simple TDS Sutra TDS Crazy TDS Kalisto TDS ILTDS Advanced TDS Keitaro TDS

TDS Software Simple TDS Sutra TDS Crazy TDS Kalisto TDS ILTDS Advanced TDS Keitaro TDS

White to Black Sutra TDS Sutra TDS Sutra TDS Simple TDS Simple TDS

Traffic Fraud using TDS intentional unintentional traffic sold to PPI traffic sold to the traffic market traffic paid as usage fee of the TDS software traffic paid as usage fee of the TDS service stolen traffic

Traffic Fraud using TDS traffic sold to the traffic market User HTTP Request Web Site IFrame TDS sends to Traffic Market HTTP request bought by PPI HTTP Exploit attack the User

Traffic Fraud using TDS stolen traffic User HTTP Request Web Site IFrame TDS sends traffic to the hidden gateway Hidden gateway sale the traffic HTTP Exploit attack the User

TDS for ransomware

Ransomware example crawler US IP Address + en-gb header TDS Direct traffic by Geo IP and Language French IPs Mixed IPs Binary drop page Re-Sale traffic TDS

Ransomware example crawler RU IP Address + ru header TDS Direct traffic by Geo IP and Language French IPs Mixed IPs Binary drop page Re-Sale traffic TDS

Detecting TDS request Analytic Synthetic result

Detecting TDS Analytic

Detecting TDS Analytic IP 85.114.156.56

Detecting TDS Analytic IP 85.114.156.56 EN-US / DE / FR / RU Language

Detecting TDS Analytic IP 85.114.156.56 EN-US / DE / FR / RU Language Browser Mozilla / IE / Safari

Detecting TDS Analytic IP 85.114.156.56 EN-US / DE / FR / RU Language Browser Mozilla / IE / Safari Win95 / WinXP / MacOS OS

Detecting TDS Analytic IP 85.114.156.56 EN-US / DE / FR / RU Language Browser Mozilla / IE / Safari Win95 / WinXP / MacOS OS Date/Time AM / PM / Day / Night

Detecting TDS Synthetic

Detecting TDS Synthetic http://domain.com/path Web Server Structure

Detecting TDS Synthetic http://domain.com/path Web Server Structure Known File Names README.txt Version.TXT

Detecting TDS Synthetic http://domain.com/path Web Server Structure Known File Names README.txt Version.TXT /config/ /logs/ /temp Known Folder Names

Detecting TDS Synthetic http://domain.com/path Web Server Structure Known File Names README.txt Version.TXT /config/ /logs/ /temp Known Folder Names Variable Names GET /go.php?q=1

Statistics: Top 25 Hosts

Statistics: Top 25 Countries

Statistics: Top 25 Cities

Statistics: Top 25 ISPs

Conclusion Traffic Direction Services New form of underground business Really difficult to observe Mixed with legitimate traffic resale Challenge AV industry in investigations/sourcing Combined targeting

Questions?

Thanks! Maxim Goncharov TREND MICRO Inc.

Thanks! Maxim Goncharov TREND MICRO Inc.

Thanks! Maxim Goncharov TREND MICRO Inc.