RSAC 2015: Prevention is Not Dead
IBM Security’s Senior Fraud Prevention Strategist Etay Maor presented on Major Cyberfraud Innovations of the Last Twelve Months, primarily reporting on Dyre, the banking malware that has persisted month after month during 2014.
Maor made the point that you don’t have to be super technical or knowledgeable in order to carry out attacks, as long as you ask the right questions - there’s always someone willing to answer your hacking questions in underground forums.
In 2014, a few major malware families were prevalent, but most types of malware declined in the number of attacks over time. While malware usually spikes and then drops off after it’s noticed, Dyre has continued to work persistently over the past year.
Maor noted that attackers are moving out of the cloud, meaning they are no longer targeting banks’ websites hosted in the cloud; instead they target users’ computers and never touch the bank’s website. Criminals are also stealing credentials from login pages and users, which prove more valuable, as they allow malicious hackers to move throughout the environment undetected.
After a victim’s machine is infected with malware, the next time the user navigates to an online banking website their credentials and any other personally identifiable information (PII) are sent to the criminal. The criminal then logs onto the online banking site and transfers money to a mule account.
Endpoint solutions that protect devices and can detect whether a device has been compromised by malware help reduce the success rate of these attacks. Account takeover detection can also flag a user who is behaving oddly (making large wire transfers, adding new devices, etc.), which is especially useful when attackers hold legitimate credentials.
Then Maor did a video demo and data visualization of an account takeover case over a three month period, mapping four different users and their activity/devices they used to connect to online banking websites and accounts.
First, a malicious hacker sold the credentials he stole; then the accounts became connected with new and different devices. His data visualization showed one device accessing multiple accounts over the course of 24 hours, which should have told security officials that something unusual was happening.
Dyre malware also has security mechanisms of its own, including a watchdog process: if the malware is being tampered with, it downloads a fresh copy of itself. It also has authentication controls in place; its Command and Control (C&C) traffic is encrypted, and it refuses to accept commands from a new, unknown C&C server.
It also checks that it is infecting a real user’s device and not just a test machine used by a security researcher, by inspecting the hard drive and whether the device is a virtual machine. Since researchers often use virtual devices for testing, the malware avoids these types of devices in order to evade detection. The malware also reboots an infected device, installs a lightweight Linux kernel, removes any security software it doesn’t like, and then reboots the device again without those security solutions.
Maor also covered a new wave of ransomware attacks, including Cryptolocker, which has collected nearly 24 million in ransom money; ransomware infects databases and encrypts websites until the attackers are paid to decrypt them.
To protect against malware infection and breach success, he suggests putting detection in place that relies on cross-channel event correlation. Connecting the dots between data that monitors unusual user and device behavior can help organizations spot criminal activity faster and move to secure their networks. He also recommends real-time mitigation, not just response after a breach has already happened.
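The kind of cross-channel correlation described here, and the one-device-many-accounts pattern from the demo, can be sketched in a few lines. The following is an added example, not code from the talk or from IBM; the event records, field names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of online-banking events (not real data).
# Fields: timestamp, account, device_id, action, amount (wires only).
EVENTS = [
    ("2015-03-01T08:00:00", "acct-1001", "dev-A", "login", 0),
    ("2015-03-01T09:10:00", "acct-1002", "dev-A", "login", 0),
    ("2015-03-01T10:30:00", "acct-1003", "dev-A", "login", 0),
    ("2015-03-01T10:35:00", "acct-1003", "dev-A", "wire", 15000),
    ("2015-03-02T08:00:00", "acct-1001", "dev-B", "login", 0),
    ("2015-03-05T12:00:00", "acct-1004", "dev-C", "login", 0),
]

WINDOW = timedelta(hours=24)
MAX_ACCOUNTS_PER_DEVICE = 2   # assumed threshold for a shared device
LARGE_WIRE = 10000            # assumed threshold for a large transfer


def correlate(events):
    """Emit alerts for new devices, shared devices and large wires."""
    alerts = []
    known_devices = defaultdict(set)   # account -> devices seen so far
    device_hist = defaultdict(list)    # device -> [(time, account), ...]
    for ts, account, device, action, amount in sorted(events):
        t = datetime.fromisoformat(ts)
        if device not in known_devices[account]:
            # The first device seen is treated as enrolment, not an alert.
            if known_devices[account]:
                alerts.append(("new_device", account, device))
            known_devices[account].add(device)
        if action == "login":
            hist = device_hist[device]
            hist.append((t, account))
            recent = {a for t0, a in hist if t - t0 <= WINDOW}
            if len(recent) > MAX_ACCOUNTS_PER_DEVICE:
                alerts.append(("shared_device", device, tuple(sorted(recent))))
        if action == "wire" and amount >= LARGE_WIRE:
            alerts.append(("large_wire", account, amount))
    return alerts


def risky_accounts(alerts):
    """Accounts with two or more distinct alert types: the 'connected dots'."""
    signals = defaultdict(set)
    for kind, subject, detail in alerts:
        accounts = detail if kind == "shared_device" else (subject,)
        for acct in accounts:
            signals[acct].add(kind)
    return {acct for acct, kinds in signals.items() if len(kinds) >= 2}
```

A single alert on its own is noisy; the accounts returned by `risky_accounts` are those where device and transaction signals line up, which is the point of correlating across channels rather than alerting per event.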
“Prevention is not dead.”