"This form of attack is more dangerous than previous forms of Phishing, which relied on fraudulent websites. Because this attack happens on the customers' own PC and is encrypted, it makes it extremely difficult to detect," said Yuval Ben-Itzhak, the CTO of Finjan, "After the customer fills in the login form on their website and clicks on the 'Log In' button, the crimeware, running on the infected user machine, intercepts the communication. The crimeware sends the intercepted UserID and password to the criminal's server, instead of sending to bank's server. The customer thinks they are still on the bank's website but they are actually sending data to the criminal's server over an encrypted connection. Even though the web page has the "look and feel" of a normal bank page in reality the page is reconstructed in real-time by the crimeware that took over the browser, and is displayed over a pre-established SSL connection. The same technique is used when browsing to several other online financial service providers. Thus, for each financial institution, the crimeware will send a customized set of crafted forms and pages, designed to harvest the specific information needed to log into that particular service (such as 'favourite' questions, memorable date, favourite word, etc.). Naturally, they will have the identical 'look and feel' of the financial institution they are scamming."
The customer's browser does not show any signs that this modified page is suspicious in any way, and the surfing activity appears to be normal. When opening the "secure" icon of the web browser to validate the SSL connection, the valid bank's certificate is presented. Once the victim clicked on the "sign on" button, the data is sent again through a secured session to the criminal's server in the background. After the data was successfully sent to the criminal's site, the original bank's response to the credentials used is presented. It should be noted here that the transmission to the attacker's site is being carried out in parallel in the background, and as such there is no delay whatsoever from the user's perspective.
Worryingly the Crimeware is spread by legitimate websites that have themselves been infected by toolkits that have embedded an iframe placed on the main page of the referring site, which points to the malicious code. Once the main page is loaded by the user's browser the embedded malicious code is loaded as well. This means that unsuspecting users that browse to an infected legitimate site are exposed to malicious crimeware code without even knowing, as the site they are browsing is commonly considered to be safe. From this moment on, the attacker has all the information needed to carry out a criminal activity - including making a direct ATM withdrawal by simply coding the required information onto the magnetic stripe of a blank card, and using the ATM PIN number. Customers of many online banks around the world were found vulnerable.
In addition to the theft of personal and financial data, the crimeware also uses a keylogger to post information back to an attacker host, using an encrypted file containing additional information on the ongoing activity of the PC.
Parting Advice
Cyber criminals are creating increasingly sophisticated crimeware to make sure that - from the victim's point of view - the experience is identical in every way to normal financial transactions. As there are no external indications that the machine has been infected, there is no reason why users should not continue to use the infected machine.
The criminal intent behind these infections is obvious as shown in the report. The use of SSL as a transportation layer for all the malicious activity should be noted as well, since standard security solutions are usually not configured to handle the SSL connections. In other words, a completely covert channel is left open for the crimeware applications to run on.
As attacks become more evasive and obfuscated, security companies find it more difficult to put their hands on malicious code, analyze it in their labs and create a signature for it. Anti-virus, reputation-based services and URL filtering solutions are potentially limited in their ability to cope with evasive attacks, which appear once and then vanish. Moreover, recent estimates indicate that some 80% of malicious code appears on sites categorized as legitimate. The fact that today's malicious code is constantly changing hosting locations is also an inhibitor for URL filtering and reputation services.
"The methods being used by today's cyber criminals can be identified and stopped by real-time content inspection techniques; by security solutions that are able to understand the intent of web content and make a decision on the fly regarding the content," said Ben-Itzhak. "Real-time analysis is required to protect users from malicious code the first time it strikes. By understanding the true intent of web content, Finjan's real-time content inspection technology detects and prevents crimeware despite the propagation techniques and anti-forensic methods in use. This prevents malicious web content from entering the corporate network, protecting enterprises from crimeware that may result in severe business damage."
