Man in the browser attack mitigation

Malware such as Neverquest, Zeus or GameOver Zeus is getting more aggressive every day, and the stealthy way it steals money makes it even more dangerous.

The methods used by Neverquest and similar MITB (man-in-the-browser) attacks are described in the following video:

and at the following Wikipedia page: http://en.wikipedia.org/wiki/Man-in-the-browser

In short: by obtaining full control over the client computer, hackers can circumvent any protection, including hardware tokens with a changing code. The latter significantly impedes their task compared with other temporary codes that do not expire, but not enough to deem this measure sufficient. The worst part is that any dialog or input box looks like a part of your website, even over SSL with an EV certificate! All modifications happen to the HTML inside the browser, where your organization no longer has control.

Man-in-the-Browser attacks have dramatically changed the way online banking is done – and this change applies to all banks and financial institutions globally. Usernames, passwords and temporary codes are no longer effective protection in the presence of multiple viruses able to circumvent and intercept them.

The most effective measure against this attack is a secure computer – and since most of your clients cannot afford the time and cost of training to configure a secure computer, you must offer them other options if you want them to stay with you in the long run, rather than going to a competitor (who does not necessarily have better protection for them, but they don’t know that, do they).

The essence of this attack makes it look as if your own website is compromised and your own organization’s security is lacking. This is a very serious reputation issue where your clients lose faith in you and there is nothing you can do on your side to counter their opinion other than customer education.

One of your primary tasks is not only to protect them, but to show how the same attack happens to even the largest banks worldwide, so they could realize that switching to the online banking at another bank will not make them safer, unless they can ensure the security of the computer from which they perform their online banking. They could switch banks every day – and get compromised every day – as long as the malware is still on their system, stealing credentials and sending them to their masters.

The security of their own computer, and the risks for all types of payments while that computer is infected, should be your focus.

Action Plan

Customer education and awareness comes first: your customers should realize that the responsibility for the security of their computer is theirs, just like the security of their money in their own home (or wallet). You, in turn, have a much larger arsenal of knowledge and experience in information security and have a responsibility to share it in the right way, using the right channels, clearly and frequently enough.

You will need the active involvement of your marketing department in this task because of their close relationship with the customers and their good communication skills, translating IT jargon into understandable language for your clients.

Any financial institution has to go through a serious transformation before any significant security measures are applied to its online payment processing systems, such as e-banking. During this period, which usually takes between 3 and 6 months or even more (depending on the quality of your team and the funding available), your organization will need temporary ‘patches’ which still allow payments to go through while lessening the risk of fraud as much as possible.

If malware is hitting your customers and you have no actionable technical measures to mitigate that risk, the only thing left is educating your customers to take their own security into their own hands (as it should be, because a secure computer on their side makes their transactions with any financial institution secure as well).

Change, upgrade and improve the methods of communication with your customers

Banks and social networking are something that just does not mix – even for their marketing teams. If your organization is the same, don’t be ashamed, accept the guilt and start improving yourself. Your customers have to get used to the thought that whatever their question is, your Twitter, Facebook and LinkedIn accounts are always responsive and ready to step in and assist.

Get to your management, get to the marketing management and start pushing them to improve their processes. Relying on e-mail is so 1990, people! Finally, there’s Aweber and Mailchimp for those of you who still rely on e-mail. Do it right. In a crisis your methods of communication have to be already practiced and proven effective. Sometimes you will have just minutes, not days or weeks, to inform all your customers of an impending change, and social networking and e-mail marketing services can do wonders for that.

Have a structured and consistent approach for the education of your clients

Implement a plan for creating security awareness which consistently and consequentially explains their challenge – it cannot be done with one gigantic mail, they simply will not read it. If you have to, print brochures and send them out – use every available communication channel to inform them about the current virus outbreak. Do not make the mistake of telling them your online banking is at risk – tell them that the online banking of institutions across the globe is at risk, because it’s a global problem for every organization – which it is.

Instead of showing panic and haste to save your clients from the risk of banking with you, try turning the tables in your favor and be the bearer of good news – that no matter the global hacking attacks against all banks, you will step up and show your clients the way out with your outstanding technical knowledge and advice – for free, so they can safely bank with any organization they want. Thanking you, they’ll bank with you – because you were the only one to actually show care and understanding of the problem, while everyone else was playing hide and seek with the hackers, burying their heads in the sand.

One major strategic inefficiency which many organizations face is sending out technical messages to their clients without realizing that these messages are received primarily by non-technical personnel, such as accountants – who usually ignore technical advice automatically. Help them by placing a little note saying this advice is for their system administrators or tech support company – they will pass the message along and you will not have written it in vain.

Technical changes for your e-banking system

Usernames and passwords along with TANs are outdated and inadequate compared to modern technical protection measures – and still many organizations choose to use them and hope someone else will get attacked in the sea of banks out there.

[Image: hardware token]

The minimum you can implement is a hardware token generating a new code every 30 seconds. A stronger method of protection is a hardware token which accepts the transaction details as input and outputs a unique 6-8 digit code as a result – this completely eliminates the risk of a Man-in-the-browser attack, but would be a significant inconvenience to your customers, eventually causing more damage than not having it at all.

Another defense that would do the job is the technology described in this whitepaper: http://www.ca.com/~/media/Files/whitepapers/protection-from-mitm-mitb-attacks-wp.pdf

Whichever token you choose, remember: it will not protect your customers from malware. You absolutely must remember that! Viruses will ask your customers to enter unique token numbers or combinations in fake pages, or on their mobiles (smartphones get infected too), and generally the times when a token gave enough security are gone.

Hardened Browsers

There are a few companies doing that; the one I personally recommend is ProMon. While reviewing dozens and dozens of solutions and vendors out there, they are the ones who provide the highest level of protection against financial malware. You can actually go ahead and infect a virtual machine, install their browser, visit a test e-banking account (a test account, not yours!) – or an account with no money on it – and the malware will not be able to inject ANYTHING, and any software keyloggers you might have had will be useless to the attackers. Unfortunately this is something which end-users cannot buy – but you as the financial organization can and … well, you should. Because, compared with the dozens of other huge vendors with humongous pricing, doubtful performance and solutions which you will have to implement for months and months, this one is QUICK to implement and really effective. At least you should give it a test spin.

Content Security Policy

Most web developers have never heard of this, and if yours have not, you can excuse them. People don’t usually need to implement Content Security Policy until it’s really needed; one such case is when your clients are under attack from a banking trojan. As one of the few measures you can actually implement on your side, on the web server, it would be a shame if you didn’t.

Since the instructions telling the browser to trust only your code are delivered in a way which is still modifiable by the attacker, CSP is not a silver bullet – but it will buy you time until they figure out what tools you’re using to counter their attack. As with any technical measure, it can be bypassed if not implemented correctly.

Being a measure which is quick to implement – do it now, but keep in mind that it’s just an additional layer of protection which will be peeled off sooner or later.

Keep in mind that if your website uses a lot of JavaScript you may run into serious usability problems – a CSP without ‘unsafe-inline’ blocks all inline JS, and it will take you quite a lot of time to migrate it to external files. Things like sharing buttons, Google Analytics and similar services might stop working for you as well unless their hosts are explicitly allowed in the policy.
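The migration work this section warns about can be measured before the header goes live. The following audit script is an added example (not code from the original post or any vendor): it lists every inline script block, inline event handler and javascript: URL that a script-src without ‘unsafe-inline’ would block, and collects the third-party script hosts (such as Google Analytics) that the policy would have to allow. The STRICT_CSP baseline and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical strict baseline for an e-banking site: scripts only from our own origin,
# no inline scripts, no plugins. Tighten or extend per site.
STRICT_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'self'; form-action 'self'; frame-ancestors 'none'")


class InlineScriptAudit(HTMLParser):
    """Records everything a script-src without 'unsafe-inline' will block, plus the
    third-party script hosts that would have to be added to script-src."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (line number in the page, description)
        self.external_hosts = set()

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script":
            if "src" in attrs:
                host = urlparse(attrs["src"]).netloc   # empty for same-origin paths
                if host:
                    self.external_hosts.add(host)
            else:
                self.findings.append((line, "inline <script> block"))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append((line, f"inline event handler {name}="))
            elif name in ("href", "src", "action") and value.strip().lower().startswith("javascript:"):
                self.findings.append((line, f"javascript: URL in {name}="))


def audit_page(html):
    """Return (items the strict policy would block, script hosts that must be allowed)."""
    parser = InlineScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings, parser.external_hosts


# Constructed sample page mixing first-party inline code with a third-party script.
SAMPLE_PAGE = """<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>var balance = 1200;</script>
</head><body>
<a href="javascript:void(0)" onclick="share()">Share</a>
<form action="/transfer"><button type="submit">Pay</button></form>
</body></html>"""
```

Run the audit over every template before deploying the header; each finding is a piece of JS to move into an external file, and each host is an entry to add to script-src.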

OOB confirmation

When an attacker fully controls your client’s computer, you have no choice but to use a different communication path with them to confirm and verify transactions. Unfortunately, malware writers upgraded their toolsets long ago and are already using man-in-the-mobile attacks that intercept SMS messages… but that’s a different story for a follow-up post.

Let’s get back to out-of-band confirmation. You could send confirmations for every transaction over a certain limit – say, $100 or $500, depending on the client and the bank – so the client can react quickly and get their money back even if it does get stolen. This method is very effective, but slightly annoying for accountants, who send transactions every few minutes. You should provide an opt-out mechanism and alternative notification methods (account page, e-mail, mobile app, etc.) to confirm transactions with clients.

You could also run an automated telephone system, calling your clients, telling them the details of an impending transaction and requiring them to press 1 to confirm or 2 to refuse it – just an idea. It would be much more expensive than an SMS system and, to say the least, much more annoying.

OOB + OTP

Sending an SMS containing the transaction amount plus a code based on it (e.g. “You initiated a transaction of 10 000 EUR. To confirm, enter code 357 378 zz”) is the most effective solution for the moment.
An example of such a solution is http://www.safenet-inc.com/data-protection/financial-data-security/online-banking-security/financial-fraud-prevention-man-in-the-browser-attacks/
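As an added illustration of both the transaction-signing token described under “hardware token” and the OOB + OTP message above (example code, not the post’s or any vendor’s): the one-time code is an HMAC over the amount and beneficiary, so a code the customer produced for the transfer they saw does not verify for the beneficiary the malware substituted, and the SMS repeats the details the bank actually received. The secret, the IBANs and the message format are constructed assumptions.

```python
import hashlib
import hmac

# Constructed per-customer secret: in production it lives only in the token's secure
# element (or the bank's SMS code generator) and in the bank's HSM. Hypothetical value.
TOKEN_SECRET = b"constructed-per-customer-secret-do-not-reuse"


def canonical_details(amount_cents, beneficiary_iban, currency="EUR"):
    """Serialise exactly the fields the customer types into the token / sees in the SMS,
    normalised so that spacing or case differences cannot change the code."""
    iban = beneficiary_iban.replace(" ", "").upper()
    return f"{currency}|{amount_cents}|{iban}".encode()


def transaction_code(secret, amount_cents, beneficiary_iban, digits=8):
    """Transaction-bound one-time code: HMAC over the transaction details, truncated
    the way HOTP (RFC 4226) truncates, to a short decimal code the customer can type."""
    mac = hmac.new(secret, canonical_details(amount_cents, beneficiary_iban), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def sms_confirmation(amount_cents, beneficiary_iban, secret=TOKEN_SECRET):
    """OOB + OTP variant: the message repeats the details the bank actually received,
    so a customer whose browser showed a different beneficiary can simply refuse."""
    code = transaction_code(secret, amount_cents, beneficiary_iban)
    tail = beneficiary_iban.replace(" ", "")[-4:]
    return f"You initiated a transfer of {amount_cents / 100:.2f} EUR to ...{tail}. To confirm, enter code {code}"


def bank_verifies(secret, amount_cents, beneficiary_iban, submitted_code):
    """Server side: recompute the code from the details the server received, never
    from what the browser claims the customer saw."""
    expected = transaction_code(secret, amount_cents, beneficiary_iban)
    return hmac.compare_digest(expected, submitted_code)


def mitb_scenario():
    """Customer signs a 1000 EUR transfer; malware swaps the beneficiary for a mule
    account before submission and replays the code. Returns (honest_ok, tampered_ok)."""
    amount, intended = 1000_00, "DE89 3704 0044 0532 0130 00"   # constructed IBANs
    code = transaction_code(TOKEN_SECRET, amount, intended)
    mule = "DE75 5121 0800 1245 1261 99"
    return (bank_verifies(TOKEN_SECRET, amount, intended, code),
            bank_verifies(TOKEN_SECRET, amount, mule, code))
```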

ModSecurity WAF helps mitigate the man-in-the-browser attack (to some degree)

As described at http://blog.spiderlabs.com/2013/07/modsecurity-advanced-topic-of-the-week-detecting-banking-trojan-page-modifications.html, you can configure your web server with ModSecurity to check the integrity of the web pages served to your clients’ browsers. As the article says, you can’t rely on it 100% – but you can use it for fraud detection if the attackers decide to strip your verification measures: when the signatures of those measures are missing from what comes back, you have a fraud alert!

Technical measures applicable to your customers

  • Not all protection measures are suitable for all customers. One method which is 100% effective for those with more powerful computers is Sirrix – http://www.sirrix.com/content/pages/bitBox_requirementstoinstall.htm. Essentially, this is a browser exported from a VirtualBox virtual machine into the Windows desktop. Try exploiting that, Mr. Hacker?
  • For those with slower computers I can recommend a solution which is not as secure, but a little bit easier to install and more user-friendly: BitDefender Safepay – http://www.bitdefender.com/solutions/safepay.html
  • Yet another relatively secure way to do online banking – albeit not practical and rarely ever used by real people who are not complete computer nerds – is a separate, “clean” computer exclusively for online banking (or a virtual machine, but did we already exclude the computer nerds?).
  • A hardened browser on a flash drive – this measure can accomplish good results in some cases. Given the rapid reaction of hackers to mitigation measures, this method of protection cannot be considered 100% effective, like most others suggested here.
  • Anti-virus system based on behavior analysis. Many of your e-banking clients will not have *ANY* antivirus – so what about an advanced one? Most AV vendors rely on signatures – only a few, such as Webroot, rely on behavior analysis, and you should definitely give it a try, because a signature-based AV cannot detect new, unknown viruses and malware. The existence of an antivirus system does not guarantee protection – the success rate for detection of a virus of this kind is not more than 23%.

Detection of Fraudulent Transactions

Fraud detection software, especially for banks, is ungodly expensive. A bank can generally afford it, though. But if you can’t – you have to do it manually. A cheap and effective approach is to hire (if you don’t already have one) a programmer with a mathematical, statistical and database background, who will be able to develop rules to put transactions in a ‘waiting’ list for manual review or direct cancellation.
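One shape such rules can take, as an added example that is not part of the original post (the customers, beneficiaries and thresholds are constructed): a triage function that parks first-time payments which dwarf a customer’s usual amounts for manual review, and cancels transfers when one beneficiary suddenly receives first-time payments from several customers at once, the footprint a trojan campaign leaves when it redirects many victims to a single mule account.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data. HISTORY: settled transfers per customer as (beneficiary, EUR).
HISTORY = {
    "cust-A": [("BENE-1", 120.0), ("BENE-1", 135.0), ("BENE-2", 80.0), ("BENE-1", 110.0)],
    "cust-B": [("BENE-3", 2400.0), ("BENE-3", 2600.0), ("BENE-4", 2500.0)],
    "cust-C": [("BENE-5", 60.0), ("BENE-5", 70.0)],
}
# Today's outgoing queue: (txn_id, customer, beneficiary, EUR, submitted_at).
QUEUE = [
    ("t1", "cust-A", "BENE-1", 125.0, datetime(2014, 3, 1, 9, 0)),
    ("t2", "cust-A", "MULE-X", 4900.0, datetime(2014, 3, 1, 9, 5)),
    ("t3", "cust-B", "MULE-X", 4800.0, datetime(2014, 3, 1, 9, 40)),
    ("t4", "cust-C", "MULE-X", 950.0, datetime(2014, 3, 1, 10, 10)),
    ("t5", "cust-B", "BENE-3", 2550.0, datetime(2014, 3, 1, 11, 0)),
    ("t6", "cust-C", "BENE-9", 250.0, datetime(2014, 3, 1, 11, 30)),
]


def triage(queue, history, ratio=3.0, mule_customers=3):
    """Return {txn_id: (decision, reasons)} with decision APPROVE, REVIEW or CANCEL.

    Rule 1 (REVIEW): first payment to a beneficiary and amount > ratio * the customer's
    median past transfer (a customer with no history gets reviewed on any amount).
    Rule 2 (CANCEL): one beneficiary receiving first-time payments from >= mule_customers
    different customers in the same queue, the mule-account pattern of a trojan campaign."""
    known = {c: {b for b, _ in past} for c, past in history.items()}
    typical = {c: median(a for _, a in past) for c, past in history.items() if past}
    first_timers = defaultdict(set)
    for _, cust, bene, _, _ in queue:
        if bene not in known.get(cust, set()):
            first_timers[bene].add(cust)
    decisions = {}
    for tid, cust, bene, amount, _ in sorted(queue, key=lambda t: t[4]):
        reasons = []
        new_bene = bene not in known.get(cust, set())
        if new_bene and amount > ratio * typical.get(cust, 0.0):
            reasons.append("first payment to beneficiary, amount far above customer's usual")
        if len(first_timers[bene]) >= mule_customers:
            reasons.append("beneficiary new to several customers at once (mule pattern)")
        if any("mule" in r for r in reasons):
            decision = "CANCEL"
        else:
            decision = "REVIEW" if reasons else "APPROVE"
        decisions[tid] = (decision, reasons)
    return decisions
```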

For now, the most effective (and most expensive) method is detecting fraudulent transactions and suspicious behavior by monitoring user behavior in the browser. By analyzing mouse movements and clicks or keyboard keystrokes, you can develop automated methods for detecting fraudulent transactions and distinguishing them from normal user behavior. An example of such a solution is http://www.entrust.com/wp-content/uploads/2012/07/DS_EntrustTransactionGuard_web_Feb2014.pdf