In May of this year, the K Department of the Ministry of Internal Affairs of Russia, with the assistance of Group-IB, detained a 32-year-old resident of the Volgograd region, who was accused of embezzling money from clients of Russian banks using a fake Internet banking application that turned out to be Android malware. -troyan Every day, with its help, from 100,000 to 500,000 rubles were stolen from users. Some of the stolen money was transferred to cryptocurrency for further cashing and concealment of fraudulent activity.
Analyzing the “digital traces” of the committed thefts, Group-IB specialists found out that the banking Trojan used in the criminal scheme was disguised as the “Banks in the palm” financial application that acts as an “aggregator” of mobile
banking leading banks in the country. It was possible to download all your bank cards to the application so as not to carry them with you, but at the same time be able to view card balances based on incoming SMS for all transactions, transfer money from card to card, pay online services and purchase in online stores .
Interested in the capabilities of the financial aggregator, bank customers downloaded the Banks in the Palm app and entered their card details. The launched Trojan sent the data of bank cards or logins / passwords to enter the Internet bank on the server to attackers. After that, the criminals transferred money to pre-prepared bank accounts in amounts from 12,000 to 30,000 rubles. for one transfer, entering the SMS confirmation code of the operation intercepted from the victim's phone. The users themselves did not suspect that they were victims of cybercriminals - all SMS transaction confirmations were blocked.
Text: Pavel Krylov, Head of Product Line Development
Secure Bank Group-IB
At the moment, the “market” of banking Android Trojans is the most dynamic and fastest growing. According to the Group-IB report for 2017, the damage from malware under Android OS in Russia increased by 136% compared with the previous reporting period - it amounted to $ 13.7 million. This figure covers the damage from Trojans for personal computers by 30%.
Basic schemes for theft through DBO: why antiviruses do not work
Group-IB criminologists identify seven common theft schemes that cybercriminals use when attacking remote banking systems:
1) social engineering;
2) transfers from card to card;
3) transfers through online banking;
4) interception of access to mobile banking;
5) fake mobile banking;
6) purchases using Apple Pay and Google Pay;
7) theft through SMS-banking.
The usual means of anti-virus protection are practically useless against such theft schemes. For example, in the case of using social engineering, when a client caught “at the bait” believed the fraudster and independently transferred money to his account (i.e., “hacked” the person himself), or when the victim is extorted details from an external device, the antivirus does not help
The last echelon of protection is antifraud. Most antifraud systems are concentrated on analyzing transactional information or data that comes directly to the bank’s servers (client’s IP address, information about its browser, speed of work in a web or mobile application, etc.). If we consider that fraud as such is a process that includes not only the time of the transaction, but also the stages of preparation and
Withdrawal of funds, it becomes obvious that transactional anti-fraud systems “close” only a limited range of fraudsters.
Gartner analysts identify five levels of fraud prevention. We analyze and analyze each of them in detail:
1) analysis of the user's device (infected devices, device identification);
2) monitoring user actions at the session level (anomalies in the user's work: navigation, time, geography);
3) behavioral analysis of the user in a particular channel (what actions are performed in the channel? How (behavior)? Who commits them?);
4) cross-channel analysis of users and their behavior (analysis of user behavior in different channels, data correlation);
5) analysis of the relationship between users and accounts (behavior on different resources, the global profile of the client).
First level: we analyze the user's device
This level of fraud prevention includes all client protection technologies (endpoint protection technologies), such as antiviruses, tokens for generating electronic signatures, two-factor authentication tools, additional means of device identification, etc. The same level includes biometric means of identification by voice, fingerprint or face.
One of the clearest examples of attacks on RBS systems was the activity of the Lurk group, which at the end of its “career” in 2016 reached a rather impressive scale: about 50 people worked for it. Starting with avtozaliva for desktop versions of remote banking (thick client), at the end of 2014 she implemented this method of theft for Internet banks (thin clients who do not require installation on a user's PC), which significantly expanded the scope of grouping activities. The client made a payment with the same details of the beneficiary, but this payment already came to the bank with the details of the Trojan program. Many experts still recognize this type of attack as the most dangerous one, since it allows you to manipulate its behavior and data at the thinnest level directly from the client device. How did this happen?
The Trojan was injected directly into the client’s browser and made changes to its code in memory, which made it possible for the client to visit the official website of the bank to intercept and modify the original HTML pages in the way necessary for the fraudster, even when using an HTTPS connection.
In fig. 1 shows an example of a malicious injection that was added by a trojan to the page code. Gray lines are the URLs through which the script interacted with the scammer's command servers, where logins / passwords, balances and other information were sent, and the scam's payment details were sent in response to replace the client’s original payment.
Fig. 1 Script introduced by Trojan to the original page of the Internet bank in the client’s browser.A less sophisticated but effective way to steal money is to remotely control a client's device (Figure 2). After automated collection using keylogger-program (literally "key interceptor") all the necessary logins / passwords, PIN from tokens, etc. the fraudster, via remote control, connects to the client device (Fig. 3) and creates a fraudulent payment directly from the client device and on its behalf.
Fig. 2. An example of the interface of a computer infected with Ranbayas Trojan
Fig. 3. Implementing a VNC remote control program in ExplorerSo what technologies of fraud prevention exist at the first level? First of all, those that allow you to effectively detect remote control when working in RBS systems using several independent methods. However, they do not require the installation of additional software on the client device.
Also, the technologies and solutions that identify the device and the user belong to the category of technologies at the first level. This allows you to collect and analyze information about the devices used by a particular client (on the left in Fig. 4 is a fragment of the graph of the relationship between the accounts and the devices they use). For example, the appearance of an unknown device in a client previously known to us is an important factor for deciding to suspend payment and conduct additional control procedures.
Fig.4. Graphic links between accountsIn fig. 4 on the right shows another example of identifying a device for proactive detection of legal entities intended for money laundering. In this example, bank employees identified a company that was involved in money laundering (the lower part of the graph to the right) using a financial analysis. Additionally, by identifier of a legal entity, you can get the identifiers of the devices that they used (center of the right column). And then all the other accounts that were used from the same devices (the upper part of the right column) and from which the identified "launderer" worked. It fits very well into the nature of the work of scammers. A fraudster always has companies in stock that have not yet been used for money laundering. The bank should focus on the operations of the identified legal entities.
Second level: we monitor user actions
At this level, it analyzes what a person does directly during a session in a remote banking system or another system. At this level, we can identify abnormal user behavior, or typical scenarios of the fraudster. In particular, such an analysis already makes it possible to increase the efficiency of detecting fraud using social engineering (that is, when a fraudster uses the gullibility, carelessness or lack of awareness of the user to lure information from him or force him to take actions beneficial to the fraudster).
For example, a common case is the luring of card details and SMS codes in the process of buying expensive goods through popular ad sites under the pretext of making a deposit. In fact, the fraudster uses this data to go through the registration procedure in the RBS and to gain access to the victim’s accounts. A real example of such a scenario is presented in Fig. five.
Fig. 5. Passing the registration procedure of the fraudster in the RBS and getting access to the accounts of the victim.Analysis of the sequence of steps performed by the user in the RBS, allows you to identify the scenario described above. This process takes into account the results of the work of technologies of the first level (analysis of the user's device): which device was used, is it typical for this client, has the geography changed; the session time is taken into account and, additionally, the script used by the fraudster.
This is also applicable to other scam schemes. For example, some scenarios of the work of "launderers" are revealed by a similar method. It is clear that only by behavioral characteristics can not be traced far from all cases of money laundering. For example, if a company is engaged in transit, then just one behavior analysis - what a person does in Internet banking - will not be enough to understand whether this is a transit payment or a standard one. But most cases still make it clear that something abnormal is happening, and most likely this activity is fraudulent.
Fig. 6. Preparation for the implementation of the fraudulent scheme: the entrance of more than 100 legal entities with a request to issue a bank card.So, on fig. 6 on the right is an example when one device entered under more than a hundred accounts of legal entities, the only activity of which was to request a bank card and expand its limit. As it was confirmed later, the base of cards for money laundering was prepared in this way. Also, the problem of bots can be attributed to the second level. If the customer does not have any bots protection system, then, as a rule, very primitive bots (go directly to the API) perform all the necessary actions (brutforce, password-check), bypassing the bank’s web application. But there are more "clever" bots used by fraudsters to bypass the anti-bot-defense.
These bots mimic the user's work. Often botnets are used for this. That is, the work of bots is distributed, and not concentrated in any particular hosting. Such bots are identified by the scenarios of their work on the sites and the nature of the action. This brings us smoothly to the third level.
The third level: analyze the behavior of the user in a particular channel
If at the second level we analyze what the user is doing in the system, then at the third level it is additionally analyzed how the user performs certain actions. Let us show it on a real example (Fig. 7).
Fig.7. Comparison of work in the system of a legal user and a fraudster: identification of uncharacteristic and suspicious actionsIn the upper part of the figure, the sequence of actions of a legal user is visible. That is, he enters the page for accessing the RBS system, uses the upper numeric keypad to enter the login and password, then clicks "Enter." In the lower part of the figure, there is a typical variant of the work of a fraudster who collected usernames and passwords in some way, for example, using fake (phishing) sites or using a trojan. He has a whole base of them. Naturally, the fraudster does not reprint his data, but copies them from the clipboard when entering the RBS. And it can be clearly seen in the screenshot.
In addition, all methods of analyzing the device and user behavior described at the previous levels are used. At this level, machine learning algorithms are actively used. One of the clearest examples is the use of such biometric technologies as keyboard and cursor handwriting, which take into account the behavioral character and habits of the user in the system. In fig. 8 shows the scenario of using keyboard handwriting on the user authorization page “captured” from the Group-IB Secure Bank system.
Fig.8. The scenario of using keyboard handwriting on the user login page.
On the graph along the axis, the accumulated handwriting of a legitimate user is highlighted when entering a username and password. More noticeable fluctuations characterize the cheater's keyboard writing. It can be seen that the keyboard handwriting is different. Above the graphs are two integral assessments of the differences between them. The values of the estimates exceed the established thresholds, which indicates a behavior that is not typical for a legitimate user.
The combination of the listed behavioral analysis technologies makes it possible to identify fraud committed using social engineering. Also, these technologies can reduce the number of false positives of transactional antifraud systems. For example, with an accuracy of 91%, it turned out to discard 78% of the false positives of the transactional anti-fraud system in cases of social engineering, which substantially frees up the internal resources of the bank, including from the mass of calls from irritated customers.
Fourth level: we implement cross-channel analysis of users and their behavior
At the fourth level, technologies are used to analyze and correlate data about the user's behavior on his devices when working through various channels of interaction with the bank.
How effective it is - we will demonstrate in one of the real cases, the graphic links for which are shown in Fig. 9.
Fig. 9. Graphic links showing the user's work with various devices, among which there is a fraudster device.Initially, the fraudster was discovered on a mobile device. He used a mobile trojan to collect logins and passwords, payment card details and intercept SMS confirmations from the bank for making unauthorized payments. An analysis of the links between the accounts and the devices they use made it possible to detect the mobile device of the fraudster, which is shown in the center and at the bottom of the picture in the account cloud. As you can see, only part of compromised accounts previously worked through the mobile application. Another significant part of the identified accounts was previously used in Internet banking. Later it turned out that the same scammer used social engineering methods to compromise them. Also identified is the fraudster device, which he used to access the victims' online bank. Their group stands out in the upper left of the figure.
The fraudster erased the history of the browser after consistent use of 3 to 8 accounts, trying to cover traces of their work. But all devices had the same digital footprint (recall level 1). It was through this scam device that other victims were identified. Moreover, through this analysis of connections, a case has surfaced when a fraudster, using social engineering methods, “threw up” the victim for an express loan with the subsequent theft of loan funds.
In this example, we can summarize the following results:
- first, cross-channel analysis of theft attempts using mobile Trojans made it possible to detect and prevent attempts of theft that are not related to the malicious code, but are performed using social engineering;
- secondly, he also helped to build a complete picture of the work of the fraudster and prevent theft from the entire client base, regardless of the remote banking channel;
- thirdly, we obtained more data for further investigation.
That is why, if now there are very few banking Trojans for desktop computers or iOS, or even they are absent, it is necessary to log and correlate the work of users through these channels, as it allows an order of magnitude wider view of the overall picture of users and, as a result, increase the effectiveness of countering fraud .
Fifth level: analyze the relationship between the user and accounts
The fifth level is a continuation of the fourth level, that is, the analysis of data on the behavior of the user and his devices is carried out not only within one specific bank, but more widely - between banks, e-commerce, offline operations, etc. This is the most difficult, but at the same time the most powerful level of counteraction to fraud, since it allows not only to stop the same type of actions of fraudsters in different organizations, but also to prevent the common chain of actions of the fraudster, which he conducts through different organizations.
Fig. 10. An example of fraud in Bank A: the entire pool of accounts and devices can be analyzed in other banks (Bank B)For example, the same scammers are engaged in money laundering. Despite the fact that they change the legal entities that they manipulate, they work from the same arsenal of computers and other equipment. If fraudulent activity was identified in one bank (in Fig. 10 Bank A), then the entire pool of accounts and devices can be analyzed in other banks (in Fig. 10 Bank B). This analysis, in turn, can reveal new accounts, new registration data of legal entities, their other devices and then be reused among banks, revealing more and more details with each iteration and the full structure of fraudsters. Note that the described synergistic effect also works in relation to other schemes and types of fraud.
This level also includes technologies and platforms of cyber prospecting (Threat Intelligence), which allow you to get both strategic knowledge about what a fraudster is preparing for, as well as
and tactical data on what he has already done regarding certain users. In the latter case, if the organization’s security systems missed the identified incidents, this makes it possible not only to take forward action on the data that has already been compromised, but also to set up their defense systems to respond to the new threat.
In conclusion, we add that each level of protection flows smoothly from one another. Due to this, applying all five levels of prevention of cybercrime in the field of RBS, banks will receive the most effective protection against external and internal harmful effects.
The material was published in the journal “Calculations and Operational Work in a Commercial Bank”, No3 (145) \ 2018.