Attack Update: Man-In-The-Browser, and Chat-In-The-Middle On Horizon For US Financial Institutions
A recent conversation with a security researcher in Israel gave me a real feeling of dread. Toward the end of our talk, I asked Uri Rivner, head of new technologies, consumer identity protection, RSA Security, about what he sees on the horizon for online attacks against banking customers. What he told me wasn't good news.
We all are familiar with the old phishing attacks where phishers send e-mails that try to trick customers into believing the e-mail is coming from their financial institution. The good news is people are getting wise to these attempts. The bad news is the newest threats on the horizon, including Man-In-The-Browser and Chat-In-The-Middle, don't rely on the gullible customer to take action in order for the attack to be successful. Their attacks are more surreptitious.
Rivner says the security community has been talking about Man-In-The-Browser attacks for a while, but it has not reached the mainstream American consumers or U.S. institutions. It is happening now in German banks and a limited number of commercial banks in the U.S., along with retail banks in the U.K.
Man-In-The-Browser goes one step further than ordinary banking Trojans like Limbo or Zeus. Those Trojans collect the information from a customer, but the turnaround time to get the data into the hands of a cash-out fraudster could be three or four days, or even weeks. The required two-factor authentication for online banking and the fact that many banks are now asking for additional authentication information in real time means the data collected by those Trojans are rendered useless. The specific information the bank asks in real time isn't collected by the harvesting Trojan, and when the harvested information is used again, the real-time authentication will stop the hacker from going further, they won't have the answer to that authentication challenge.
Leave it to the hackers to get around those hurdles. They are moving to real-time collection. Moving the credentials - complete with the real time authentication information to a cash-out fraudster - thus making the money transfer in real time to a money mule for cash-out, Rivner told me.
How the hackers are doing it in real-time - they have to trick the user, get the credentials and then send them to a mule database for cash-out. This is a giant move from where they are now in terms of operational fraud infrastructure. Rivner foresees once they do it on a wider scale, it means it will be much more difficult to stop them where they are operating in real-time.
The additional information being asked now will be useless to prevent the fraudster, Rivner says. According to what they're seeing at RSA, some Man in the Browser attacks have even changed the customer's online banking statement to show that all of the money is intact. This is so the customers won't know that any money has been removed until the next time they come back to the site. This level of sophisticated fraud hasn't reached consumer banks here in the U.S., but it is a matter of time before it does, Rivner told me.
One of the main defenses against Man-In-The-Browser is out-of-band authentication. Using either a SMS message over a cell phone, or an automated phone call where the user gives authentication over the phone, the institution now knows the customer is in front of their computer.
Another new, unique type of phishing attack is hitting online banking customers. It was also discovered by the RSA FraudAction Research Lab. The researchers are calling it Chat-in-the-Middle phishing attack. How it occurs is through routine means, but then presents a more advanced layer of perpetrating online fraud.
The phishing attack tries to trick bank customers into entering their usernames and passwords into an ordinary phishing site, but the addition of a bogus live chat support window can obtain even more credentials via a live chat session initiated by fraudsters.
When the bank customer enters the live chat session, the fraudster behind the attack presents himself as a representative of the bank's fraud department and tries to trick the customer into divulging sensitive information - such as answers to secret questions that are used for online customer authentication. RSA's blog on this new attack says it is targeting a single U.S.-based financial institution.