Stopping Fraud – Getting Rid of the Man in Your Browser

Rob Rachwald, Director of Security Strategy Noa Bar-Yosef, Sr. Security Strategist

Agenda

Motivation Problem Definition Shape Based Tests Content Based Tests Overall Solution Strategy Summary

Today’s Presenter Rob Rachwald, Dir. of Security Strategy, Imperva

Research + Directs security strategy + Works with the Imperva Application Defense Center

Security experience + Fortify Software and Coverity + Helped secure Intel’s supply chain software + Extensive international experience in Japan, China, France, and

Australia

Thought leadership + Presented at RSA, InfoSec, OWASP, ISACA + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today

Graduated from University of California, Berkeley

Today’s Presenter Noa Bar-Yosef, Senior Security Strategist, Imperva

Research + Researches trends in the threat landscape

Security experience + Previously, held the position of Sr. Security

Researcher for Imperva’s Application Defense Center

+ Credited for multiple commercial applications’ vulnerabilities

+ Holds a Master’s thesis specializing in Information Security

Thought leadership + Writes a bi-weekly column on hacker trends and

techniques for SecurityWeek

Motivation

Client Side Attacks - Scope of Problem Major Attack Vectors

Client Side Attacks - Scope of Problem Major Attack Vectors

Exploiting Browser Code Vulnerabilities • Expected to rise with the introduction of HTML5

Exploiting Browser Plug-ins • E.g. Java, Flash, PDF, Media Player

Exploiting OS libraries • E.g. Graphics rendering

Client Side Attacks - Scope of Problem 2010 Vulnerability Figures

Client side

• 77 IE vulnerabilities, 106 Firefox vulnerabilities, 188 Chrome vulnerabilities

• 73 Adobe Flash, 9 Adobe Reader related vulnerabilities

• 72 Various ActiveX related vulnerabilities

Server side

• Only 36 vulnerabilities across IIS, Apache and Tomcat

Client Side Attacks - Scope of Problem Malware Distribution Methods

Drive-By-Download / Malvertizing

Phishing, “Spear Phishing”

Torrent and P2P

Physical

Client Side Attacks - Scope of Problem 2010 Attack Figures

A 2010 report by Kaspersky + ~600M attempts reported to KSN, more than 5 times increase

over 2009

Microsoft detects 60K-100K Zeus-infected machine per month

2010 1H – Microsoft cleaned 6.5M bot infections Rustock spanned 1M computers

Consumers cannot be expected to cope with the technical

problem on their own

From Consumer Attack to a Business Problem

The threat to consumers is

constantly growing •Number of vulnerabilities

•Number of attacks •Types of attacks •Sophistication

Usage is expanding beyond banking and

popular retail applications

We are passed the point of no return •We cannot expect average consumers to avoid infection and mitigate attacks alone

•We cannot deny service to infected consumers

•We cannot let the consumer bear the consequences of a compromise

From Consumer Attack to a Business Problem

Potential consequences (of failing to do so): + Reduced onboarding rate + Reduced activity + Increased refunds + Increased insurance rates

Consumer facing malware threatens online commerce*

Forrester Feb 2011: Malware And Trojans And Bots, Oh My!

From Consumer Attack to a Business Problem

Car User Safety

Online User Safety

Problem Definition

Client Side Trouble – Types of Interaction

• No interaction between malware and application

• Offline interaction between attacker and application using stolen credentials

Key loggers

Client Side Trouble – Types of Interaction

• Some interaction between browser and actual application during attack • Could be used for detection of some

Phishing campaigns • Offline interaction between attacker

and application using stolen credentials

Phishing

Client Side Trouble – Types of Interaction

• Extensive interaction between malware and application during attack

• Offline interaction between attacker and application using stolen credentials

Man in the

Browser

Attacker code runs in context of victim’s browser Original motivation

+ No need to attack infrastructure (DNS, tap into router, etc.) + Defeats SSL

Additional benefits + Access to local resources + Access to application session data

Prominent Actors + ZeuS, Gozi, URLZone, Sinowal, Limbo, and SpyEye + Silentbanker

Man in the Browser Attacks (aka Proxy Trojan)

MitB Attacks - Proxy Trojans in Action

Before After

MitB Attacks - Proxy Trojans in Action

Before After

MitB Attacks - Proxy Trojans in Action

Before After

Proxy Trojan Architecture

Client Machine Web Application

Proxy Trojan Architecture

Client Machine Web Application

Tamper Request

Tamper Page

Extract Data

Inject Fake Transaction

Drop Server

Shape Based Tests

A Typical Change by a Trojan

Clean Infected

Observation: Trojan likes to tamper with plain traffic

Observing Typical Changes by Trojans

• Enforces use of traffic that is easily tampered by the Trojan

• Avoids HTTP/1.1 connections, and compressed data

Encoding of Related Headers

• Ensures identification by the drop server and other attacker controlled components

Client Type Identification

• Extra data provided by an unfortunate victim • Could represent client identification for attacker

controlled components

Additional Parameters

• A consequence of fake transactions Parameter Order

Shape Based Tests

• The application (or a device protecting the application) inspects the shape of incoming messages for changes typical to Trojans

Step 1:

• If a Trojan pattern is detected mark the client (IP address / session / request) as “infected”

Step 2:

Shape Based Tests in Action

Client Machine Web Application

Tamper Request

Tamper Page

Extract Data

Inject Fake Transaction

Drop Server

Apply Shape Tests

Apply Shape Tests

Challenges – Tracking Trojan Discrepancies

• Each Trojan may display a different change • Changes may be reflected in specific request types

• Need to keep track of Trojans • Create a framework for shape based rules • Create a framework for constructing shape tests

Challenges – Avoiding False Positives

• Some real client devices do not support (or choose not to support) HTTP/1.1 or compressed data

Challenge:

• Engage the browser in a challenge response protocol

Solution:

Challenges – Avoiding False Positives

HTTP/1.1 200 OK . . . Content-Encoding: gzip Refresh: 2;url=infection_test.html?infected=no <html> <head> <script>window.navigate('infection_test.html?infected=yes')</script> </head> <body></body> </html>

...........V*//W...Qzi...I...z...J:`.......T$......d.y.%@.^f.R,...(..y.:.J....9.V......%%...JV.J~.a...!..~@.Dqbkc...%6....

Content Based Tests

Observing Content-Tampering Trojans

• Current malware tampers HTML at the network layer (before it is interpreted by browser)

• This is due to simplicity and robustness considerations

Observation:

• Use client side code to verify integrity of HTML page content in coordination with the server

Solution:

OK Solution: Altering the Trojan Behavior

• Step 1: “Provoke” the MitB into making changes • Step 2: Compare the HTML content to known Trojan

behaviors

Naïve Solution

• MitB can be configured to avoid this type of manipulation • Solution requires constant chase after MitB configuration

files Requires constructing an up-to-date database of “known

behaviors”

Challenges

Better Solution: Content-Based Tests

•Server computes a digest of the delivered HTML page Random (invisible) elements are injected into the page before computation

Step 1:

• Server appends a page digest computation function to the HTML page Computation function code includes a random salt

Step 2:

•When page is loaded into the browser, the computation function is invoked, computes the digest and sends it to the server for verification

Step 3:

• If the browser does not send back a digest then infection is assumed

Step 4:

Content Based Tests in Action

Client Machine Web Application

Tamper Request

Tamper Page

Extract Data

Inject Fake Transaction

Drop Server

Compare Digests

Compute Digest and Inject Digest Computation Function

Compute Digest

Content-Based Tests: Strengths

1) Digest cannot be pre-computed by malware due to the random HTML elements

2) Digest cannot be computed by malware without executing the digest computation function + Requires malware to implement / invoke Javascript engine

3) Computation function can be extended to explicitly reference the randomly injected HTML elements through DOM functions + Requires the malware to implement / fake DOM

4) Malware cannot dismiss test

Content-Based Tests: Strengths

5) Does not depend on specific MitB configuration and the expected changes + Only depends on protected application page + Some configuration options should be available to restrict the

parts of the page that are digested – Avoid elements produced by client side code

6) Breaking the tie with attackers + Complexity of the computation process can be increased with

small effort + Resulting changes to malware code are complex and painful,

increasing its footprint

Overall Solution Strategy

Look at the Complete Picture

Apply shape based tests…

… And content-based tests

Interact with Infected Clients

Provide clear visual warnings

Contact customer offline

Apply business access policies • Example 1: Allow data extraction but deny transaction • Example 2: Limit transaction size

Automatically employ extra validation through side channels • Adaptive authentication

Keep a more comprehensive audit trail for the user / session

MitB is Only Part of the Landscape

• Server side fraud detection • Device profiling and reputation • Advanced authentication

Identifying account takeover

• Detect and takedown campaigns • Detect victims in real time

Defeat phishing campaigns

Requires a Flexible Deployment Framework

Cannot change application code whenever capabilities change or threats morph

Create consistency across all applications and flexibility in choosing vendors

Be able to protect legacy applications

Summary

Summary

Threat to consumer is constantly growing and is past the point where we can expect most of our consumers to avoid infection

Consumer infection has become a business problem While providers should urge consumers to be prudent

they MUST learn how to interact with infected consumers and create a safe business environment for them regardless of the general threat

Some car safety mechanisms are already regulated. We can expect the same from business IT security

Summary

Enterprise IT is failing to properly tackle client based attacks within enterprise

The growing number of so called “APT” attacks on organizations demonstrate the effect of “compromised insider”

Failures stem from the same reason: try to avoid infection rather than learn to interact with infected clients

Imperva’s Fraud Solution

SecureSphere 9.0 - Fraud Prevention Services

Is this endpoint safe?

Pass / Block

SecureSphere integrates with Trusteer to detect users infected with malware like SpyEye, Zeus, Gozi & Silon

1. User accesses Website

2. SecureSphere redirects browser to Trusteer

3. Browser downloads, runs malware check

4. Result reaches WAF for analysis

Use Case: Man in the Browser – Fraud Malware

Challenge + Fraud malware performing activities on behalf of

customers, causing money losses & customers dissatisfaction

+ FFIEC compliance requirements

Solution + Detect infected end-devices + Block sensitive areas in the application from infected

devices + Report on users connected from infected end-devices

49

ThreatRadar Fraud Prevention Stopping MitB

SecureSphere provides full event detail to analyze Man in the Browser (MitB) attacks

Centrally Manage Fraud and Web Security

SecureSphere Policy Engine

Known Attack Sources

Bot Detection Web Attack

Detection

Geolocation

User Infected with Malware

Browser and Agent

Combining Web fraud with WAF policies enhances accuracy of fraud detection

User Name

Webinar Materials

Post-Webinar Discussions

Answers to Attendee Questions

Webinar Recording Link Webinar Slides

Get LinkedIn to Imperva Data Security Direct for…

www.imperva.com

- CONFIDENTIAL -