Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware and ACH/EFT Fraud

Published byVictoria York Modified over 9 years ago

Similar presentations

Presentation on theme: "Malware and ACH/EFT Fraud"— Presentation transcript:

1 Malware and ACH/EFT Fraud
Zeus Botnets: Malware and ACH/EFT Fraud Paul Melson Senior Manager IT Production & Security Priority Health What's a botnet? How does ACH fraud work? Mule recruiting Money Laundering The Zeus Botnet Kit - features - versions - pricing - MitB attack vs RSA, CAPTCHA, CERTIFICATES Zeus in the News - FBI Raid - That Kneber Thing - Some Brian Krebs Articles Zeus NOT in the News - Michigan case study #1 - Michigan case study #2 Organizational Risk Areas Countermeasures __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

2 What’s a botnet? __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

3 What’s a botnet? Compromised computers running malware
Centrally controlled IRC, P2P, HTTP/HTTPS, DNS A. This is where spam comes from B. DDoS for hire C. Fraud & identity theft D. All of the above __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

4 What’s a botnet? __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

5 The Zeus Botnet Kit Thought to be responsible for most of the reported ACH fraud incidents last year Made-to-order malware Reportedly, cost to criminal for custom version is $3000 depending on options Unlike other kits like YES and BlackSun, Zeus does not sell exploits with its kit __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

6 __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

7 __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

8 The Zeus Botnet Kit Components Custom command & control options
Webkit command & control console (PHP/MySQL) Zeus Builder binary generator Custom command & control options Encrypted HTTP Jabber VNC (over encrypted HTTP) __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

9 __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

10 __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

11 The Zeus Botnet Kit Self-protection features Data theft
%SystemRoot%\system32\drivers\etc\hosts file tampering Automatic repacking of binaries Polymorphic encryption (1.4.x and later) Data theft Stored IE passwords Web injection, aka login form stealing for Firefox & IE Digital certificates used for authentication __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

12 Malware Man-In-The-Browser
Presents fake login page / logout button to user Upon recognized bank login, phones home to waiting operator Steals bank website login information Steals Security Certificates Used by Bank of America Hijacks sessions that use RSA tokens Used by E*Trade, Credit Suisse This is reportedly a $1,500 option for ZeuS __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

13 How ACH / EFT Fraud Works
Corporate login to bank website is stolen Thief transfers funds to “mule” accounts based in the US Mules withdraw money in cash Mules wire cash to foreign countries in the form of a money order Thief cashes money order __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

14 How ACH / EFT Fraud Works
__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

15 Mule Recruiting “Work From Home” scam
Person is told they are working in an customer service or billing position Person uses their personal checking account to receive funds And after they do the wire transfer and are burned… …their identity is sold on the black market and they get burned a second time __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

16 Mule Recruiting __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

17 Money Laundering Mule withdraws cash
Cash is then wired via Western Union to an alias in a foreign country Ukraine China Australia Nigeria Money is picked up by another local mule …and then it’s really gone __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

18 Michigan Case Study #1 Insurance Services Firm on East side of Michigan $150K stolen from trust account Transfer amounts just under $10K to avoid IRS notification Sent to individual accounts across USA Victim has recovered approx. $70K so far Confirmed instance of Zeus variant __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

19 Michigan Case Study #2 Construction company in central Michigan
$700K stolen from a payroll account Bank website used RSA token for login Transfer amounts just under $10K to avoid IRS notification Transfers withdrawn in cash by “mules” Confirmed instance of ZeuS variant __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

20 I Thought the FBI Busted Zeus?
9/28 – 15 arrested in UK 9/30 – 10 arrested in US Ties to organized crime in Ukraine Targeted customers of UK banks: HSBC, Royal Bank of Scotland, Barclays, Lloyds TSB Few details are publicly available as of right now This is one of many known active Zeus botnets This is not Kneber This is not a fast-flux botnet __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

21 Detecting Zeus on Your Network
UPnP search queries 3x UDP packets to on port 1900 HTTP GET pulls down config file on initial infection default filename is /config.bin server response is binary file (application/octet-stream) HTTP POST check-ins use HTTP POST to send an RC4-encrypted string Server responses are RC4-encrypted using the same key LuckySploit "Welcome to LuckySploit:) \n ITS TOASTED"; __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

22 Risk Areas in Your Business
Payroll Accounts Payable Insurance Claims Commissions Point of Sale Anything that can use EFT to send money __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

23 Countermeasures Dual control for banking web sites
Dedicated workstations Specialized Security Software Bank on a Mac? __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

24 Discussion Paul Melson pmelson@gmail.com twitter.com/pmelson
pmelson.blogspot.com What's a botnet? How does ACH fraud work? Mule recruiting Money Laundering The Zeus Botnet Kit - features - versions - pricing - MitB attack vs RSA, CAPTCHA, CERTIFICATES Zeus in the News - FBI Raid - That Kneber Thing - Some Brian Krebs Articles Zeus NOT in the News - Michigan case study #1 - Michigan case study #2 Organizational Risk Areas Countermeasures __________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Download ppt "Malware and ACH/EFT Fraud"

Similar presentations

Review Ch. 3 – Connecting to the Worlds Information © 2010, 2006 South-Western, Cengage Learning.

Review Ch. 3 – Connecting to the Worlds Information © 2010, 2006 South-Western, Cengage Learning.
09/04/2015Unit 2 (b) Back-Office processes Unit 2 Assessment Criteria (b) 10 marks.

09/04/2015Unit 2 (b) Back-Office processes Unit 2 Assessment Criteria (b) 10 marks.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license.

© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license.
1 Cypak core technology New convenient security solutions for online gaming Combat fraud and keep your customer happy.

1 Cypak core technology New convenient security solutions for online gaming Combat fraud and keep your customer happy.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.

The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
Module 5: financial services review

Module 5: financial services review
Welcome to SpyEye Front-end interface called “CN 1” or “Main Access Panel.”

Welcome to SpyEye Front-end interface called “CN 1” or “Main Access Panel.”
TAX-AIDE Computer Security Chris Hughes Chairman NTC 1 NLT Meeting Aug 2014.

TAX-AIDE Computer Security Chris Hughes Chairman NTC 1 NLT Meeting Aug 2014.
New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.

New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.
Warm Up: Identity Theft: Quick Write 1. What is Identity Theft? 2. What is Fraud?

Warm Up: Identity Theft: Quick Write 1. What is Identity Theft? 2. What is Fraud?
TAX-AIDE Computer Security Chris Hughes (HMR mod) Chairman NTC 1 NLT Meeting Aug 2014.

TAX-AIDE Computer Security Chris Hughes (HMR mod) Chairman NTC 1 NLT Meeting Aug 2014.
Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.

Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Corporate Account Takeover & Information Security Awareness PRESENTATION FOR BANK CUSTOMERS.

Corporate Account Takeover & Information Security Awareness PRESENTATION FOR BANK CUSTOMERS.
Internet Security Awareness Presenter: Royce Wilkerson.

Internet Security Awareness Presenter: Royce Wilkerson.
Phishing Definition: a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial.

Phishing Definition: a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial.
CMU Usable Privacy and Security Laboratory A Brief History of Semantic Attacks or How Not to Get Screwed Online Serge Egelman.

CMU Usable Privacy and Security Laboratory A Brief History of Semantic Attacks or How Not to Get Screwed Online Serge Egelman.
Australian High Tech Crime Centre What is cybercrime & trends Monday 5 November 2007.

Australian High Tech Crime Centre What is cybercrime & trends Monday 5 November 2007.

Similar presentations

Ads by Google