Presentation is loading. Please wait.

Presentation is loading. Please wait.

Transaction Generators: Root Kits for Web By: Collin Jackson, Dan Bonch, John Mitchell Presented by Jeff Wheeler.

Published byCornelius Abner O’Neal’ Modified over 9 years ago

Similar presentations

Presentation on theme: "Transaction Generators: Root Kits for Web By: Collin Jackson, Dan Bonch, John Mitchell Presented by Jeff Wheeler."— Presentation transcript:

1 Transaction Generators: Root Kits for Web By: Collin Jackson, Dan Bonch, John Mitchell Presented by Jeff Wheeler

2 Outline Current Phishing Attacks –Focused on stealing user credentials Response –Stronger Authentication and back end analytics Anticipated Attack Vector –Transaction Generator Malware Countermeasures –CAPTCHA, Randomized Transaction Pages, Transaction Confirmation

3 Current Phishing Attacks Steal User Credentials –Directing users to a spoofed web page –Key-logging

4 Crimeware-spreading URLs infecting PCs with password-stealing code rose 93 percent in Q1, 2008 to 6,500 sites. (apwg_report_Q1_2008)

5 The number of unique keyloggers and crimeware-oriented malicious applications detected rose to 430 in March (apwg_report_Q1_2008)

6 Response to Phishing Methods –Transaction authentication –Site-to-user authentication –Challenge questions –Device identification –Knowledge-based authentication (KBA) –Out-of-band authentication –Hardware tokens –Software and toolbar tokens –Transaction signing –CAP / EMV

7 Transaction Generator Malware Allows criminals to manipulate user accounts directly without stealing user credentials or subverting authentication mechanisms To the web site, a transaction generator looks identical to a legitimate transaction A transaction generator can hide its transactions

8 What does a Transaction Generator Do? Quietly sits on a user computer User authenticates Session cookie issued –Reside in application environment, and are fully accessible by malware Transaction Generator creates transactions

9 Additional work of a stealth Transaction Generator Hide transactions from users –Amazon purchase for blender Malware hides all references on order history page to anything containing the word blender –Credit card purchase to Amazon Hide all purchases from Amazon on recent transactions for the blender purchase amount Transactions are hidden through the malware, the site providing information is unaware the user does receives incorrect information

10 Uses of a Transaction Generator Pump and dump stock schemes –Boost the price of penny stocks Purchasing goods –When one blender is not enough Election system fraud –Voting at home systems Financial theft –Bill pay to transfer money

11 Countermeasures CAPTCHA –Create code to compute response –Use ChaCha type network of solvers Randomized Transaction pages –Increase difficulty of hiding unauthorized transactions Transaction Confirmation

12 Confirmation agent is isolated from malware, either via VM or separate hardware A browser extension to function as a relay between the confirmation agent and the remote site Verification via key exchange Security relies on 2 properties –The agents secret key must be isolated from malware –Malware must be prevented from injecting mouse clicks into the agents dialog

13 Ideal Solution Prevent malware from getting into the browser

Download ppt "Transaction Generators: Root Kits for Web By: Collin Jackson, Dan Bonch, John Mitchell Presented by Jeff Wheeler."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
K-State IT Security Training Ken Stafford CIO and Vice Provost for IT Services Harvard Townsend Chief Information Security Officer

K-State IT Security Training Ken Stafford CIO and Vice Provost for IT Services Harvard Townsend Chief Information Security Officer
S CENARIOS FOR THE F UTURE OF THE C ANADIAN P AYMENTS S YSTEM A UTHENTICATION AND I DENTITY W ORKSHOP N OVEMBER 3, 2010 Greg Wolfond.

S CENARIOS FOR THE F UTURE OF THE C ANADIAN P AYMENTS S YSTEM A UTHENTICATION AND I DENTITY W ORKSHOP N OVEMBER 3, 2010 Greg Wolfond.
A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” emails to counterfeit sites Users “give up” personal financial.

A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” s to counterfeit sites Users “give up” personal financial.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Dan Boneh CS155 Computer Security Looking for undergrad research? Come see me!

Dan Boneh CS155 Computer Security Looking for undergrad research? Come see me!
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Securing Online Transactions with a Trusted Digital Identity Dave Steeves - Security Software Engineer Microsoft’s.

Securing Online Transactions with a Trusted Digital Identity Dave Steeves - Security Software Engineer Microsoft’s.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.

The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.
Cyber X-Force-SMS alert system for E-mail threats.

Cyber X-Force-SMS alert system for threats.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.

Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Payment Fraud Trends : What Can you do? Protect Yourself and Your Business from Financial Fraud.

Payment Fraud Trends : What Can you do? Protect Yourself and Your Business from Financial Fraud.
FIRST COURSE Computer Concepts Internet and Email Microsoft Office Get to Know Your Computer.

FIRST COURSE Computer Concepts Internet and Microsoft Office Get to Know Your Computer.
Web Browser Security Team iBrowse Sha-Myra Richardson John Darr.

Web Browser Security Team iBrowse Sha-Myra Richardson John Darr.

Similar presentations

Ads by Google