The case studies documented in the subsequent case study chapters (four, five, six and seven) were identified through several processes. The first was the manual mapping of each URL to an organisation; during this process several URLs of organisations attracted the researcher’s attention.
For example, there are three injections on URLs belonging to CNN (a news agency), which is, on the face of it, not a normal target for financial malware. The attack against CNN is documented in chapter 4.3. In addition to CNN, 55 URLs based on commercially available banking software were also identified; these are documented in chapter 7.7.
The second process was investigating the data set by searching for various keywords, such as “credit card”, TAN[1], OTP[2], Password, CVV[3] and so on. This resulted in the identification of several case studies in chapter five. The keywords were selected based on the researcher’s experience in online banking cybercrime fraud investigations.
Finally, correspondence with press activity was noted and analysed. For example, the McAfee research paper “Dissecting Operation High Roller” (Marcus & Sherstobitoff, 2012) is based on several webinject configurations, of which at least two are in the research data set. This led to the analysis of a webinject capable of performing automated transfers in chapter 6.
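The keyword-search step described above, as an added example that is not the thesis’s own tooling: a small Python script that parses a constructed XML sample of webinject entries, flags those whose injected content contains the listed keywords, and groups the hits by the organisation each target URL maps to (the manual URL-to-organisation step). The element names, hostnames and organisation mapping are assumptions, not the layout of the research data set.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Keywords the thesis lists for the search; matched case-insensitively as whole words.
KEYWORDS = ["credit card", "tan", "otp", "password", "cvv"]

# Constructed sample of three webinject entries; element names are an assumption.
SAMPLE_XML = """<webinjects>
  <inject>
    <target>https://online.example-bank.test/login</target>
    <data_inject>Please confirm your One Time PIN (OTP) and CVV: &lt;input name="cvv"/&gt;</data_inject>
  </inject>
  <inject>
    <target>https://www.example-news.test/</target>
    <data_inject>&lt;div&gt;Donate now! Enter credit card number and password&lt;/div&gt;</data_inject>
  </inject>
  <inject>
    <target>https://www.example-news.test/weather</target>
    <data_inject>&lt;script src="x.js"&gt;&lt;/script&gt;</data_inject>
  </inject>
</webinjects>"""

# Constructed host-to-organisation mapping; the thesis did this mapping step manually.
ORG_BY_HOST = {"online.example-bank.test": "Example Bank",
               "www.example-news.test": "Example News"}

def matched_keywords(text):
    """Return the keywords found in text, in KEYWORDS order, whole-word and case-insensitive."""
    return [k for k in KEYWORDS
            if re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE)]

def triage(xml_text):
    """Group keyword-matching injects by organisation; injects with no hit are dropped."""
    hits = {}
    for inject in ET.fromstring(xml_text).iter("inject"):
        url = inject.findtext("target", "")
        found = matched_keywords(inject.findtext("data_inject", ""))
        if not found:
            continue  # e.g. a bare script include: no credential-harvesting words to flag
        org = ORG_BY_HOST.get(urlparse(url).hostname, "unmapped")
        hits.setdefault(org, []).append({"url": url, "keywords": found})
    return hits

if __name__ == "__main__":
    for org, entries in triage(SAMPLE_XML).items():
        print(org, entries)
```

The third sample entry is deliberately a plain script include with no keyword hit, showing why a keyword pass alone misses injects that only load remote code and must be complemented by manual review.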
3.6.1 CAVEATS
In the examination of the case studies, the version of the website served when targeted by the financial malware may differ from what was served when the site was visited in the drafting of the thesis, as a result of the lapse in time between the two events. Also, a number of the webinjects are targeted at web pages served “behind the door”. In other words, one must have a legitimate and active user account at the organisation and have successfully logged into the website before one is able to view the page that was targeted by the webinject.
As a result of the above, screenshots visually depicting the injection are limited, and a certain dose of poetic license may have been applied where required. The assumptions made in order to recreate the version of the page at the time of the injection will be noted in the respective case studies.
Those webinject configuration files discussed in case studies are included in the electronic appendix attached to this research. The filename of the webinject configuration file is that of the listing reference used in the text.
[1] TAN: Transaction Authentication Numbers
[2] OTP: One Time PIN
3.7 SUMMARY
The data set used in this thesis contains 483 webinject configuration files captured from October 2010 until June 2012, which targeted more than 440 institutions across 28 industries. As can be expected, the financial sector is the most-targeted industry within the data set; the vast majority of organisations targeted were located within the United States.
The XML files comprising the data set were imported into a data analysis tool that indexed the data and enabled the query tools to search through the data set to extract the sought-after information, whether structured or unstructured.
Part two of this research contains the analysis of the case studies that were identified in the analysis of the research data set. The case studies examine webinjects that exploit social engineering methods, bypass security controls and perform automated transfers.
PART TWO
4 SOCIAL ENGINEERING
4.1 INTRODUCTION
After hurricane Katrina in 2005, several fraudulent websites were set up to solicit donations for charities that would assist the victims in the aftermath (Krebs, 2005). This is consistent with the approach taken after the tsunami in Indonesia the year before (Krebs, 2005) and in other types of social engineering exploits.
The use of social engineering tactics is essentially to coax the victim into performing actions that will benefit the attacker, such as clicking the link that takes the victim to an infection point to install malware (Abraham & Chengalur-Smith, 2010). Typical social engineering, as popularised by Kevin Mitnick, is manipulating an organisation’s staff via telephone call or in person, using snippets of factual information bent to serve the attacker’s purposes (Mitnick & Simon, 2001).
Contemporary research related to malware and social engineering tends to end at the point when the victim has followed the directions received in emails or on websites, which have resulted in the installation of the malware on the victim’s device. The process of getting the financial malware installed on the victim’s workstation is, in many instances, only the first use of social engineering tactics (Abraham & Chengalur-Smith, 2010). As will be demonstrated below, the payloads of the financial malware instance may also include several instances of webinjects that leverage topical events, use social engineering tactics and exploit the trust that the victim places in the website where the malicious code has been injected.
Two case studies have been identified in the data set that illustrate the potential of combining well thought-out social engineering tactics with the attacker’s use of financial malware’s webinject functionality. The first case study, chapter 4.2, shows how a social networking platform was used to entice victims to make donations to a legitimate cause in order to harvest card data. In the second case study, chapter 4.3, a botnet operator using financial malware webinjects is able to immerse the victim in an ecosystem that is almost entirely controlled by the malware.