Trend Micro’s July report on the malware campaign known as Operation Emmental, named after the Swiss cheese because it revealed numerous holes in BFSI institutions’ security systems, detailed the attack bypassing the standard two-step authentication process employed by financial institutions to protect client accounts. Emmental has so far only exploited a handful of banks, but IT security experts warn that it and similar campaigns could inflict widespread damage.
Last year’s Target breach demonstrated that data security challenges are not limited to BFSI institutions. As JD Sherry, Vice President of Technology and Solutions at Trend Micro, explains, “Banks are typically seen as the major targets, but are usually the most secure compared to peers in other industries. According to Identity Theft Resource Center [ITRC], there have been 431 breaches this year as of July 2014 and Financial Services account for merely four percent of those breaches. However, users are typically seen as an easy attack vector to acquire access to these banking and financial accounts, oftentimes by providing criminals with credentials after they’ve been exposed to a successful spear phishing campaign.”
Emmental, believed to originate in Eastern Europe, affected 34 banks in Austria, Sweden, Switzerland and Japan, and exploits customer vulnerabilities instead of targeting banks’ complex security infrastructures. It relied on phishing, a tactic which, as reported by the San Jose Mercury News, dates back to at least 1995: the hackers sent spoof emails to users purportedly from a popular retailer. Symantec Security Response researcher Candid Wueest encapsulates, “Operation Emmental showed once more that web browsers can easily be compromised and should not be trusted alone when displaying security relevant information.”
The emails also contained a Control Panel file allowing manipulation of the host systems’ DNS configuration, bypassing security prompts and redirecting users attempting to make an online purchase to a hacker-run spoof site impersonating the targeted banks, prompting users to input sensitive data.
Emmental skirted the second standard authentication step by directing users to download a seemingly legitimate Android app that intercepted session tokens, the one-time codes banks normally send to users through a separate secure channel such as SMS, and diverted them to a hacker-controlled command-and-control (C&C) server, enabling user accounts to be breached. Unlike malware campaigns that target entire systems, software such as Emmental vanishes once its mission is fulfilled to minimize traceability.
Although Emmental and similar malware targets users, Wueest mentions, “Of course, banks can do a lot of fraud prevention on the backend as well, such as verifying the user’s fingerprint based on system configuration and behavior, filtering out suspicious transactions.”
Instead of viewing user account protection as a Sisyphean task, Trend Micro’s report advises BFSI institutions to explore alternative authentication methods. “One approach that some banks have started to implement is true out-of-band authentication with transaction signing,” Wueest says. “For example, a smartphone application that can establish an authenticated and encrypted channel back to the bank independently from any laptop. This allows the user to receive push messages from the bank’s backend and verify, approve and sign the transaction without entering any data in a possibly compromised web browser. Other banks have completely moved to mobile banking, not requiring any PC at all. These methods are fine, as long as the smartphone applications are not compromised – another cat-and-mouse game that has begun.”
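The transaction signing Wueest describes works because the signature binds the transaction details the user approved on the phone, so a beneficiary swapped in by a compromised browser or spoof site no longer verifies at the bank. The following is an added illustration, not code from Trend Micro, Symantec or any bank; it assumes a per-device key shared at enrollment (a simplification; real deployments typically use asymmetric keys), a hypothetical BankBackend class, and constructed sample account and beneficiary values.

```python
import hmac
import hashlib
import json
import secrets


def canonical_bytes(tx: dict) -> bytes:
    # Deterministic encoding so the phone app and the bank sign the same bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(device_key: bytes, tx: dict) -> str:
    # Runs on the enrolled phone after the user has read and approved the details.
    return hmac.new(device_key, canonical_bytes(tx), hashlib.sha256).hexdigest()


class BankBackend:
    """Hypothetical backend: verifies signatures and rejects replays."""

    def __init__(self) -> None:
        self.device_keys: dict[str, bytes] = {}  # account -> key from enrollment
        self.seen_nonces: set[str] = set()       # replay protection

    def enroll_device(self, account: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[account] = key
        return key

    def submit(self, account: str, tx: dict, signature: str) -> bool:
        key = self.device_keys.get(account)
        if key is None or tx.get("account") != account:
            return False
        if tx.get("nonce") in self.seen_nonces:
            return False  # same signed transaction submitted twice
        expected = hmac.new(key, canonical_bytes(tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False  # details differ from what the user signed on the phone
        self.seen_nonces.add(tx["nonce"])
        return True


def demo() -> dict:
    bank = BankBackend()
    key = bank.enroll_device("acct-1")
    tx = {"account": "acct-1", "amount": "120.00", "currency": "CHF",
          "beneficiary": "SAMPLE-IBAN-GENUINE", "nonce": "n-0001"}  # constructed
    sig = sign_transaction(key, tx)
    # Browser-side tampering: beneficiary replaced, signature unchanged.
    tampered = dict(tx, beneficiary="SAMPLE-IBAN-SWAPPED")
    return {"tampered": bank.submit("acct-1", tampered, sig),
            "genuine": bank.submit("acct-1", tx, sig),
            "replay": bank.submit("acct-1", tx, sig)}
```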
Sherry advises that BFSI institutions “can help by further educating their end users to ensure they have the proper countermeasures to defend against the types of attacks we saw in Operation Emmental. This could include cybersecurity awareness campaigns for their customers to showcase the risk of not protecting their devices and clicking on suspicious links. I would also like to see them offer free security toolsets for mobile devices and PCs to keep their end users safe as yet another value-added service they provide to reduce the overall risk of fraud.”
Emmental’s phishing strategy, bypassing banks’ highly sophisticated security systems, proved as effective today as it did nearly two decades ago and remains a challenge across online industries. Wueest explains, “Attackers will always experiment with new methods or combine old ideas with a new twist. MITM attacks will always be popular with online banking threats as they allow for flexible modifications. Currently, the common bottleneck for the attackers is often the money mules needed to transfer the money out of a compromised account and not the number of vulnerable victims. The adaption rate also depends a lot on the success rate and the availability of an easy-to-use toolkit for a Trojan.”
Wueest believes hackers and other cybercriminals will continue to exploit the biggest possible threat to a user’s security – good judgment. “One other attack group, which we will definitely still see in the future, are social-engineering attacks, because they are very hard to prevent with technology. If the attacker can convince the user with a message that he has to do the transaction for a good reason, then there is little chance in protecting the user from himself.”