Last week, reports flooded security forums and publications highlighting an increase in the rate of a fraud attack named Operation Emmental.
The threat type was first noticed by security companies approximately 5 months ago, but the recent rise in successful attacks against mobile banking users has been alarming and underlined the effectiveness of the attack. The fact that the majority of the successful attacks were aimed at Swiss banks led to the name of Operation Emmental, referring to the Swiss cheese containing holes, suggesting imperfections in security.
What has been interesting about this attack, isn’t that it is a completely new threat, but rather the number of existing techniques which are used, and the way they are combined in order to beat traditional security measures, such as stand-alone use of second factor authentication. Further, the attack is employing the techniques in new channels which aren’t monitored by most anti-fraud systems.
Techniques such as phishing, pharming, malware installation, DNS poisoning, MITM, and fake app deployment, are all cleverly employed in unison, with one vector being used to nullify the security which is in place to protect the next vector.
We have seen that this is a continuing trend, not something which is only present in the Operation Emmental threat. Fraudsters have a very good understanding of how point security solutions work, and have seen that banks are deploying more than one solution to try and cover the end to end fraud lifecycle, and so are moving to this combined approach to be successful.
Dealing with such a complex attack doesn’t only need a solution to each issue, use of next gen detection techniques and a layered approach to security. It also requires each element to share intelligence and work in a unified way just as the attack itself does.
The attacks aimed against the Swiss banks fell into three stages:
Setup of Phishing Attack - The initial stage is to use a spear phishing attack via email, which executes a malware tool on the user’s PC, affecting the user’s PC before deleting itself, so it cannot be detected by traditional malware detection. This malware is focused on setting up the user’s PC to use a poisoned DNS server, and also install an SSL certificate, in order that the second stage can succeed.
Launch of Phishing Attack – The user is unaware of the changes made during the setup stage, and then browses to their online banking site and is hit by a phishing attack by the changes made in the initial stage. The SSL changes mean that the phishing site looks more real, effectively nullifying any security which SSL can provide. The phishing site is then successful in stealing user credentials, but in addition also sets up the next stage of the attack by instructing the user to download a fake mobile banking application, which is built to intercept SMS messages sent by the bank.
Cashing of Attack – In the final stage the fraudster is now able to use the stolen credentials to log into the users online banking account and transfer money out. The fraudsters were aware that some of the banks had deployed second factor authentication, but they had prepared for this during the previous stage by getting the user to install the fake banking application. This would prevent the 2nd factor authentication from being effective by intercepting SMS messages sent from the banks to the user, containing one time passwords (OTPs). The OTPs would be diverted to the fraudster for use in logging into the banking site, and the genuine customer would remain unaware that their account had now been taken over. At this point the fraudster has control and is able to ‘cash out’ the attack.
Implementing a unified, intelligent solution is the only sure fire way to defend against an attack such as this.
We see such threats day by day, and defend our customers against them through use of multiple layers of web fraud detection and prevention, which share intelligence to ensure that the fraudsters cannot attack one security defense to allow subsequent attacks to succeed.
In order to address these kinds of threats, banks must leverage technology that works against phishing and malware attacks, monitors App stores and devices for fake applications, and provides transaction anomaly detection along with next gen authentication, to prevent cashing of attacks. But most critically, banks must be able to share intelligence across all of these technologies. For example, it is critical that intelligence about phishing sites, for example, can not only be used to take down those sites, but also be leveraged to understand what fake apps users are being asked to install if they go to that site. Another examples is the ability to apply more advanced authentication measures (which go beyond just one-time passwords) once a bank knows that it and its customers have been the victim of an attempted phishing scheme.
By harnessing intelligence across multiple fraud-prevention technologies, banks can obtain a ‘risk-score’ across every transaction, which takes into account factors such as whether the user has been affected by malware or fake app installation, whether they have used more advanced authentication, and whether the behavior is typical of that user.
With attackers finding the ‘Swiss cheese’ holes in traditional fraud prevention, its time for companies to truly implement a layered approach to fraud prevention, so that no one hole becomes their demise.