2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public
Page 1 of 10
From a technology perspective, you can look at referrer headers; you can look at changes in the
timing between specific transactions, right? If someone logs in, immediately they're trying to add
a beneficiary or immediately turn into third party payment, the second they log in, that's not
normal behavior, because to get to that screen, you have to click through a couple of, all right,
other screens, like account balance. You know, it's not--so we do this sort of behavioral analysis
as well, which, you know, we keep registers of the browsers people use, the phones that they
use, all right, to make sure that we can pick up any of these changes.
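The behavioral checks just described (referrer headers, timing between login and a sensitive transaction, whether the user clicked through intermediate screens, and a register of known browsers and phones) can be expressed as a simple session scoring rule. The following is an added example written for this transcript, not code from Cisco or from the speaker's organisation; the event schema, the five-second threshold, the bank host name and the sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed session-event schema: what a fraud-monitoring service might see
# for each request after a customer logs in. Field names are assumptions.
@dataclass
class Event:
    session: str
    customer: str
    t: float        # seconds since the session started
    action: str     # e.g. "login", "view_balance", "add_beneficiary", "third_party_payment"
    referrer: str   # Referer header on the request ("" when absent)
    device: str     # browser/phone fingerprint identifier

SENSITIVE = {"add_beneficiary", "third_party_payment"}
MIN_SECONDS_AFTER_LOGIN = 5.0                        # tunable threshold (assumption)
EXPECTED_REFERRER_PREFIX = "https://bank.example/"   # placeholder for the bank's own host

# Register of browsers/phones previously seen per customer (constructed).
REGISTERED_DEVICES: Dict[str, Set[str]] = {
    "cust-1": {"fp-chrome-win-a1"},
    "cust-2": {"fp-safari-ios-b2"},
}

def score_session(events: List[Event]) -> List[str]:
    """Return the anomaly reasons for one session; an empty list means it looks normal."""
    reasons: Set[str] = set()
    events = sorted(events, key=lambda e: e.t)
    login = next((e for e in events if e.action == "login"), None)
    if login is None:
        return ["no login event in session"]
    screens_before: Set[str] = set()   # non-sensitive screens clicked through so far
    for e in events:
        # Device check: a browser or phone this customer has never used before.
        if e.device not in REGISTERED_DEVICES.get(e.customer, set()):
            reasons.add(f"unregistered device {e.device}")
        if e.action == "login":
            continue
        if e.action in SENSITIVE:
            delay = e.t - login.t
            # Timing: a beneficiary add or third-party payment seconds after login.
            if delay < MIN_SECONDS_AFTER_LOGIN:
                reasons.add(f"{e.action} only {delay:.1f}s after login")
            # Navigation: a human has to pass other screens (e.g. account balance) first.
            if not screens_before:
                reasons.add(f"{e.action} with no intermediate screens")
            # Referrer: the request should originate from one of the bank's own pages.
            if not e.referrer.startswith(EXPECTED_REFERRER_PREFIX):
                reasons.add(f"{e.action} with unexpected referrer {e.referrer!r}")
        else:
            screens_before.add(e.action)
    return sorted(reasons)

# Constructed sample sessions.
NORMAL = [
    Event("s1", "cust-1", 0.0, "login", "https://bank.example/", "fp-chrome-win-a1"),
    Event("s1", "cust-1", 20.0, "view_balance", "https://bank.example/home", "fp-chrome-win-a1"),
    Event("s1", "cust-1", 65.0, "add_beneficiary", "https://bank.example/balance", "fp-chrome-win-a1"),
]
SUSPICIOUS = [
    Event("s2", "cust-2", 0.0, "login", "https://bank.example/", "fp-safari-ios-b2"),
    # Fired by automation the moment login completes: no referrer, no prior screens.
    Event("s2", "cust-2", 1.2, "add_beneficiary", "", "fp-safari-ios-b2"),
]

if __name__ == "__main__":
    print("normal:", score_session(NORMAL))
    print("suspicious:", score_session(SUSPICIOUS))
```

Each reason is a separate signal so that a scoring layer can weight them; a single unregistered device on its own is common (a new phone), while a sensitive action with no intermediate screens and no referrer is the pattern the speaker calls not normal behavior.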
So just in terms of the attacks, right, so it all started as an adjunct, right, and this was started as
an adjunct to phishing-- a better way of phishing where you didn't have to trick people. And what
they would do is, when a customer logged in, they would literally copy the password off into their
network for later use, and then later on, log in, transfer the money, all right? So the banks at that
stage, you know, they've done a lot of education to customers, saying, you know, "Never put your
password in an email. Always check out the site. Make sure it's us, right? We never ask for it
over the phone," that sort of thing. And so they eventually did get around it. So we, all right,
either tokenize or SMS OTP to stop them from being successful at this, so we look smarter.
So what they decided to do was post login and during transactions, and this they generally
wait--they don't have to, but they wait until after you've logged in, and they either flash up a
screen that says, "We're checking security settings," or they actually wait till you're doing
transactions, and on the fly they use regular expressions to actually change the destination
account; they actually route that money out through a different account. And what happens is, we
send back the SMS OTPs. There's--"Here's your magic number. Follow transactional authorization."
You type in the magic number, and off the money goes. This actually is a screen that SpyEye uses,
all right? The post-login screen.
So what happens in this scenario, you log in, you see this screen. In the background, SpyEye
actually enters either "adding you a beneficiary" or just doing a straight third-party payment, and
that generates an OTP. And after you've seen this screen, a special screen says, "Please enter your
OTP to progress. We've validated your security. Enter the OTP," and your money's gone. So if
you see the screen, I can guarantee you you have been hacked, all right? Incidentally, this is from
a devious site. They use style sheets, all right, so this text is always saying they use style sheets
to actually tone it the right color, to use the right font.
It's very, very, very hard to tell that this is actually a fraudulent injection into the website, all right?
Even the developers of the website look at this and go, "It looks just like our content," all right?
They are very, very good at this, all right? This is actually quite hard to detect, right? So the other
one is post transaction, and this is one that we've started to see in Europe, particularly in the U.K.
and in Germany, actually.
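The OTP flow the speaker describes is defeated because the "magic number" authorises whatever transaction is pending on the server, not the one the customer believes they are approving, so a destination rewritten by the injected script, or a transfer started silently in the background, gets the same code. The following is an added illustration, not code from Cisco or from the talk, of binding the OTP to the destination account and amount and echoing those details in the SMS; the server key, transaction store, account formats and sample transfers are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount_cents: int

# Constructed server-side secret and pending-transaction store (assumptions,
# not a real deployment: the key would live in an HSM and the store in a DB).
SERVER_KEY = b"example-server-otp-key-not-for-production"
PENDING: Dict[str, Transfer] = {}

def canonical(tx: Transfer) -> bytes:
    """Unambiguous byte encoding of the fields the OTP must cover."""
    return f"{tx.from_account}|{tx.to_account}|{tx.amount_cents}".encode()

def derive_otp(tx: Transfer, txn_id: str, digits: int = 6) -> str:
    """OTP = truncated HMAC over (transaction id, source, destination, amount)."""
    msg = txn_id.encode() + b"|" + canonical(tx)
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"

def issue(tx: Transfer, txn_id: str) -> Tuple[str, str]:
    """Record the pending transfer and build the SMS the customer will read."""
    PENDING[txn_id] = tx
    otp = derive_otp(tx, txn_id)
    # The message names what is being authorised, so a transfer the customer
    # never entered (e.g. to an unfamiliar account) is visible on the phone.
    sms = (f"Code {otp} authorises {tx.amount_cents / 100:.2f} "
           f"to account ending {tx.to_account[-4:]}. Not you? Call us.")
    return otp, sms

def confirm(txn_id: str, submitted_tx: Transfer, submitted_otp: str) -> bool:
    """Accept only if the submitted transfer equals the pending one and the OTP matches it."""
    pending = PENDING.get(txn_id)
    if pending is None or submitted_tx != pending:
        return False                      # destination or amount changed after issuance
    return hmac.compare_digest(derive_otp(pending, txn_id), submitted_otp)

def demo() -> Tuple[bool, bool]:
    """Constructed scenario: a legitimate confirmation, then a rewritten destination."""
    intended = Transfer("ACC-0001", "ACC-7777-1234", 50_000)
    otp, sms = issue(intended, "txn-1")
    ok = confirm("txn-1", intended, otp)
    rewritten = Transfer("ACC-0001", "ACC-9999-0000", 50_000)   # mule account (constructed)
    tampered = confirm("txn-1", rewritten, otp)
    print(sms)
    return ok, tampered

if __name__ == "__main__":
    print(demo())   # prints (True, False)
```

Two properties matter here. If the destination is rewritten after the OTP was issued, `confirm()` rejects the submission because the code was derived over the original destination and the pending record no longer matches. If instead the transfer was initiated in the background, as the speaker describes for SpyEye, the server-side check alone cannot help, but the SMS now states an amount and account ending that the customer did not enter, which is the cue the "Please enter your OTP to progress" overlay tries to suppress.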