Identify theft: Complacency is Enemy No 1, says F5 expert
By Benjamin Cher September 24, 2015
- The ‘it won’t happen to me’ attitude the greatest threat
- Man-in-the-browser attacks a new avenue of attack
THE high penetration rate of smartphones in Asia – with Singapore and Hong Kong at 87% and Malaysia at 80% according to a Nielsen report – has opened up a new avenue for identity thieves to strike.
The subsequent rise of Internet banking has led to a corresponding increase of malware and trojans that steal login credentials to gain access to funds in banks and other financial institutions.
One such malware campaign is ‘Dyre Wolf,’ which according to IBM Managed Security Services (PDF), uses the Dyre or Dyreza malware that directly targets corporate banking accounts, and has successfully stolen upwards of a million dollars from unsuspecting companies.
“There are numerous trojans out there, especially financial trojans like Dyre, that get installed at endpoints,” said Edwin Seo, regional security architect, Asia Pacific and Japan, F5 Networks.
“Mobile devices are not spared either – there are cases where the threat actor creates a mobile app that looks similar to a banking app, and uses spear phishing to steal login credentials,” he told Digital News Asia (DNA) in Singapore.
F5 Networks customers in financial institutions have told the company that Dyre has reached Asian shores, according to Seo. Cybercriminals are not geographically-confined, and can target anyone, anywhere.
“How these criminals work is that they attack in campaigns – for example, today they can target Europe, and then move on to Asia,” he said.
“Even local banks have been calling up to ask if there are solutions to stop Dyre,” he added.
This threat to organisations, especially those in the financial services industry, is being aided by a different kind of C&C: Compliance and complacency.
Compliance and complacency
The financial services industry is one of the most heavily regulated, and compliance is often touted as a form of security assurance.
However, Seo (pic above) argued that compliance is just a single aspect of security.
“It is basically to tell the authorities that they [financial institutions] have covered the bases, and to not poke around anymore.
“The various regulations do cover a wide range of issues, but … [just] putting in solutions or devices to deal with compliance is not enough,” he added.
Seo said there is instead a need for defence against complacency and shedding the “it won’t happen to me” attitude.
“Organisations should not have this complacent attitude, where they see their neighbours getting attacked and think it won’t happen to them,” he said.
More avenues of attack
Attacks these days can come via a multitude of vectors, according to Seo. For example, the BYOD (Bring Your Own Device) trend has organisations allowing personal device access to corporate networks.
“BYOD allows infected devices to become a channel for the threat actor to hide, spread, and steal information, utilising the credentials of an employee,” he said.
Another vector are insecure public-facing web applications, he added, citing zero-day vulnerabilities like Shellshock and Heartbleed.
Cybercriminals took advantage of the window of opportunity to breach organisations which were slow to patch the vulnerability or lacked the technology to protect their web applications, according to Seo.
“Once they gain control, they can do whatever they want – from stealing data to using servers to launch botnet attacks,” he said.
Today’s expanded ‘playground’ means cybercriminals have more options when it comes to how they can steal login credentials, and don’t have to depend on keylogging software or database breaches. They can also use web injects.
“For example, when you log into your Internet banking account, additional fields might pop up on the web page with your ATM PIN (automated teller machine personal identification number),” Seo said.
“This might fool both tech-savvy and non-tech-savvy people, as the webpage might appear to be legitimate, with an SSL (secure socket layer) key – but the malware might be executing a ‘man-in-the-browser’ attack,” he added.
Man-in-the-browser attacks refer to attacks that modify webpages to insert or modify content that is invisible to the host web application.
To counter these new threat vectors, companies should put in the necessary measures, and according to Seo, securing Internet-facing applications or property should be on top of their priority list.
“That is a natural channel for threat actors, who are always looking for opportunities to enter,” he said.
And jail-breaking should be discouraged, as its puts a kink in security.
“Threat actors think of creative ways to enter networks, and a jailbroken device can provide that,” Seo said.
An indepth defence strategy is the only way to go. While a firewall might have sufficed 10 to 15 years ago, it is just not up to the task in today’s world.
“There’s this misconception that using technology like a firewall is sufficient to protect networks,” Seo said.
“You have to look at other technologies, and there is a general consensus in the security industry that in protecting web applications, you need a web application firewall and not just a firewall or other traditional measures,” he added.
Web application attacks are often tuned and created for a particular application, and thus might be missed by traditional security measures, he argued.
“People have stepped out to say, ‘Use the right tools to protect the right services’,” he added.
Remediation vs being proactive
While remediation – fixing things after a breach – plays its role, it pays even more to be proactive in securing your networks, argued Seo (pic).
“The forensic guys trace back the cause, you get a report, a head rolls, and you remediate after the incident,” he said.
“Compare that to proactively trying to prevent incidents – while this may not catch 100% of all attacks, being able to reduce this to 10% to 20% from 100% is still considered a win in my book,” he added.
He however acknowledged that neutralising attacks from a public-facing application or infrastructure will not be as easy.
“For example, if you are a bank customer who has been compromised, often the bank takes the financial hit from a fraudulent transaction,” Seo said.
“However, if a significant part of the customer base has been compromised, the financial hit for a bank will be significant,” he added.
Related Stories:
Plugging the gaps in today’s threat landscape
225K+ Apple accounts stolen from jailbroken devices: Palo Alto Networks
iOS and Android targeted by Man-in-the-Middle attacks
Identity and access management: 5 things to watch out for
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.
