Digital forensic analysis of a malware-infected machine – Case study

Internet banking has created a convenient way for us to handle our business without leaving home. Man-in-the-browser is a form of security threat in which a proxy Trojan infects a web browser by taking advantage of vulnerabilities in browser security and then modifies web pages or transaction content, or inserts additional transactions, all in a completely covert fashion invisible to both the user and the web application host. Carberp, SilentBanker, SpyEye and Zeus are the most important man-in-the-browser Trojans developed to target the banking and financial industry. Zeus, nicknamed “the king of banking Trojans” and the first known piece of malware sold under a license until 2011, entered the malware scene in 2007. Zeus can infect Windows PCs running the IE or Firefox browsers. The mobile variant, called ZitMo (Zeus in the mobile), entered the market in 2012; it can infect Windows, Android, Symbian and BlackBerry OS and defeats SMS-based “out of band” two-factor authentication for banking. Industry reports indicate that, next to Stuxnet, the malware that caused the most panic is Zeus.

ABC Bank (the client's name has been changed) is one of the banks offering net-banking services to its customers. One of its customers (an air-ticketing company), while performing an online transaction on April 2nd, 2014, observed on the bank's net-banking authorization page additional fields such as date of birth, mother’s maiden name and sort code, apart from the regular fields of name, card number, expiry date and security code. The customer furnished the information, “assuming the bank must have changed” the requirements from April 1st, 2014 (the start of the new financial year in India), and lost more than $0.6 million in the four days starting from April 2nd, 2014. The customer appealed to the bank to pay back the money, stating that the fault lay on the bank's side for not taking “reasonable security practices”.

ABC Bank hired the Fraud Management & Digital Forensic team under the Enterprise Security and Risk Management (ESRM) practice of TCS to conduct a forensic analysis of the customer's machine, to identify the presence of any malware and to establish the root cause of the incident with timelines.

Forensic analysis of RAM, volatile data, internet history, event logs and the registry is crucial when investigating an infected Windows machine. In this case, forensic analysis of these indicators of compromise revealed not only the source of the attack but also the nature and behavior of the malware. Infecting explorer.exe, disabling the firewall, altering the event logs and registry, creating an executable with a random name, hooking API addresses and injecting code into web pages to monitor online banking activities are a few of the features of this variant of the Zeus Trojan. The results obtained corroborated the facts of the case with timelines and protected the bank from legal and regulatory liability.
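The web-inject behaviour described above leaves a simple artefact that a fraud team or forensic analyst can check for: form fields on the captured authorization page that the bank's genuine page never contained. The following is an added illustration, not code from the paper or from TCS; the baseline field names, the captured page and the CSRF field name are constructed for the example.

```python
"""Flag form fields injected into a captured copy of a banking page.

A man-in-the-browser Trojan rewrites the page inside the browser, so the
server-side copy is clean while the victim's rendered copy carries extra
fields (here: date of birth, mother's maiden name, sort code). Comparing
the captured page against the bank's known baseline exposes the injection.
"""
from html.parser import HTMLParser

# Field names on the bank's genuine authorization form (assumed baseline).
BASELINE_FIELDS = {"name", "card_number", "expiry_date", "security_code",
                   "csrf_token"}  # hidden anti-forgery token is legitimate here


class FormFieldCollector(HTMLParser):
    """Collect (name, type) for every <input>, <select> and <textarea>."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            attrs = dict(attrs)
            name = attrs.get("name")
            if name:  # unnamed controls never reach the server
                self.fields.append((name.strip().lower(),
                                    (attrs.get("type") or "").lower()))


def find_injected_fields(page_html, baseline=BASELINE_FIELDS):
    """Return sorted field names present on the page but absent from the baseline.

    Hidden fields are deliberately kept: injects often add hidden markers too.
    Only submit/button controls are skipped, since they carry no user data.
    """
    collector = FormFieldCollector()
    collector.feed(page_html)
    observed = {name for name, ftype in collector.fields
                if ftype not in ("submit", "button", "reset")}
    return sorted(observed - set(baseline))


# Constructed sample of what the victim's browser rendered.
CAPTURED_PAGE = """
<form action="/authorize" method="post">
  <input name="Name"><input name="card_number">
  <input name="expiry_date"><input name="security_code">
  <input name="date_of_birth"><input name="mothers_maiden_name">
  <input name="sort_code">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="submit" name="go" value="Authorize">
</form>
"""

if __name__ == "__main__":
    for field in find_injected_fields(CAPTURED_PAGE):
        print("possible web inject:", field)
```

Run against a page saved from the victim's browser (or a screenshot transcribed to HTML) and against the bank's own template; only the former should report anything.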

The detailed paper is attached here as a PDF; it has been accepted for publication in an international journal.

By Sastry Pendyala
