When is a man-in-the-middle attack not a man-in-the-middle attack? When it gains access to bank accounts by skirting text-based two-factor authentication. That’s what’s happening in an international cyber attack known as Operation Emmental.
The attack got its moniker from Trend Micro researchers who liken online banking security to Swiss or Emmental cheese: both can be full of holes. The criminals target overseas bank accounts that use two-factor authentication. It is a variation on a man-in-the-middle attack in that the attackers capture the one-time session tokens used in the authentication process, not by sitting on the network path between customer and bank but by planting malware on the customer's own PC and phone. In this case, the tokens are usually sent as text messages to mobile devices.
“It begins with a spear phishing attack that is specific to a customer of a specific financial institution, and they actually know what kind of institution you conduct business with and what types of emails you’re traditionally receiving from them,” says Tom Kellermann, chief cybersecurity officer for Trend Micro. The attackers customize the language and the social engineering accordingly, asking each recipient to click on a link. Many customers have been fooled.
“Once the email link is clicked on, a Windows binary is installed on the machine that not only obfuscates itself but deletes itself from the registry of the system and then hides itself in image files, which is very elegant and very reminiscent of the intelligence community as a whole,” Kellermann says.
When the user next tries to log in, the phishing site the malware steers them to reports that authentication failed and prompts them to download what turns out to be a malicious Android app, supposedly to reinstall the text message authentication system. Once installed, the app intercepts the bank's one-time passwords as they arrive by text message and forwards them to the attackers, so each code grants account access to both the user and the hacker.
Kellermann says very sophisticated former Soviet bloc computer scientists who’ve been conducting high levels of reconnaissance on the financial sector are leveraging the attack. He says the hackers have been effective against Swiss, German, Swedish and Austrian financial institutions. “All have greater levels of security than their U.S. counterparts.” Banks in Japan have also been hit.
The malware has spread to dozens of financial institutions around the world. The targeted banks are ones that follow the directives of European regulators to implement two-factor authentication via one-time passwords for their customers. German-speaking financial institutions are the primary victims. Kellermann says the hacker crews likely originated in Russia and Romania but are fluent in German.
“It’s very difficult to ascertain who’s behind this because many times they utilize compromised devices to leverage these attacks,” Kellermann says. “It really speaks to the evolution of capabilities that have been created in the arms bazaar of the former Soviet bloc, and that two-factor authentication and encryption alone will not protect you.”
A strike against two-factor authentication
Emmental is no man-in-the-middle attack, says Pierluigi Paganini, chief information security officer at the digital security firm Bit4id and security researcher for the InfoSec Institute.
“The activity detected by experts at Trend Micro was based on a first stage phishing campaign,” Paganini says. “Phishers are concentrating their efforts to break into hosting providers with unprecedented success and abusing their resources to conduct large-scale phishing campaigns. The cyber gang behind Operation Emmental used malware to install illegitimate certificates to trust the phishing website used in the attack scenario.”
Paganini says the malware spread by the Emmental attackers exploits a weakness in the single-session token protection strategies still used by many financial institutions: one code, valid for the whole session, is all an attacker needs. “Fortunately, the security industry provides more advanced defensive solutions to avoid such incidents,” he says. “The real problem is that such countermeasures represent a further cost for the organization.”
On the other hand, Paganini notes it’s not the bank’s responsibility to protect clients in phishing scenarios, especially when users choose to install untrusted apps or visit questionable Web sites. “Banks have to inform their clients of the risks related to principal cyber threats. But in the majority of cases, customers’ habits enlarge their surface of attack,” he says. “Bad habits, like the installation of mobile apps from third parties, are the principal cause of success for cyber attacks.”
Trend Micro cites the weakness of single-session token protection strategies as a problem with these attacks. “Banks and other organizations that continue to use these are exposing themselves and their customers to rogue mobile apps,” the report states.
Institutions need to use more advanced defenses, which include multiple transaction authentication numbers (TANs, one per transaction rather than one per session), photo-TANs and card readers, where the code is generated on a device the malware cannot read and is tied to the details of the specific transfer. While these are more complicated to maintain, organizations should determine whether they are worth the investment.
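To make the difference between a session token and a transaction-bound TAN concrete, here is an added illustration (written for this article, not code from Trend Micro or any bank). Under the single-session scheme, the intercepted code authorises whatever transfer follows; under the transaction-bound scheme the code is an HMAC over the beneficiary and amount, so the code the customer received for their own transfer fails when replayed against the attacker's. The customer key, account numbers and amounts are constructed sample data, and the 6-digit truncation is an assumption chosen to resemble a real TAN.

```python
"""Session-bound vs transaction-bound one-time codes (illustrative, not bank code)."""
import hashlib
import hmac
import secrets

# Constructed sample data for the demonstration.
CUSTOMER_KEY = b"per-customer secret shared with the TAN generator"
INTENDED = {"iban": "CH9300762011623852957", "amount_cents": 5_000}
ATTACKER = {"iban": "RO49AAAA1B31007593840000", "amount_cents": 950_000}


def issue_session_token() -> str:
    """Single-session token: a random 6-digit code, independent of any transaction."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_session_token(issued: str, entered: str) -> bool:
    """The bank only checks the code; whatever transfer follows in the session is accepted."""
    return hmac.compare_digest(issued, entered)


def issue_transaction_tan(key: bytes, tx: dict) -> str:
    """Transaction-bound TAN: HMAC over beneficiary and amount, truncated to 6 digits."""
    msg = f"{tx['iban']}|{tx['amount_cents']}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def verify_transaction_tan(key: bytes, entered: str, tx: dict) -> bool:
    """Recompute the TAN for the transaction actually submitted and compare."""
    return hmac.compare_digest(issue_transaction_tan(key, tx), entered)


def replay_intercepted_code(scheme: str) -> bool:
    """The attacker holds the code the bank sent for the customer's own transfer.

    Returns True if the attacker's transfer (ATTACKER) is accepted with that code.
    """
    if scheme == "session":
        code = issue_session_token()             # texted to the customer, forwarded by the rogue app
        return verify_session_token(code, code)  # nothing ties it to INTENDED, so ATTACKER goes through
    code = issue_transaction_tan(CUSTOMER_KEY, INTENDED)  # the code the customer actually received
    return verify_transaction_tan(CUSTOMER_KEY, code, ATTACKER)


if __name__ == "__main__":
    print("session token replayed against attacker transfer:", replay_intercepted_code("session"))
    print("transaction TAN replayed against attacker transfer:", replay_intercepted_code("transaction"))
    honest = issue_transaction_tan(CUSTOMER_KEY, INTENDED)
    print("honest transaction TAN accepted:", verify_transaction_tan(CUSTOMER_KEY, honest, INTENDED))
```

One caveat the article's recommendation already implies: binding the code to the transaction only helps if the attacker cannot request a code for their own transfer through the same channel. A rogue app that reads every incoming text message can do exactly that, which is why photo-TANs and card readers, which generate the code on a separate device and show the customer the transfer details, are listed alongside per-transaction TANs.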
Personal responsibility of users aside, Kellermann thinks there’s much more banks can do to protect and educate consumers. “I think that most financial institutions should be deploying breach detection systems,” Kellermann says.
Banks can also use Domain-based Message Authentication, Reporting and Conformance (DMARC), an email and domain name authentication standard that can identify non-legitimate emails. “Many financial institutions and corporations have paid a lot of attention to authentication, but they haven’t paid sufficient attention to the authentication of emails or of the domain names,” Kellermann says. “They’re not appreciative that their reputations extend beyond their given website and beyond their given employees or the credentials that are issued.”
He says companies have an extension of themselves in cyberspace that doesn’t exist in the brick and mortar world. “You have to be responsible for the reputation and the personification of your reputation in the wider domain that is cyberspace,” Kellermann says. “So at least provide folks with a way to associate whether something is you or is not you in the greater environment.”
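As an added example of what the DMARC check Kellermann describes actually decides (this is illustrative code written for this article, not a full RFC 7489 implementation and not anything from Trend Micro or a bank), the following evaluates a receiver's disposition for three constructed messages: a genuine mail from the bank, a spoofed From header, and a lookalike domain. The domain names, the published policy and the organisational-domain shortcut (last two labels rather than the Public Suffix List) are all assumptions made for the demonstration.

```python
"""Minimal DMARC evaluation: parse the policy, test SPF/DKIM alignment, return a disposition."""
from typing import Optional

# Constructed sample data: DMARC records a receiver would find at _dmarc.<domain>.
# The lookalike domain deliberately publishes nothing, as an attacker's domain would.
PUBLISHED_POLICIES = {
    "example-bank.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-bank.com",
}

# Constructed messages: (label, RFC5322.From domain, SPF-authenticated domain, DKIM d= domain).
SAMPLES = [
    ("genuine bank mail",   "example-bank.com", "mail.example-bank.com", "example-bank.com"),
    ("spoofed From header", "example-bank.com", "bulk-sender.example",   None),
    ("lookalike domain",    "examp1e-bank.com", "examp1e-bank.com",      "examp1e-bank.com"),
]


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into tags, applying the relaxed-alignment defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Crude organisational-domain approximation (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode accepts the same organisational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str, spf_domain: Optional[str], dkim_domain: Optional[str]) -> str:
    """Return 'pass' if either SPF or DKIM is aligned, else the policy's disposition."""
    policy = parse_dmarc(record)
    if aligned(from_domain, spf_domain, policy["aspf"]) or aligned(from_domain, dkim_domain, policy["adkim"]):
        return "pass"
    return policy["p"]          # 'none', 'quarantine' or 'reject'


def classify_samples() -> dict:
    """Look up the policy for each message's From domain and evaluate it."""
    results = {}
    for label, frm, spf, dkim in SAMPLES:
        record = PUBLISHED_POLICIES.get(org_domain(frm))
        results[label] = evaluate(record, frm, spf, dkim) if record else "no DMARC record"
    return results


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:20s} -> {verdict}")
```

The spoofed message is rejected because neither the SPF-authenticated domain nor a DKIM signature aligns with the bank's From domain, which is the "is this really you" signal Kellermann is asking banks to publish. The lookalike case shows the limit of that signal: DMARC is consulted at the sender's own domain, so a registered lookalike passes straight through and must be caught by other means.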
Neither Emmental nor two-factor is going away
While two-factor authentication is good, it needs to be coupled with other systems. “I am a huge proponent of two-factor authentication,” Kellermann says. “There needs to be greater levels of transaction verification and customer verification beyond just two-factor authentication, especially when it relates to the transfer of funds or the transfer of credentials.”
Trend Micro researchers recommend better communication between the fraud departments and IT security departments of financial institutions, because bank heists have evolved to cyber-based fraud. Kellermann says 98% of financial fraud and bank heists are occurring in cyber space now. That’s why he wants to see authentication expanded beyond the customers to the financial institutions and their extensions.
“Just because you can authenticate that a real domain is a real domain, you should also be allowed to give visibility or transparency into when a fake domain or a fake email is not a legitimate financial vehicle for you,” Kellermann says.
He expects the evolving Emmental attack to spread to other countries. He points out that even though two-factor authentication is not mandated in the United States for banking customers, it is widely used for employees of financial institutions as well as for partners and high net worth individuals who conduct business with such institutions.
“These types of attacks will begin to flourish,” Kellermann says. “What you’ll see is large scale infestations of hackers as they penetrate financial institutions themselves versus merely picking the pockets of the customers as they transact from their mobile device.”