Expert Group on E-Banking Security

Latest Updates:

  • 23-June-2012: Banks have succeeded in removing my account from Vimeo.com. Vimeo has deleted my account without informing me. You can watch the videos on the www.FaceBook.com/BrokenInternet page.
  • “Expert Group on E-Banking Security” has given a live demo to the RBI (Reserve Bank of India)
  • “Expert Group on E-Banking Security” has given a recorded demo and discussion DVD personally to the head of CERT-IN
  • FIR registered at the police station against HSBC Bank for sending people to my residence

In the last two months I have published three bank videos of Man-in-the-Browser / Man-in-the-Middle attacks. You can access these videos at the following links:

A couple of banking Trojans, including the Zeus Trojan, have been available in the wild for the last couple of years against many banks outside India, and many variants of this Trojan are also available. You don’t need an expert to develop these types of Trojans; a skilled programmer can do it easily.

On the internet, the identity of a person is always a problem; once a fraud happens, it is very hard to track the money and recover it. Banks need to understand the nature of the internet when exposing customer money through it, and take “preventive” steps at all possible levels, using both technology and non-technology methods.

Publishing these videos is done with good intentions; banks need to take steps in the right direction to protect online banking customers. Banks should have the right technical team of security experts to probe for these problems in their systems before a black hat hacker exploits them; this initiative prevents a lot of frauds.

Naavi.org has constituted an “Expert Group on E-Banking Security“. I have given a demo to this group to initiate discussions and take it to the next logical step. Mr. Na. Vijayashankar is the convener of this group. You can keep in touch with him for discussion about these videos:

Contact Info:  naavi@vsnl.com

Virus attack on HSBC Transactions with OTP Device

Disclaimer:  Author takes no responsibility for any actions with provided information

Latest Update:

  • 16/02/2012: Dropbox has blocked my public link for video file downloads, saying “I am hosting viruses in Dropbox”, but I have kept only videos of banks there and given the link on my website for download.
  • 02/02/2012: HSBC has sent goons to my residence, after failed attempts to bring down the content with the help of the service provider. I was not present at that time; they asked my family members rude questions. HSBC showed their method of how they deal with cyber security in India.
  • 01/02/2012: HSBC again asked the hosting provider to remove the video of the Man-in-the-Browser attack. Based on the request of the hosting provider, I have removed the video from this site and given external references to watch the same videos at Vimeo and Facebook.
  • 21/01/2012: www.yashks.com was disabled by the hosting provider (www.bluehost.com) without any notice to me. They acted on a complaint by HSBC Bank. The bank gave as its reason that “I am teaching how to hack HSBC bank”; this is a wrong reason. The video only shows the consequences and how it is going to affect online banking customers.

In the proof-of-concept videos of the last few weeks we saw the virus attack two other banks. The latest one is on HSBC online banking, using a similar Man-in-the-Middle / Man-in-the-Browser attack method. I am releasing this video to show what an attack can do to an online banking customer who uses the HSBC online banking facility with an OTP (One Time Password) device, and how it can result in a similar financial loss. As in the previous instances, I am not releasing the source code or binary of the virus, in order to prevent any kind of misuse by black hat hackers.

This video shows how a virus can take control of your Internet Explorer and manipulate HSBC Bank transactions in real time. The user logs into HSBC online banking with the help of a One Time Password (OTP) (a hardware device is provided to each user by HSBC Bank) and performs an online transaction. He has to provide a One Time Password (OTP), generated by the hardware token every minute, to confirm any kind of online transaction. The user is unaware that a virus is running in the background. In spite of the two-factor authentication, the virus is able to manipulate the transaction in real time without the user’s knowledge and redirects the funds to the attacker’s account. The reason the second factor does not help is that the OTP only proves that the token holder approved some transaction; it is not computed over the payee or the amount, so the code the user enters for the intended Rs. 34 transfer is equally valid for the transfer the virus actually submits.

For this demo, I have used Windows 7, Internet Explorer and Kaspersky anti-virus, all with the latest patches. The same virus can be extended to other browsers.


High-level description of the video:

User account name is: Naveen T.G in HSBC Bank with OTP Device

Destination account name is: Yash K.S in ICICI Bank

Attacker’s account name is: Yash K.S in Citibank

  1. User login and transaction: The user logs in as Naveen T.G (HSBC Bank) with the login password and a One Time Password (OTP). The user enters the destination account details along with the amount of Rs. 34, confirms the transaction by entering a One Time Password (OTP) and completes the transaction.
  2. User realization: The user checks the HSBC Bank account statement and sees that Rs. 10,000 has been transferred instead of Rs. 34, and that instead of going to the Yash K.S – ICICI Bank account, the amount has been transferred by the virus to the Yash K.S – Citibank account in real time.
  3. Verification of the attacker’s account: The video also shows the attacker’s account, i.e. the Yash K.S – Citibank account, where the money has been transferred, confirming that the virus succeeded in diverting the transaction.

The video has been removed from this site at the request of the hosting provider. If you would like to watch the video, please follow these instructions:

  • Search for “Virus attack on HSBC Transactions with OTP Device” on www.vimeo.com and watch the video – even this is blocked now. Vimeo has removed my account itself at the bank’s request. You can still watch it on the Facebook page.
  • Visit the “Broken Internet” Facebook page and watch this video.

Frequently Asked Questions

Q1) Why is an antivirus not able to identify this Trojan/virus?

A) Virus detection is done either signature-based or heuristics-based. To detect a virus by signature, the anti-virus vendor must first obtain a sample of it; otherwise it cannot be detected. A private proof-of-concept that has never been distributed has no signature anywhere, so a fully patched anti-virus failing to flag it is the expected outcome, not a measure of that product. Heuristic detection is based on the behaviour of the executable file, and most of the viruses in the wild today know how to evade these anti-viruses and other protection technologies.

Q2) Does the Trojan/virus have to be different for different banks, or is it the same for all banks?
A) The Trojans are specific to a bank. The attacker identifies the flaw in a particular bank’s flow and develops a Trojan to exploit it. In practice the bank-specific part is usually a configuration that tells a generic Trojan which pages to watch and which fields to rewrite, so supporting a new bank is cheap for the attacker.

Q3) What is the coincidence that the Trojan/virus present on my system is for the bank that I use?
A) A simple approach is to write a Trojan that identifies the bank and reports back to the attacker. The attacker can then infect the computer with a bank-specific Trojan. Smarter Trojans adapt to the situation because they carry code or configuration for multiple banks and select the matching one from the site the browser visits.

Q4) I don’t share my computer with strangers and I perform online transactions only from my own computer, so how can I get infected?
A) Computers get infected when users visit malicious websites or download freeware. For more than 10 years, Trojan/virus writers have been mastering the art of infecting end-user systems. Today’s underground market offers Pay-Per-Install (PPI) services to other criminals.

Q5) I perform online transactions only from my office environment, which is supposed to have the latest antivirus updates. Is there still a probability of infection?
A) Anti-viruses detect and cure only known Trojans/viruses. Protection mechanisms help mitigate the risk, but attackers invent new ways, using combinations of exploits, to bypass these protections.

Q6) Can I get infected when I visit malicious websites?
A) Yes. You cannot really tell whether a site is genuine or not, even with the most up-to-date antivirus.

Q7) Every time I transact, I immediately call the recipient to find out whether he/she has received the money. Is this a safe measure?
A) This is a good practice. But NEFT/RTGS transactions take a while to reach the destination account, and once an attack has happened it is really hard to recover your money.

Q8) Can I identify the Trojan/virus in the Task Manager and kill it? In what ways is it hidden on my computer?
A) Trojans/viruses hide from the Task Manager. Hiding from the Task Manager was in fact the first step in the evolution of Trojans/viruses. A Man-in-the-Browser component in particular typically runs as code injected into the browser process itself, so there is no separate process to look for in the first place.

Q9) If the InPrivate mode in web browsers is designed for sensitive activities, isn’t it safe enough?
A) InPrivate mode is useless for securing online banking. It only stops the browser from keeping history, cookies and cached pages on disk; it does nothing against code that is already running inside the browser. Online banking facilities are provided by banks, and it is up to them to find secure ways to offer them. The core focus of web browsers has never been to secure online banking transactions anyway.

Q10) Which is a safe web browser?
A) The same Trojan/virus can be extended to any browser. The core architecture of a given web browser stays the same for many years, and attackers don’t need that many years to master a browser.

Q11) So many millions of online transactions happen in India. I haven’t heard of any such incidents, especially as the media hypes any such online attacks when they occur. Why should I bother now?
A) Most of these attacks go unnoticed by the user since they happen in stealth; banks also attempt to hush up any such incidents. After all, it is their reputation at risk. That said, media attention on such topics is still low.

Q12) My online bank account holds a small amount and I don’t transact more than a couple of thousand. I will alert myself if I hear of any such incident or am attacked once.
A) By the time you are a victim, it is too late to say “next time”.

Q13) Some banks allow transfers only to pre-registered recipient accounts. In this case, how does the bank allow a transfer to a non-registered attacker’s account?
A) Take a look at the Citibank and ICICI Bank videos to learn more about how the attacks are performed. When an attacker targets a specific bank, his design takes the bank’s security measures into account and he performs an end-to-end attack. Payee registration is itself done through the same browser, so it is one more step in the flow that the Trojan can observe and manipulate rather than an independent control.

Q14) Isn’t this a worldwide problem? Our banks will copy the western world for such advanced safety measures, and most of the banks in India where I have online accounts are foreign banks. Haven’t all these problems already been solved?
A) Yes, it is a worldwide problem. Banks worldwide have similar problems but only “feel” that their online banking is secure. Such optimistic feelings are not backed by substantial proof.

Q15) Is it possible for a criminal who is not a hacker to get hold of such Trojan/virus code and infect a few machines to steal money?
A) Yes, many toolkits are available on the internet which criminals can configure and release into the wild. Banks should think outside the box and invest in building a controlled network for online banking.

Q16) I use many other online facilities of the bank. Is there a possibility of such attacks at a larger scale, where I can lose a large sum of money without my knowledge?
A) The risk exists all the time. Banks should take the right measures before a well-coordinated attack is planned by attackers.

Virus attack on ICICI Bank Transactions

Disclaimer:  Author takes no responsibility for any actions with provided information

Latest Update:

  • 18/01/2012: ICICI Bank has sent me a courier threatening legal action, a defamation case from Corporate Communications, if I don’t remove my videos and related content from my website, Facebook and Vimeo soon. They have claimed that these videos are false. They have asked me to close my ICICI Bank account within 30 days of this notice.
  • 21/12/2011: ICICI Bank has sent a mail asking me to remove the videos and related content from my website, threatening legal action from Corporate Communications.

I have developed a proof-of-concept virus to attack ICICI online banking using the Man-in-the-Middle / Man-in-the-Browser attack method. I am releasing a video (of only 8 minutes) to show what an attack can do to an online banking customer who uses the ICICI online banking facility and how it can result in financial loss. I am not releasing the source code or the binaries of the virus, to prevent any kind of misuse by black hat hackers.

This video shows how a virus can control your Internet Explorer and manipulate ICICI Bank transactions in real time. The user is unaware that a virus is running; he logs into ICICI online banking and performs an online transaction, and the virus modifies the destination payee information in real time and redirects the funds to an attacker’s account without the user’s knowledge. The same virus can be extended to any browser.

High-level description of the video:

User account name is: Yash K.S (ICICI Bank)

Destination account name is: Praveen Kumar (HDFC Bank)

Attacker account name is: Yash K.S (Citibank)

The user logs in as Yash K.S (ICICI Bank) and selects Praveen Kumar as the payee (destination account) for the fund transfer. The user keys in Rs. 18 and completes the transaction. Thereafter, the user checks the ICICI Bank mini-statement and sees that Rs. 750 has been transferred instead of Rs. 18, and that instead of going to Praveen Kumar, the amount has been transferred by the virus to the Yash K.S (Citibank) account in real time. The video also shows the attacker’s account, i.e. the Yash K.S (Citibank) account, where the money has been transferred, confirming that the virus succeeded in diverting the transaction.

The user is running Windows 7, Internet Explorer and Kaspersky Anti-virus with the latest patches.

Download mirrors:

1. Man in Browser attack on ICICI Bank video : Mirror-1

2. Man in Browser attack on ICICI Bank video : Mirror-2


Virus attack on Citibank Transactions

Disclaimer:  Author takes no responsibility for any actions with provided information

Latest Update: 

  • After this video, Citibank has taken small steps to mitigate this problem. It is the right step, but it is not enough.
  • 12-08-2011: YouTube removed this video. I have given other choices to watch or download the 8-minute video. Will continue to educate more audiences.

I developed a proof-of-concept malware almost a year back to attack online banking using the Man-in-the-Middle attack method. Now I have decided to release this video to the public to show how an attacker can perform a Man-in-the-Middle attack on Citibank India. Instead of posting the source code or binary file here (where black hat hackers may misuse it), I am posting a recorded video so that consumers are aware of these types of attacks. When a consumer transfers funds to A, this malware modifies the transaction to make sure it goes to B in real time, without the user’s knowledge.

Man-in-the-Middle and Man-in-the-Browser attacks are well known in internet banking. Zeus is a well-known malware of this kind, which has stolen more than 200 million US dollars from many users’ accounts without the consumers’ knowledge. Many black hat users have used the Zeus kit or its available sources, customized for different banks, to steal money; this malware has the capability to defeat mobile-based two-factor authentication. A few years back these types of attacks were not known; that does not mean it was not possible to perform them. They were waiting to happen, like many attacks that are still waiting to happen in the e-commerce world.

A high-level description of the demo video follows:

  • I will use my own Citibank username and password.
  • I will launch the MITM malware myself; normally malware hides in your system without your knowledge.
  • I will add a payee account, Praveen Kumar, before transferring funds. Citibank mandates adding a payee before transferring funds to another account.
  • NEFT transactions transfer funds from one bank to another bank, e.g. Citibank -> HDFC Bank.
  • When a payee is added in Citibank, it sends an OAC (Online Authentication Code, or One Time Password) to the registered mobile; the user has to enter this OAC on the Citibank authorization page to confirm the payee.
  • After a successful payee addition in Citibank, the user can transfer funds to the payee at any time. Some banks might require an additional password or OTP (One Time Password); it still does not matter for this type of attack.
  • In this demo you can watch how the malware redirects the fund transfer to a different bank and a different account number and increases the amount.
  • This malware is configurable: the attacker can specify any bank account as the attacker account.
  • These types of attacks are possible on many banks across the world. They are very sophisticated attacks, in which the malware does not need to steal the user’s authentication information.
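To make concrete what the HSBC steps above and this Citibank list describe, here is an added example in Python. It is written for this page and is not code from the author, from the malware in the videos, or from any of the banks. It models the browser-side rewrite of payee and amount and shows why a per-transaction OTP computed only from the token secret and a counter is accepted for the tampered transfer, while a transaction-signing code computed over the payee and amount the user actually sees is rejected. The token seed, account names, amounts and the two bank policies are constructed assumptions; the page does not say which OTP algorithm any of these banks uses, and the “bound” design is an alternative offered for comparison, not something the page attributes to them.

```python
"""Toy model of the man-in-the-browser attack from the HSBC and Citibank videos.

Added example, not the author's malware or any bank's code. Everything here
(seed, names, amounts, policies) is constructed for illustration.
"""
import hashlib
import hmac
import struct

# Constructed shared secret between the user's hardware token and the bank.
TOKEN_SEED = b"constructed-token-seed-not-a-real-key"

# What the user types into the browser (mirrors the HSBC demo: Rs. 34 to a known payee).
USER_REQUEST = {"payee": "Yash K.S (ICICI Bank)", "amount": 34}
# What the Trojan is configured to substitute (mirrors the demo outcome).
ATTACKER_CONFIG = {"payee": "Yash K.S (Citibank)", "amount": 10000}


def _truncate(mac: bytes) -> str:
    """Six-digit code from the first four MAC bytes (simplified HOTP-style truncation)."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def otp_unbound(counter: int) -> str:
    """Per-transaction OTP as the page describes it: a function of the token secret
    and a counter only. It proves the token holder approved *something*, not what."""
    msg = struct.pack(">Q", counter)
    return _truncate(hmac.new(TOKEN_SEED, msg, hashlib.sha256).digest())


def otp_bound(counter: int, payee: str, amount: int) -> str:
    """Transaction-signing code (assumed alternative design): the payee and amount
    the user sees are part of the MAC input, so the code is valid for exactly one transfer."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount}".encode()
    return _truncate(hmac.new(TOKEN_SEED, msg, hashlib.sha256).digest())


def mitb_rewrite(request: dict) -> dict:
    """The Trojan's hook between the browser form and the wire: swap payee and
    amount, leave everything else (including the OTP the user just typed) alone."""
    tampered = dict(request)
    tampered["payee"] = ATTACKER_CONFIG["payee"]
    tampered["amount"] = ATTACKER_CONFIG["amount"]
    return tampered


class Bank:
    """Toy back end. Policy 'unbound' checks the OTP alone; policy 'bound'
    recomputes it over the payee and amount that actually arrived."""

    def __init__(self, policy: str):
        self.policy = policy
        self.counter = 1      # next expected token counter
        self.ledger = []      # accepted transfers as (payee, amount)

    def transfer(self, request: dict) -> str:
        if self.policy == "unbound":
            expected = otp_unbound(self.counter)
        else:
            expected = otp_bound(self.counter, request["payee"], request["amount"])
        if not hmac.compare_digest(expected, request["otp"]):
            return "REJECTED"
        self.counter += 1
        self.ledger.append((request["payee"], request["amount"]))
        return "ACCEPTED"


def run(policy: str, infected: bool):
    """Simulate one transfer. Returns (bank's verdict, what actually left the account)."""
    bank = Bank(policy)
    # The user reads the code off the device. With the 'bound' design the user
    # first keys the payee and amount into the device (assumed device behaviour).
    if policy == "unbound":
        code = otp_unbound(bank.counter)
    else:
        code = otp_bound(bank.counter, USER_REQUEST["payee"], USER_REQUEST["amount"])
    browser_form = dict(USER_REQUEST, otp=code)
    on_the_wire = mitb_rewrite(browser_form) if infected else browser_form
    verdict = bank.transfer(on_the_wire)
    return verdict, bank.ledger


if __name__ == "__main__":
    for policy in ("unbound", "bound"):
        for infected in (False, True):
            verdict, ledger = run(policy, infected)
            print(f"{policy:8} infected={infected!s:5} -> {verdict:8} ledger={ledger}")
```

The “unbound”/infected run reproduces the outcome in the video: the code the user entered for Rs. 34 is accepted for Rs. 10,000 to the attacker’s account, because nothing in the OTP ties it to the transaction content. The “bound”/infected run is the control: the token signed what the user saw, so whatever the Trojan sends instead fails verification. The caveat a practitioner should keep in mind is that a Trojan controlling the browser can also lie about what it displays, so a signing scheme only helps if the user takes the payee and amount from a trusted display (the device, an SMS, a printed statement) rather than from the infected browser window.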

Note: Demos for more banks will follow.


Download a local copy of the video from the following mirrors (right click and Save As):

1. Man in Browser attack on Citibank video – 16MB  Mirror-1

2. Man in Browser attack on Citibank video – 16 MB Mirror-2


Older unedited version of the video:

1. Man in Browser attack on Citibank video – 29 MB Mirror-1

2. Man in Browser attack on Citibank video – 29 MB Mirror-2