As banks allow their customers access to critical internal banking applications, it is increasingly difficult for them to protect their businesses using traditional security measures. Financial institutions and businesses involving internet banking, online brokerage, alternative payment solutions or e-commerce websites in particular face a growing number of targeted attacks. These online banks and their customers are the targets of focused hacking attempts from fraudsters who are constantly trying to execute fraudulent transactions, often resulting in losses amounting to millions of dollars. The attacks come in the form of Man-in-the-Browser (MitB) Trojans, viruses, key-loggers, rootkits, browser redirection and other malware.

As integrated components of the ThreatMetrix™ Cybercrime Defender Platform, TrustDefender™ Cloud and TrustDefender Client provide the perfect solution to help financial institutions mitigate the risk of even the most sophisticated malware and prevent fraud in a seamless and minimally invasive manner.

The Problem

Financial institutions face a growing problem: the ability of many kinds of malware to infect an end-user’s device, allowing hackers to collect critical information from legitimate users as well as to fully control any Internet sessions initiated from the end-user’s device. Compromised sessions include Internet banking, online brokerage or other financial account service transactions (loan applications, credit card applications, etc.). Trojans in particular can modify any website according to their configuration and the end user can’t distinguish which parts of the website are legitimate and which parts are “injected” using the MitB Trojan. In fact, the end user is almost never aware that their computer is compromised in the first place.

Two-factor authentication is no protection against MitB Trojans, which is one reason they have become popular. Using this HTML injection technique, MitB Trojans can circumvent and attack any kind of two-factor authentication. The Zeus Trojan is one of the most prolific and high-profile MitB Trojans, and is still operating today due to its large distribution network (crimeware as a service). Despite its well-understood technology, it is the single most successful MitB Trojan.

Machine resident malware is another major problem. Customers connecting to banking applications may be doing so via infected desktops and laptops. Malware resident on these machines is designed in particular to spy on computer activity and collect sensitive information, including usernames and passwords. Thus when customers conduct banking or other financial service transactions, the account credentials are captured, usually with additional details like physical address information, phone numbers, identity verification information (secret questions/answers) and account balances. Zero-day variants of Trojans and other malware add to the problem. Although anti-virus software is helpful in reducing machine resident malware, it often gives legitimate customers a false sense of protection against malware. Even when anti-virus signature files are updated daily, they cannot protect against zero-day attacks. The same is true for anti-virus software on the machines of corporate employees, a desirable target for determined fraudsters and hackers.

ThreatMetrix Malware Detection

The ThreatMetrix Cybercrime Defender Platform includes the TrustDefender Cloud and TrustDefender Client products. These malware protection products detect malicious software present on online banking customers’ machines and prevent the malware from carrying out its reconnaissance or fraudulent transaction activity.

TrustDefender™ Cloud

ThreatMetrix TrustDefender Cloud is a completely transparent, SaaS solution specifically designed to protect online transactions from even the most sophisticated web-based attacks, including web session manipulation, cookie hijacking and MitB attacks. TrustDefender Cloud can detect web attacks coming from any client device, whether it is a PC, Mac or mobile device. TrustDefender Cloud uses JavaScript to employ various techniques to detect the presence of malware on the endpoint, including:

  • Patented page fingerprinting techniques to detect any page modification in real-time
  • Tagless device identification that creates a unique fingerprint for fraud detection purposes
  • Malware forensics to identify malware present on the device

All of this happens completely in the background, without requiring any downloads or registration process. As TrustDefender Cloud is based on web standards, it works on all browsers and devices, including PC, Mac, iPad, iPhone, Android, and Kindle devices.

This approach enables TrustDefender Cloud to detect a compromised device used by an end user in the most generic way. It doesn’t matter whether it’s an ultra-sophisticated, highly targeted advanced persistent threat (APT) attack, or adware or spyware on the end user’s device. TrustDefender Cloud will be able to detect it.

Using TrustDefender Cloud, financial institutions can:

  • Instantly determine whether they are targeted by any MitB Trojan, including Zeus, SpyEye, Carberp, Silon, Gozi, Torpig and others
  • Manage online security threats from many types of web-enabled devices
  • Protect customer data from identity theft or insecure transactions
  • Reduce costs of fraudulent transactions and data breaches
  • Make existing fraud prevention efforts more efficient and effective

How TrustDefender Cloud Works

TrustDefender Cloud employs its patented page fingerprinting method to detect any kind of MitB Trojan instantly. TrustDefender Cloud does not rely on blacklists or the explicit knowledge of particular Trojans. Instead, it employs a “whitelist” approach in the sense that TrustDefender Cloud knows what the page really looks like. If a Trojan (even an unknown or unseen one) changes anything on the page, TrustDefender Cloud will instantly alert you in real time.

This means that TrustDefender Cloud will not only detect the common MitB threats (e.g. from Zeus or SpyEye), but will also identify targeted attacks. And it will not only alert you to an infected computer trying to connect, it will also give you critical knowledge as to how the endpoint is infected.

Any solution that relies on blacklists or signatures detects only a few high-profile Trojans and leaves you exposed to targeted and zero-day attacks. This is where the whitelisting approach is so powerful.

ThreatMetrix’s patented page fingerprinting technique is unique in that it doesn’t rely on pattern updates or signatures. It creates a unique fingerprint of the page structure on the client’s device so the Cybercrime Defender Platform can verify the integrity of the client computer in real time.
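The whitelist idea described above can be illustrated with a small structural comparison. This is an added example, not ThreatMetrix code and not the patented algorithm; the function names, tracked elements and sample pages are assumptions made for the illustration.

```javascript
// Added illustration: structural "whitelist" check for injected page elements.
// Not ThreatMetrix's algorithm; every name and sample below is hypothetical.
const TRACKED = new Set(['form', 'input', 'select', 'textarea', 'script', 'iframe']);
const ATTRS = ['name', 'type', 'action', 'src'];

// Reduce markup to an ordered list of signatures such as "input[name=user,type=text]".
// A browser implementation would walk the live DOM; a string scan keeps this runnable offline.
function structuralSignature(html) {
  const out = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!TRACKED.has(tag)) continue;
    const kept = [];
    for (const attr of ATTRS) {
      const re = new RegExp('(?:^|\\s)' + attr + '\\s*=\\s*(["\'])(.*?)\\1', 'i');
      const a = re.exec(m[2]);
      if (a) kept.push(attr + '=' + a[2]);
    }
    out.push(tag + '[' + kept.join(',') + ']');
  }
  return out;
}

// Compare what the client rendered with the baseline the server knows it sent.
function compareToBaseline(baseline, observed) {
  const counts = new Map();
  for (const s of baseline) counts.set(s, (counts.get(s) || 0) + 1);
  const injected = [];
  for (const s of observed) {
    const n = counts.get(s) || 0;
    if (n > 0) counts.set(s, n - 1); else injected.push(s);
  }
  const missing = [];
  for (const [s, n] of counts) for (let i = 0; i < n; i++) missing.push(s);
  return { clean: injected.length === 0 && missing.length === 0, injected, missing };
}

// Constructed sample pages (not taken from any real site).
const SERVED = '<form action="/login"><input type="text" name="user">' +
  '<input type="password" name="pass"></form><script src="/static/app.js"></script>';
const RENDERED = '<form action="/login"><input type="text" name="user">' +
  '<input type="password" name="pass"><input type="text" name="atm_pin"></form>' +
  '<script src="/static/app.js"></script><script src="https://cdn.example.invalid/x.js"></script>';

const report = compareToBaseline(structuralSignature(SERVED), structuralSignature(RENDERED));
console.log(report);
```

The report names the extra form field and script, so no signature of a specific Trojan is needed. The comparison belongs on the server side, since code running in a compromised browser can itself be altered.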

It doesn’t matter whether the MitB Trojan injects visible content elements, such as personal information:

TrustDefender Client

ThreatMetrix TrustDefender Client extends the protection offered by TrustDefender Cloud to include machine resident malware that cannot be detected by JavaScript alone. TrustDefender Client is a lightweight client application that scans the machine initiating online transactions at an extremely comprehensive level. This scan includes probing the kernel, operating system, applications, network and transaction for any suspicious activity. Using this multilayered scanning methodology, TrustDefender Client can discover many hidden malware items that are not detected by the leading anti-virus products. The kinds of malware detected include Trojans, viruses, key-loggers, rootkits and spyware. If malware is detected on the machine, TrustDefender Client can choke the resources used by the malicious software, rendering it useless, while at the same time allowing online transactions to execute in a secure browsing mechanism. With this layered approach, ThreatMetrix is able to provide a comprehensive solution with redundant defenses, making TrustDefender Client subversion resistant, as well as extremely effective against unknown or zero day attacks.

How TrustDefender Client Works

TrustDefender Client secures the end-point, hardens the communication between a bank’s client and the bank’s trusted web servers, and provides risk based access and transaction screening based on enterprise policies. It focuses on five key layers on the customer machine as follows.

Kernel – TrustDefender Client will detect and disable Kernel Rootkits and malware hidden from antivirus software in the operating system kernel, as well as malware hidden in malicious Browser Helper Objects (BHOs). TrustDefender Client provides the most advanced malware and rootkit detection available on the market today, and this layer of protection works against MitB Trojans like Zeus, key-loggers, and other malware that hooks into the kernel at this level.

Operating System – Working at the operating system level, TrustDefender Client actually helps to prevent malware from compromising the machine in the first place. When the user requests a site protected by TrustDefender Client, a secure handshake with the ThreatMetrix Cybercrime Defender Platform verifies the security health of the end computer even before the first page is loaded. This is configurable, and this solution can verify and enforce endpoint security protections, making sure existing protections such as AV, firewall and OS patches are in place and up to date. The issuing financial institution can set the policy on what action to take (whether the transaction should be allowed, whether the user should be notified of the infection) based on the risk profile the bank is comfortable with. This flexibility reduces the number of malware infections, which helps achieve the ultimate goal of reduced liability and exposure for the bank and its customers.

Applications – At the application level, the solution validates trusted OS processes using in-memory screening for hidden malware, with a direct memory access approach to avoid subversion. This mechanism also uses a global whitelisting approach to verify processes against their signatures, with rapid classification of new whitelisted processes. Because this part of the solution checks process signatures against a whitelist, which essentially means “guilty until proven innocent”, it is not susceptible to zero-day attacks.

Network – At the network level, the solution provides secure communications between the machine requesting a transaction and the financial institution. TrustDefender Client analyzes all outgoing connections and detects when the device is connecting to a protected service. At the same time, TrustDefender Client sends a scrambled client ID, encrypted hardware fingerprint, connection fingerprint details as well as other client security parameters that are evaluated by the Cybercrime Defender Platform. The hardware fingerprint is determined to be new or known for the user ID, and the connection fingerprint is cross-validated to prevent any DNS-spoofing, Man-In-The-Middle or other pharming attacks. If an anomaly is detected in the connection’s fingerprint, for instance if malware has modified the “hosts” file on the client to point to an attacker IP address, the system can take action.

In addition to the mutual authentication process, TrustDefender Client also implements a dynamic firewall that blocks any Internet requests to untrusted domains and IP Addresses for the duration of the transaction or session.
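The hosts-file anomaly mentioned in the Network layer above can be checked with a short parser. This is an added example, not TrustDefender code; the protected domain list, function names and sample file are constructed for the illustration.

```javascript
// Added illustration: flag hosts-file entries that override protected domains.
// PROTECTED and SAMPLE_HOSTS are constructed; this is not TrustDefender code.
const PROTECTED = ['bank.example', 'login.bank.example'];

// Hostnames are case-insensitive and may carry a trailing dot.
function normalizeHost(h) {
  return h.toLowerCase().replace(/\.$/, '');
}

// Parse hosts-file text into { ip, host, line } records, ignoring comments and blanks.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const fields = raw.replace(/#.*$/, '').trim().split(/\s+/).filter(Boolean);
    if (fields.length < 2) return;
    for (const host of fields.slice(1)) {
      entries.push({ ip: fields[0], host: normalizeHost(host), line: i + 1 });
    }
  });
  return entries;
}

// A protected name should resolve through DNS, so any local override is an
// anomaly worth reporting, whatever address it points to.
function findOverrides(text, protectedHosts) {
  const wanted = new Set(protectedHosts.map(normalizeHost));
  return parseHosts(text).filter((e) => wanted.has(e.host));
}

const SAMPLE_HOSTS = [
  '# constructed sample',
  '127.0.0.1   localhost',
  '::1         localhost',
  '203.0.113.7 LOGIN.bank.example. www.other.example  # appended entry',
  '#198.51.100.9 bank.example',
].join('\n');

console.log(findOverrides(SAMPLE_HOSTS, PROTECTED));
```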

Transactions – TrustDefender Client verifies transactions with a centralized intelligence and control application that is part of the Cybercrime Control Center. This allows custom configuration of both endpoint and application behavior based on the assessed risk of the device and transaction, providing enterprises with the ability to integrate real-time risk scores, reason codes and attributes into existing third-party authentication and authorization applications via a secure web API. And, there are more than 40 security attributes from this product available to the rules engine common to all ThreatMetrix products.

Unlike other products that rely primarily on either blindly blocking malware and/or band-aid type patches to the browser and keyboard as new threats are discovered, TrustDefender Client uses a layered approach that attacks the malware problem at its core by recognizing and unhooking the malware itself, as well as blocking unauthorized processes through CPU starvation and network access.

Mobile Platforms

The ThreatMetrix Cybercrime Defender Platform also extends to mobile devices and transactions coming from mobile browsers. As mobile handhelds are of particular concern, this section highlights a few important technical details with regard to mobile browsers.

TrustDefender Cloud uses only minimal client resources and therefore it works well on any mobile browser that implements JavaScript at least in part. TrustDefender Cloud has been tested with the most common mobile operating systems including BlackBerry, Symbian, iOS and Android. The page fingerprint algorithm works exactly the same way, hence all the features of TrustDefender Cloud are available to their full extent on these mobile devices.


Banks and their customers are increasingly at risk of financial fraud by motivated hackers who apply sophisticated techniques. A new wave of attacks compromises legitimate users’ desktops, laptops and mobile devices, attempting to circumvent the various customer identification mechanisms deployed by financial institutions today.

Authorized customer compromise occurs through two broad methods. One method plants machine resident malware and tries to steal usernames, passwords, screenshots and other data to be used for financial fraud. The other method infiltrates and hijacks current customer sessions through MitB and session hijacking techniques. Both these methods have become very sophisticated, and almost always occur without the user’s or the bank’s knowledge.

ThreatMetrix offers a holistic, layered approach to preventing web-application and machine resident malware from conducting financial fraud. TrustDefender Cloud is an essential defense against MitB Trojans, identifying zero-day and targeted attacks as well as the well-known and ubiquitous Trojans such as Zeus and SpyEye. TrustDefender Client detects and prevents rootkits, spyware, key-loggers and other machine resident malware from compromising customers’ banking sessions or leaking their banking credentials. When integrated with the ThreatMetrix Cybercrime Defender Platform, TrustDefender Cloud and Client are part of a comprehensive security solution that integrates device identification with malware detection to protect online transactions and identities.
