
Re: None

Tuesday, 09/04/2018 5:08:04 PM


Post# of 249560
‘CamuBot’ Banking Malware Ups the Trojan Game with Biometric Bypass

https://threatpost.com/embargo-banking-malware-camubot-tries-to-bypass-some-biometric-account-protections/137131/


CamuBot is a unique malware targeting Brazilian bank customers that attempts to bypass biometric account protections.


Brazilian bank customers are being warned of malware dubbed CamuBot that hides in plain sight and presents itself as a required end-user security module provided by a bank.

The malware goes so far as to include bank logos that look and feel as if they’re part of a real security application. In some cases, the malware can also hijack one-time passwords used for biometric authentication.

In a report by IBM X-Force released Tuesday, researchers said CamuBot was first spotted in August 2018 in a targeted attack against business-class banking customers. The name, CamuBot, was given to the malware because it attempts to camouflage itself as bona fide branded security software.

“The malware’s operators are actively using [CamuBot] to target companies and public-sector organizations, mixing social engineering and malware tactics to bypass strong authentication and security controls,” said Limor Kessem, a global executive security advisor with IBM Security, in a technical breakdown of the attacks posted Tuesday.

Distribution of the malware is believed to be highly individualized. “It is very possible that [the threat actors] gather information [on potential targets] from local phone books, search engines or professional social networks to get to people who own a business or would have the business’ bank account credentials,” Kessem wrote.

Once a target is defined, the attackers pose as bank employees via phone calls, and instruct victims to visit a specific URL to verify that their “security module” is up-to-date. The fake verification site will then indicate a fake “required update” for the supposed security software. Next, victims are told to close all running programs, and to download and install the malicious software using the Windows admin profile.

“At this point, a fake application that features the bank’s logos starts downloading. Behind the scenes, CamuBot gets fetched and executed on the victim’s device,” the researcher said. “The name of the file and the URL it is downloaded from change in every attack.”

As the attacker is on the phone with the victim, “a pop-up screen redirects the victim to a phishing site purporting to be their bank’s online banking portal,” Kessem explained. Victims are instructed to log into their account via the fake site maintained by the attacker. Once accomplished, the victim has shared their banking credentials with the attacker.

Outsmarting Biometric Hardware Protections

In some circumstances, such as the presence of biometric authentication or other strong authentication hardware attached to the targeted PC, CamuBot goes the extra mile. “The malware can fetch and install a driver for that device,” researchers said.

To perform this type of authentication end-run, attackers take advantage of the malware’s advanced features. That includes CamuBot creating new firewall and antivirus rules to make sure the malware is a trusted program. Communication is then established with the adversary’s command-and-control via an SSH-based SOCKS proxy. Next, port forwarding is enabled and used “in a two-way tunneling of application ports from the client’s device to the server,” researchers said.

“The tunnel allows attackers to direct their own traffic through the infected machine and use the victim’s IP address when accessing the compromised bank account,” she said.

Now, CamuBot asks the victim to install remote access to their USB-connected device.

“Trusting that they are speaking to a bank representative, the victim may authorize the access, not knowing that by sharing access to the connected device they can allow the attacker to intercept one-time passwords generated for authentication purposes,” Kessem wrote. “If the same remote sharing is authorized by a duped user, they could unknowingly compromise their biometric authentication.”

The CamuBot malware code distinguishes itself from the copious banking malware and trojans found targeting Brazil-based financial institutions over the past year. For one, it does not attempt to hide itself as do Brazilian banking malware samples such as Trojan-Proxy.PowerShell.Agent.a, Metamorfo, MnuBot and one malware family that used Compiled HTML Help files to deliver a banking trojan.

“CamuBot is more sophisticated than the common remote-overlay type malware used in Brazil in its M. O. (modus operandi) and fraud tactics. Instead of simplistic fake screens and a remote access tool, CamuBot tactics resemble those used by Eastern European-made malware,” she said.

Kessem said CamuBot is most similar to Europe-based TrickBot, Dridex and QakBot, which target business banking and leverage social engineering for account and device takeover.
===============================================================
My hunch is Wave Knowd could protect against CamuBot with the TPM as a factor of authentication (that the hackers couldn't get) rather than biometric or one-time passwords that are being hacked in the article. imo.
=================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords

Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services

https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords

Lee, MA -

May 9, 2013 -

Wave Systems Corp. (NASDAQ: WAVX), the Trusted Computing Company, today announced Wave Knowd, a new web service available for preview that significantly reduces the vulnerability and use of passwords by leveraging the unique identity of computing devices. With a simple integration of Wave Knowd, any website can establish reliable and consistent identity relationships with the devices its customers use most often for Internet services. Wave Knowd, which signifies “Known Devices,” is being tested by partners to provide the backbone for general purpose machine identity.

“The maturation of the web mandates a change in how we, and our computing devices, connect to the web,” said Steven Sprague, Wave CEO. “With cable television, satellite radio, bank kiosks and mobile phones, the service relationship is tied to the endpoint device. The web needs the security and simplicity of this same model, where our computing devices themselves play an added role in authentication. I access dozens of web services every day from the computer in my home office, and want those sites to know and trust my PC so they’ll stop continually asking me to log in. Wave Knowd enables that trust.”

To make web authentication stronger and simpler, Wave Knowd provides a new approach to signing on and accessing Cloud and Internet services. From online banking to business services and even consumer gaming, passwords are failing to provide a level of security that either service providers or users can trust. Knowd is built upon the concept that only known devices should ever access a protected network. Knowd incorporates all of your access and identity solutions together to establish a relationship of trust between users’ computing devices, and the web services they access.

“We interact online using so many devices now, but from a security perspective those devices aren’t all equal. Accessing medical records or confidential business files from my kid’s smartphone is certainly not as trustworthy as connecting from my business PC with an encrypted drive,” continued Mr. Sprague. “Wave Knowd is all about making the Web simpler and safer, and that new foundation of trust begins with known devices, and known capabilities.”

Once machine identity is established, any web site—from gaming, social networking or shopping; to banking, business and financial services—can use Wave Knowd to create a reliable and persistent identity for the connecting device. Knowd allows Web sites to streamline access for users who repeatedly log on from trusted devices, while bolstering security. Initial authentication creates a unique and anonymous relationship between each computing device and each web service accessed, and then the level of trust between the two grows over time. Knowing the device can also help the site prevent fraud and phishing, or simply provide quicker no-password access. Wave is the partner helping to create and manage these relationships.

“Wave Systems was the obvious choice to provide ID Dataweb’s attribute exchange with device identity services,” said David Coxe, CEO at ID Dataweb. “In Knowd, Wave has provided a system that is rooted in state of the art device security technologies such as the Trusted Platform Module and other secure elements, while also offering a simple web based integration. It’s easy to identify if a connecting device is highly trusted, or whether it requires added screening and security.”

ID Dataweb uses Wave’s Knowd solution as part of the Identity Ecosystem supported through a grant from the U.S. Department of Commerce’s National Institute of Standards and Technology’s NSTIC initiative (National Strategy for Trusted Identities in Cyberspace). ID Dataweb has created a standards-based platform to simplify online identity verification using OpenID credentials.

Providing the Tools to Manage Trust in the Cloud: What’s Your Trust Score?

Wave Knowd is a powerful enhancement for any website. The endpoint identity service links an individual user’s unique device identity with the Internet services that are typically protected only by username and password access. Users are prompted by their cloud service provider to register their primary computing devices to create a unique and persistent device identity relationship with their Internet services and service providers. No personal ID information is obtained by Wave, as Knowd works purely as a machine identity service. Furthermore, registered devices are given a unique ID for every service provider, establishing a separate trust relationship with each service.

Wave Knowd asserts a Trust Score that helps both consumers and cloud services or relying parties to determine the level of trust granted to each specific computing device. For example, a home PC that is used regularly for banking will quickly build a high Trust Score. Users can achieve a higher Trust Score by installing a small software application (Wave Knowd currently supports Windows 7 and 8, with Apple and Android to follow later this year). Business-class PCs containing a standard Trusted Platform Module (TPM) can establish even greater trust by leveraging the TPM security chip to create and securely store a unique device ID.

Knowd provides a web service with a new capability to enable or disable features based on the device that the user is actively using, providing a new security option for the end user. Perhaps an account password can only be reset from the user’s registered home computer and not from anywhere in the world, thereby linking in all of the user’s investment in the security of their home, from their alarm system to the doorman. Every web service can benefit from integrating Wave Knowd as part of the user’s experience.

Wave Knowd is free to consumers, and reduces the authentication cost to providers. Knowd is available to relying parties using the standard OpenID protocol, and also offers a simple web API. For more information visit: ID.Wave.com
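The quoted article describes a tunnelling pattern: the malware adds firewall and antivirus rules so it is treated as trusted, then opens an SSH-based SOCKS proxy to the attacker's server and forwards ports both ways so the attacker can bank through the victim's IP address. Below is an added detection example, written for this page and not taken from the Threatpost article, IBM X-Force, or the poster; it scores that sequence of behaviours per process over constructed, Sysmon-like telemetry. The event shape, the `netsh`/`Add-MpPreference` patterns, the allow-list of SSH client images and the time window are all assumptions chosen for illustration, not CamuBot indicators from the report.

```python
"""Flag a process that tampers with host defences and then speaks SSH.

Added example, not code from the article or from IBM X-Force. The
telemetry below is constructed to resemble Sysmon process/network events;
it is not real CamuBot data, and the patterns are illustrative heuristics.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: (timestamp_s, host, pid, image, event_type, detail)
SAMPLE_EVENTS = [
    (100, "WKS01", 4100, r"C:\Users\Admin\Downloads\update.exe", "process_create",
     "update.exe"),
    (104, "WKS01", 4100, r"C:\Users\Admin\Downloads\update.exe", "child_process",
     r'netsh advfirewall firewall add rule name="Bank Module" dir=out action=allow '
     r'program="C:\Users\Admin\Downloads\update.exe"'),
    (106, "WKS01", 4100, r"C:\Users\Admin\Downloads\update.exe", "child_process",
     r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads"'),
    (111, "WKS01", 4100, r"C:\Users\Admin\Downloads\update.exe", "network_connect",
     "tcp 10.0.0.15:49812 -> 203.0.113.7:22"),
    (112, "WKS01", 4100, r"C:\Users\Admin\Downloads\update.exe", "network_listen",
     "tcp 127.0.0.1:1080"),
    # Benign: an admin's real SSH client reaching a jump host, no rule tampering.
    (200, "WKS01", 5200, r"C:\Windows\System32\OpenSSH\ssh.exe", "network_connect",
     "tcp 10.0.0.15:49900 -> 10.0.0.5:22"),
    # Benign: an installer adds a firewall rule but never talks SSH.
    (300, "WKS01", 6300, r"C:\Program Files\Vendor\setup.exe", "child_process",
     r'netsh advfirewall firewall add rule name="Vendor" dir=in action=allow '
     r'program="C:\Program Files\Vendor\app.exe"'),
]

# Heuristic patterns (assumptions for this example, not vendor signatures).
FIREWALL_ALLOW = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)
AV_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
CONNECT = re.compile(r"->\s*(\S+):(\d+)$")
LISTEN = re.compile(r"^tcp\s+(127\.0\.0\.1|0\.0\.0\.0|\[::1\]):(\d+)$")

# Images from which an outbound :22 connection is expected (assumed allow-list).
KNOWN_SSH_CLIENTS = {"ssh.exe", "putty.exe", "plink.exe"}
WINDOW_S = 300  # tampering and tunnel setup must fall within this many seconds


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events, window_s=WINDOW_S):
    """Group events per process and return alerts for the tamper-then-tunnel pattern."""
    by_proc = defaultdict(list)
    for ts, host, pid, image, etype, detail in sorted(events):
        by_proc[(host, pid, image)].append((ts, etype, detail))

    alerts = []
    for (host, pid, image), evs in by_proc.items():
        indicators = {}  # indicator name -> first timestamp seen
        for ts, etype, detail in evs:
            if etype == "child_process":
                if FIREWALL_ALLOW.search(detail):
                    indicators.setdefault("firewall_allow_rule", ts)
                if AV_EXCLUSION.search(detail):
                    indicators.setdefault("av_exclusion", ts)
            elif etype == "network_connect":
                m = CONNECT.search(detail)
                if m and m.group(2) == "22" and _basename(image) not in KNOWN_SSH_CLIENTS:
                    indicators.setdefault("ssh_from_unexpected_image", ts)
            elif etype == "network_listen" and LISTEN.match(detail):
                # A loopback listener is consistent with a local SOCKS/forwarded port.
                indicators.setdefault("local_listener", ts)

        # Alert only when defence tampering AND the SSH transport co-occur in time;
        # either alone (installer adding a rule, admin using ssh.exe) stays quiet.
        tamper = {"firewall_allow_rule", "av_exclusion"} & indicators.keys()
        if tamper and "ssh_from_unexpected_image" in indicators:
            tss = list(indicators.values())
            if max(tss) - min(tss) <= window_s:
                alerts.append({"host": host, "pid": pid, "image": image,
                               "indicators": sorted(indicators),
                               "first_ts": min(tss), "last_ts": max(tss)})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a['host']} pid={a['pid']} {a['image']}: {', '.join(a['indicators'])}")
```

The point of the correlation is that each piece on its own is noisy: installers legitimately add firewall rules and administrators legitimately use SSH. Requiring both from the same process inside a short window, and excluding known SSH client binaries, keeps the rule quiet on the two benign records while still catching the sequence the article describes.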



