Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/14/2015
03:20 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Bank Fraud Toolkit Circumvents 2FA & Device Identification

KL-Remote is giving Brazilian fraudsters a user-friendly "virtual mugging" platform.

Another user-friendly attack toolkit is on the market, and it's perfect for the budding Brazilian banking fraudster. It's got an attractive, user-friendly interface that includes a "start phishing" button. And it effectively circumvents both two-factor authentication and device identification protections.

IBM Security Trusteer released details today about this KL-Remote, a remote overlay toolkit that performs what it calls "virtual mugging." Unlike banking Trojans, KL-Remote is less automated (because where's the fun in that). It requires attackers to do some manual sleight of hand, but it makes it very easy to pull off.

The toolkit is distributed by being embedded in other malware. It comes preloaded with a list of targeted banking URLs. When the infected user visits one of those sites, the malware operator gets an alert and can then decide whether or not to proceed with an attack.

Here's what the attacker's interface looks like:

The KL-Remote fraud banking panel screen while viewing a victim navigating the online banking website, translated from Portuguese into English.
The KL-Remote fraud banking panel screen while viewing a victim navigating the online banking website, translated from Portuguese into English.

As IBM describes it, "during a remote overlay attack, the criminal is virtually looking over the victim's shoulder, watching his or her every move. At some point, the attacker takes direct control over the device without the victim's knowledge."

When KL-Remote goes into action, it first takes a snapshot of the infected user's browser screen and lays it over the real website, preventing the user from interacting with the real site. A quick click of the "start phishing" button begins issuing a series of prompts -- customized for each bank -- stating that the user needs to install a security update, and it tricks the user into entering the password and one-time token.

Once the user enters that data, the tool throws up a waiting message -- one of those usual "installing update, this may take a few minutes" messages. While the user waits, the tool takes control of the infected machine's keyboard and mouse and carries out whatever fraudulent financial transactions the attacker would like with that user's bank account.

The user can't see the activity, and the bank can't tell that the person conducting the transaction isn't the account holder logging in from the usual device.

The attack effectively circumvents two-factor authentication and device identification.

Instead, identifying the fraud would require a combination of detecting malware infection, use of remote access tools, abnormal browser patterns, or abnormal transactions.

For now, KL-Remote is available only in Portuguese, and it is only in use in Brazil. Researchers say it could be adapted to other languages, territories, or industries.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
aws0513
50%
50%
aws0513,
User Rank: Ninja
1/16/2015 | 9:26:45 AM
Re: Workaround: Block web access
Good points all around @Spikes.
I also see where application whitelisting would be a major mitigation solution for this kind of malicious toolkit. 
The downside is that the solutions we describe require the end user to be technically savvy to implement... and that is assuming they would want to spend the time...  and in some cases money...  to do so.
Spikes
50%
50%
Spikes,
User Rank: Apprentice
1/15/2015 | 8:02:37 PM
Workaround: Block web access
I put a lot of emphasis on preventing this sort of malicious software from getting there in the first place, but once your endpoint has been infected by malware, things get dicy fast.  If you can't trust the sanctity of your endpoint device (phone/laptop/PC), you've really lost all hope of being secure.  But, I do have a couple suggestions for people scared of what to do about this sort of malware threat.

One option, as Scott points out above, is to have some clever next-gen 2FA mechanism for your banking sites, but let's face it that's just not ubiquitous yet so not a very real solution for an enterprise or your average user.  I do however applaud new approaches to authentication which protect against these "virtual mugging" (and for the record, I love this clever terminology, did you come up with this one Sara?) attacks, and hope they grain traction and become widespread.

But what if you assume you've got this kind of malware on your system now.  What would you do?  How about this.. Block web access.  Just don't surf the web anymore, problem solved, right?  

Well okay, that's just not practical.  However, you could whitelist your trusted sites perhaps.  But my advice is to isolate your browser to a virtual machine and use a firewall to block web access for your endpoint entirely.  Allowing only the isolated browser instance to communicate out on 80/443.  If done well, pre-existing malware would not be able to communicate to its command & control servers, and this kind of threat is suddenly dead in its tracks.
TextPower
100%
0%
TextPower,
User Rank: Strategist
1/15/2015 | 4:01:31 PM
Bypassing 2FA depends on the *type* of 2FA
FULL DISCLOSURE: I am the co-founder and CEO of an authentication platform company 

Thanks for writing a solid article about KL-Remote.  In the never ending game of cat-and-mouse between hackers and security, chalk up another one for the hackers.

I do want to note one thing, though.  Your article states that the KL-Remote circumvents 2FA and that's true - most of the time.  It depends on the type of 2FA.  My company's 2FA platform (TextKey) takes the standard SMS 2FA and turns it on its head: a message is sent *from* the phone rather than to it and a secure connection occurs between our server and the website server completely outside the browser environment.  

This method of sending an authentication text from the phone is infinitely more secure than current methods.  It eliminates man-in-the-middle/browser attacks as well as eliminating the potential interception of the SMS sent to the phone.  As a result this type of authentication is impervious to a KL-Remote attack.  

We've built our own authentication product on the platform to demonstrate its security and effectiveness.  "SnapID" authenticates using the TextKey platform and at the same time completely eliminates the need for any user ID or password when logging into a SnapID-enabled website.  No hacks and no hassles.

In short, different flavors of 2FA have different levels of protection.  
aws0513
50%
50%
aws0513,
User Rank: Ninja
1/15/2015 | 3:31:22 PM
Re: Very creepy..
Agreed...  fascinating and scary at the same time.

I am particularly interested in the ports, protocols, and traffic involved in the malware client operations.
I would expect the client would be designed to run on common ports and protocols to avoid any firewall or intrusion detection systems.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/15/2015 | 2:53:35 PM
Very creepy..
this gives me the shivers, thinking about what could be lurking behind, inside, over my shoulder when I am navigating a bank transaction. Sara, did IBM Security Trusteer provide any information about how many transactions were hijacked,or machines effected?
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20491
PUBLISHED: 2021-04-16
IBM Spectrum Protect Server 7.1 and 8.1 is subject to a stack-based buffer overflow caused by improper bounds checking during the parsing of commands. By issuing such a command with an improper parameter, an authorized administrator could overflow a buffer and cause the server to crash. IBM X-Force ...
CVE-2021-22539
PUBLISHED: 2021-04-16
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend...
CVE-2021-31414
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
CVE-2021-26073
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
CVE-2021-26074
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...