Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Bank Fraud Toolkit Circumvents 2FA & Device Identification
Newest First  |  Oldest First  |  Threaded View
aws0513
50%
50%
aws0513,
User Rank: Ninja
1/16/2015 | 9:26:45 AM
Re: Workaround: Block web access
Good points all around @Spikes.
I also see where application whitelisting would be a major mitigation solution for this kind of malicious toolkit. 
The downside is that the solutions we describe require the end user to be technically savvy to implement... and that is assuming they would want to spend the time...  and in some cases money...  to do so.
Spikes
50%
50%
Spikes,
User Rank: Apprentice
1/15/2015 | 8:02:37 PM
Workaround: Block web access
I put a lot of emphasis on preventing this sort of malicious software from getting there in the first place, but once your endpoint has been infected by malware, things get dicy fast.  If you can't trust the sanctity of your endpoint device (phone/laptop/PC), you've really lost all hope of being secure.  But, I do have a couple suggestions for people scared of what to do about this sort of malware threat.

One option, as Scott points out above, is to have some clever next-gen 2FA mechanism for your banking sites, but let's face it that's just not ubiquitous yet so not a very real solution for an enterprise or your average user.  I do however applaud new approaches to authentication which protect against these "virtual mugging" (and for the record, I love this clever terminology, did you come up with this one Sara?) attacks, and hope they grain traction and become widespread.

But what if you assume you've got this kind of malware on your system now.  What would you do?  How about this.. Block web access.  Just don't surf the web anymore, problem solved, right?  

Well okay, that's just not practical.  However, you could whitelist your trusted sites perhaps.  But my advice is to isolate your browser to a virtual machine and use a firewall to block web access for your endpoint entirely.  Allowing only the isolated browser instance to communicate out on 80/443.  If done well, pre-existing malware would not be able to communicate to its command & control servers, and this kind of threat is suddenly dead in its tracks.
TextPower
100%
0%
TextPower,
User Rank: Strategist
1/15/2015 | 4:01:31 PM
Bypassing 2FA depends on the *type* of 2FA
FULL DISCLOSURE: I am the co-founder and CEO of an authentication platform company 

Thanks for writing a solid article about KL-Remote.  In the never ending game of cat-and-mouse between hackers and security, chalk up another one for the hackers.

I do want to note one thing, though.  Your article states that the KL-Remote circumvents 2FA and that's true - most of the time.  It depends on the type of 2FA.  My company's 2FA platform (TextKey) takes the standard SMS 2FA and turns it on its head: a message is sent *from* the phone rather than to it and a secure connection occurs between our server and the website server completely outside the browser environment.  

This method of sending an authentication text from the phone is infinitely more secure than current methods.  It eliminates man-in-the-middle/browser attacks as well as eliminating the potential interception of the SMS sent to the phone.  As a result this type of authentication is impervious to a KL-Remote attack.  

We've built our own authentication product on the platform to demonstrate its security and effectiveness.  "SnapID" authenticates using the TextKey platform and at the same time completely eliminates the need for any user ID or password when logging into a SnapID-enabled website.  No hacks and no hassles.

In short, different flavors of 2FA have different levels of protection.  
aws0513
50%
50%
aws0513,
User Rank: Ninja
1/15/2015 | 3:31:22 PM
Re: Very creepy..
Agreed...  fascinating and scary at the same time.

I am particularly interested in the ports, protocols, and traffic involved in the malware client operations.
I would expect the client would be designed to run on common ports and protocols to avoid any firewall or intrusion detection systems.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/15/2015 | 2:53:35 PM
Very creepy..
this gives me the shivers, thinking about what could be lurking behind, inside, over my shoulder when I am navigating a bank transaction. Sara, did IBM Security Trusteer provide any information about how many transactions were hijacked,or machines effected?


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24613
PUBLISHED: 2021-09-20
The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed
CVE-2021-24618
PUBLISHED: 2021-09-20
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated us...
CVE-2021-24635
PUBLISHED: 2021-09-20
The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, ...
CVE-2021-24636
PUBLISHED: 2021-09-20
The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link
CVE-2021-24637
PUBLISHED: 2021-09-20
The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gu...