According to IBM, 24 US banks have been hit by a new and advanced malware. Since the beginning of April 2016 this malware has stolen millions of dollars:

https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/

It is not the current amount stolen that makes the attacks interesting, but that the perpetrators have created a systematic attack pattern that works over and over again, circumventing all types of security mechanisms currently deployed in the market, such as 2-factor/multi-factor authentication, malware detection, fraud detection, anti-virus solutions, endpoint protection etc.

The reason is that the attackers are no longer attempting to crack the authentication mechanisms, steal user credentials or break the encryption of the system. Instead they let everything work according to the security design and normal data flow of the banking application. The attack simply takes advantage of the general design flaw of all user devices that allow software to be downloaded and installed, with or without the consent of the user, which in today’s market is every PC, smartphone, tablet, etc. Malicious code is injected into the running local application/web browser at the moment the transaction data is verified by the end user. The goal is to change, undetectably, the transaction data transmitted within the secure session of the banking application.

The root cause of the fundamental malware injection problem is that malware can easily manipulate all apps running on the operating system of the device by exploiting security vulnerabilities that grant root privileges, while the local application/web browser runs with normal user privileges. This vulnerability exists whether or not the device (smartphone) is rooted/jailbroken. The existence of such design flaws enables attackers to systematically win the race between attackers and the defenses of the online payment application.


Here is an example attack scenario:

1. The user logs on to an online banking application through the web browser/local application

2. The user registers payments

3. The malware changes what the user entered, so that falsified transaction data is transmitted to and stored on the banking server

4. The banking server is supposed to challenge the user to verify the stored transactions by requiring the user to re-read them. If accepted, the user is required to type in a random transaction verification code shown on the screen that displays the transactions

5. The malware changes the transaction data that is displayed to the user, so that the user sees the payments she originally entered

6. The user enters the random code into the application, believing she is verifying the transactions she originally entered, while she is actually tricked into verifying the falsified transactions

7. From the banking server's point of view everything works according to the designed data flow and security policy, and the fraudulent transaction is performed. Both the amount and the recipient can be totally different from what the user actually entered.
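The seven steps above, run as a small simulation to show exactly why the server-side check in step 4 is satisfied by the falsified transaction. This is an added example, not code from the original post or from Protectoria; the classes BankServer, TransactionTamperer and run_scenario, and the sample payments, are all constructed for illustration. The "malware" here is two pure functions on the data passing through the browser (outbound and inbound), which is all that is needed to model steps 3 and 5; no injection of any kind takes place.

```python
"""Simulation of the transaction-tampering scenario described above.

Constructed example: the server, the browser-side tamperer and the payments
are all illustrative, not real banking code."""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Payment:
    recipient: str
    amount: int  # constructed sample value, whole currency units


@dataclass
class BankServer:
    """Server side of steps 3, 4 and 7: stores what it receives, issues a
    random verification code, and checks only that the same code comes back."""
    stored: List[Payment] = field(default_factory=list)
    pending_code: str = ""

    def receive_payments(self, payments: List[Payment]) -> None:
        self.stored = list(payments)  # step 3: the server stores what arrived

    def challenge(self):
        # Step 4: the code is random and is NOT bound to the stored content,
        # so it proves only that the user answered *some* screen.
        self.pending_code = secrets.token_hex(4)
        return list(self.stored), self.pending_code

    def verify(self, typed_code: str) -> bool:
        # Step 7: a matching code is all the server can check.
        return secrets.compare_digest(typed_code, self.pending_code)


class TransactionTamperer:
    """Models the two hooks of steps 3 and 5 as data transforms (constructed)."""

    def __init__(self, fraudulent: Payment):
        self.fraudulent = fraudulent
        self.original: Optional[List[Payment]] = None

    def outbound(self, payments: List[Payment]) -> List[Payment]:
        self.original = list(payments)  # remember what the user really entered
        return [self.fraudulent]        # step 3: replace it on the way out

    def inbound(self, payments: List[Payment]) -> List[Payment]:
        return list(self.original or [])  # step 5: show the user her own entries


def run_scenario(user_payments: List[Payment], tamperer: Optional[TransactionTamperer] = None):
    """Run steps 1-7 once.

    Returns (server_accepted, what_the_user_verified, what_the_server_stored)."""
    server = BankServer()
    outbound = list(user_payments)
    if tamperer is not None:
        outbound = tamperer.outbound(outbound)
    server.receive_payments(outbound)
    displayed, code = server.challenge()
    if tamperer is not None:
        displayed = tamperer.inbound(displayed)
    # Step 6: a careful user types the code only if the screen matches her entry.
    if displayed != list(user_payments):
        return False, displayed, server.stored
    return server.verify(code), displayed, server.stored


if __name__ == "__main__":
    entered = [Payment("ACME Utilities", 120)]
    print("clean run:", run_scenario(entered))
    print("tampered run:", run_scenario(entered, TransactionTamperer(Payment("unknown recipient", 9000))))
```

In the tampered run the user compares the screen against her own entries, sees a match, and types the code; the server sees a correct code for the transaction it stored, and nothing on the server side distinguishes the two runs. Any check that depends on the compromised screen can be answered by the code that controls that screen, which is why the post locates the problem in the endpoint runtime rather than in the authentication or verification protocol.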

The Protectoria Secure Mobil Platform – PSMP – mitigates these kinds of threats by just-in-time loading of enormous entropy into the personalized running application, preventing the attacker from instrumenting malware to attack transactions. With the PSMP active, attackers have to figure out how to perform malware injection into a unique PSMP running environment within milliseconds, for each and every transaction verification procedure, making it practically impossible to attack transactions given the limited time and computing power available both now and in the foreseeable future.