New Wave of Attacks Demand a Stronger On-line Banking Security Solution
Digital Security News, October 11, 2004
By Dr. Glenn Gearhart
Hacker and criminal attack schemes are growing in number and variety, and each can result in a financial fraud against the victim and against the associated financial institution (FI). This is due in part to current on-line banking services operating on older technology.
SSL (Secure Sockets Layer) protects data only while it is in transit between the browser and the server. It does nothing about the security vulnerabilities inherent in Internet browsers and in the way the World Wide Web (WWW) is used, so an SSL-protected banking session is only as secure as the browser and the person sitting in front of it. The open, interactive features of the browser and the WWW are wonderful for presenting products, services, promotions, advertising and information, but that openness creates significant security vulnerabilities. Three of the most serious are URL substitution attacks, phishing attacks and the new image attacks.
URL Substitution Attacks
The URL Substitution Attack (URLS, pronounced "earls") is possibly the most dangerous type of on-line fraud attack. The danger comes from the magnitude and diversity of the fraud schemes that can be initiated from a URLS attack, and from the persistence of the fraudulent address once it has been planted on the victim's computer: it is difficult to remove and tends to survive in one or more of the computer's stored address lists, so the user can be sent to the fraudulent site again long after he believes he has deleted the "bad address." We have witnessed very experienced programmers who believed they had cleared the bad URL addresses from their computers, only to find a month later that they had again been taken to one of the fraud web pages of a URLS attack site.
URL substitution (URLS) attacks use fraudulent web sites or web pages that look and feel like a legitimate bank's web site or web page. They are not. They are fakes set up solely to collect private and confidential information from the unsuspecting victim and to use it to commit both on-line and off-line crimes.
These crimes may be focused on using the victim's credit card or debit card to make on-line purchases. The web page may be built to gain the victim's account number, access password and other information that lets the on-line criminal reach the victim's FI account through on-line banking. The attack may be designed to obtain a victim's ATM card data and PIN to facilitate an ATM cash withdrawal.
Commonly the URLS attacks use URL addresses that appear legitimate. For example, if the on-line criminal is trying to entice a customer of the (hypothetical) bank abcfi to provide information, the URLS site's home page may carry an address such as www.1.abcfi.com, www.server1.abcfi.com or www.home1.abcfi.com. Whatever is selected is NOT an authorized abcfi web site; it is a criminal's web site with related web pages, and the URL address and all of the content are designed to make the visiting victim believe he is on the true abcfi web site. Note that a host name that genuinely ends in abcfi.com resolves wherever the bank's own DNS says it does, so a criminal can make such a name reach his server only by tampering with the victim's name resolution; more often he registers a look-alike domain that merely contains or resembles the bank's name, or buries a foreign host inside a long, confusing address. Either way, the only reliable check is the registered domain of the host the browser actually connects to, not how the address reads.
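The following is an added example, not code from the original article and not a description of any ACAP product. It shows the check described above as working code: it classifies the host a browser would actually connect to against the hypothetical bank's registered domain abcfi.com. The sample URLs are constructed for illustration, and the look-alike heuristics (the userinfo trick, the bank's name under a foreign domain, digit-for-letter spellings, a raw IP address with the bank named elsewhere in the URL) are this example's own assumptions rather than techniques the article describes.

```python
"""Classify a URL's host against a bank's registered domain.

Added example, not from the original article and not a description of any
real product. The bank "abcfi" and every URL here are hypothetical; the
look-alike heuristics are this example's own assumptions.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "abcfi.com"   # assumed registered domain of the hypothetical bank
# Characters commonly swapped in for look-alikes, folded to the letter imitated.
HOMOGLYPHS = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of a host name, e.g. 'www.1.abcfi.com' -> 'abcfi.com'.

    Assumes a two-label registry such as .com; registries like .co.uk would
    need a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated'.

    legitimate: the host the browser connects to is under LEGIT_DOMAIN.
    lookalike:  the address merely reads like the bank's (userinfo trick,
                bank name under a foreign domain, swapped characters, or a
                raw IP address with the bank's name elsewhere in the URL).
    unrelated:  nothing in the URL refers to the bank.
    """
    if "://" not in url:              # urlsplit needs a scheme to find the host
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    bank = LEGIT_DOMAIN.split(".")[0]
    # "https://www.abcfi.com@evil.example/": everything before '@' is
    # userinfo, not the host, however much it resembles a bank address.
    if parts.username is not None:
        return "lookalike"
    if registrable_domain(host) == LEGIT_DOMAIN:
        return "legitimate"
    if bank in host or bank in host.translate(HOMOGLYPHS):
        return "lookalike"
    if bank in url.lower():           # bank named only in the path or query
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; none of these hosts is real.
    for sample in (
        "https://www.1.abcfi.com/login",
        "https://www.abcfi.com@evil.example/",
        "https://abcfi.com.secure-login.example/",
        "https://www.abcf1.com/",
        "https://192.0.2.10/abcfi/online",
        "https://example.org/",
    ):
        print(f"{classify_url(sample):<11} {sample}")
```

The first sample is classified as legitimate, which is the point of the caveat above: a name under abcfi.com reaches a criminal only if name resolution on the victim's machine has been subverted, and no check of the address text can detect that. The remaining samples are the forms a look-alike actually takes.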
Phishing Attacks
Phishing attacks are usually delivered by e-mail. The e-mail may ask for the information directly, as a set of questions the victim answers in reply, or it may carry the victim to a URLS site and let that site collect the private and confidential information.
Phishing is not limited to e-mail. Instant Messaging (IM) is also being used to perform phishing attacks. The adverse results and possible losses from a phishing attack are very similar to those identified for a URLS attack.
Image Attacks
Every Internet browser has inherent security vulnerabilities, and one of them is now being exploited by image attacks. Images are everywhere in the browser, from the icons on its own tool bar (the back arrow, the forward arrow, the favorites button, the print button and the rest) to the pictures in the pages, e-mails and instant messages it renders, and all of them are decoded by the same image libraries. A flaw in such a library lets an attacker-supplied image run the attacker's code on the PC. Once the PC is compromised, the SSL security (https) protects nothing: the criminal reads account numbers, credit card numbers, passwords and other critical and confidential customer data on the victim's own machine, before they are ever encrypted. These items can then be used to steal a victim's identity, issue fraudulent checks, make unauthorized purchases, withdraw cash from accounts and perform other criminal acts.
The image attacks typically use malicious code (malware) embedded in the image to gain access to the PC, capture the data used to access transactions, and collect critical confidential data that is later used to re-enter the on-line banking and e-commerce transaction servers and perform the criminal acts.
How prevalent are image attacks, and how serious are they to individual victims and to the victimized FI or e-commerce vendors? The results of an image attack can be as serious as those of a URLS attack.
These new image attacks may use a GIF, a JPEG or almost any other image format to deliver the malicious code. Many security software experts are diligently creating patches that attempt to fix these vulnerabilities; however, almost as fast as a patch is created, a new set of image attacks is initiated to circumvent it.
In one image attack example, an on-line criminal used AOL Instant Messenger (AIM) to exploit unsuspecting victims through the JPEG GDI+ (image) vulnerability. The criminal used an image file crafted to install a Trojan (malicious code) on an affected user's computer.
In this image attack against AIM users, the intruders post a copy of the infected JPEG image to their user profile and then send instant messages to other AIM users enticing them to view that profile. When someone views the profile and the JPEG image loads, the viewing user's computer is infected.
This remote code execution vulnerability allows a malicious user or malware to take complete control of the affected computer if the affected user is logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system, install or run programs, and view or edit data with full privileges. Thus the vulnerability can also be used by malware to replicate itself.
Windows XP Service Pack 2 ships a GDI+ that is not subject to the MS04-028 vulnerability, and Microsoft has issued the MS04-028 security update for earlier versions of XP and the other affected Windows releases. However, neither SP2 nor the update fixes the many application programs a computer user may have installed which carry their own copy of the vulnerable GDI+ image library. Research on the image attack threat has found that many application software developers have not yet issued fixes for image attacks. Furthermore, one cannot assume that SP2 will be the end of image attacks on XP or any other PC operating system.
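As an added example for the image-attack section above (not code from the article, from Microsoft or from any vendor tool), the following scanner walks the marker segments of a JPEG file and rejects any segment whose 16-bit length field is smaller than 2. That field counts its own two bytes, so a value of 0 or 1 is invalid under the JPEG standard regardless of which viewer decodes the file; the public analysis of MS04-028 describes GDI+ subtracting 2 from such a value and underflowing into a heap overflow. The two sample files are constructed inline: a minimal well-formed JFIF header and a file whose comment (COM) segment declares a zero length followed by filler bytes. No exploit payload is included.

```python
"""Walk JPEG marker segments and flag malformed length fields.

Added example, not from the original article or from any vendor tool.
Assumption: only properties fixed by the JPEG standard are checked (a
segment length field counts its own two bytes, so it can never be below 2,
and no segment may run past the end of the file).
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
COM, APP0 = 0xFE, 0xE0
# Markers that carry no length field: TEM, RST0..RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def scan_jpeg_segments(data: bytes):
    """Return (segments, problems).

    segments: list of (marker, offset, declared_length) in file order.
    problems: human-readable findings; an empty list means the header
    structure is well formed up to the start of scan data (SOS).
    """
    segments, problems = [], []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return segments, ["missing SOI marker"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            problems.append(f"expected 0xFF marker prefix at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, allowed before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            segments.append((marker, pos, 0))
            pos += 2
            if marker == EOI:
                break
            continue
        if pos + 4 > len(data):
            problems.append(f"truncated length field at offset {pos}")
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((marker, pos, length))
        if length < 2:
            # The MS04-028 condition: a decoder computing length - 2 underflows.
            problems.append(
                f"segment 0xFF{marker:02X} at offset {pos} declares length "
                f"{length}, below the 2-byte minimum")
            break
        if pos + 2 + length > len(data):
            problems.append(
                f"segment 0xFF{marker:02X} at offset {pos} runs past end of data")
            break
        if marker == SOS:
            break                     # entropy-coded data follows, not segments
        pos += 2 + length
    return segments, problems


def is_safe_jpeg(data: bytes) -> bool:
    """True when the segment structure passes every check above."""
    return not scan_jpeg_segments(data)[1]


# Constructed sample 1: minimal well-formed JFIF APP0, a 2-byte comment, EOI.
APP0_BODY = b"JFIF\x00\x01\x01\x00" + struct.pack(">HH", 1, 1) + b"\x00\x00"
BENIGN = (b"\xFF" + bytes([SOI])
          + b"\xFF" + bytes([APP0]) + struct.pack(">H", 2 + len(APP0_BODY)) + APP0_BODY
          + b"\xFF" + bytes([COM]) + struct.pack(">H", 4) + b"ok"
          + b"\xFF" + bytes([EOI]))

# Constructed sample 2: a COM segment with length field 0, then filler bytes
# standing in for attacker-controlled data. No exploit payload is included.
MALFORMED = (b"\xFF" + bytes([SOI])
             + b"\xFF" + bytes([COM]) + b"\x00\x00" + b"A" * 32
             + b"\xFF" + bytes([EOI]))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        segs, probs = scan_jpeg_segments(blob)
        print(name, [f"0xFF{m:02X}" for m, _, _ in segs], probs or "OK")
```

A gateway, mail filter or IM proxy that applied this check in 2004 would have dropped the malformed file before any GDI+ copy, patched or not, ever saw it; the check is deliberately independent of which applications on the endpoint still carry a vulnerable library.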
Based upon the escalation in URL substitution attacks, phishing attacks and the new image attacks, the transition from SSL alone to a higher level of security for on-line banking is mandatory. The prudent FI that values its market share of on-line banking customers should begin evaluating and planning for this essential evolutionary change to the new security technology. As this serious security deficiency continues to be exploited by cyber criminals, it is likely that the regulatory agencies will move to enforce higher levels of security for on-line banking activities.
By Glenn Gearhart, CEO, ACAP Security Inc., a provider of higher level security solutions to the banking industry. For more information on security solutions contact: glenn@acapsecurity.com or 714-843-0099.
White Paper: 111104 ACAP Security Inc.
Copyright 2004. ACAP Security Inc. All rights reserved.