Disclaimer: The author takes no responsibility for any actions taken with the information provided here.
- 23-June-2012: Banks have succeeded in removing my account from Vimeo.com. Vimeo deleted my account without informing me. You can watch the video on the www.facebook.com/BrokenInternet page.
- The “Expert Group on E-Banking Security” has given a live demo to the RBI (Reserve Bank of India).
- The “Expert Group on E-Banking Security” has given a recorded demo and discussion DVD to the CERT-IN head personally.
- An FIR has been registered at the police station against HSBC Bank for sending people to my residence.
- 16/02/2012: Dropbox has blocked my public link for video file downloads, saying that “I am hosting viruses in Dropbox”, but I have kept only the videos of the banks there and given the link on my website for download.
- 02/02/2012: HSBC sent goons to my residence after failed attempts to bring down the content with the help of the service provider. I was not present at that time; they asked my family members rude questions. HSBC showed their method of dealing with cyber security in India.
- 01/02/2012: HSBC again asked this hosting provider to remove the video of the man-in-the-browser attack. At the hosting provider's request I have removed the video from this site and given external references to watch the same videos on Vimeo and Facebook.
- 21/01/2012: www.yashks.com was disabled by the hosting provider (www.bluehost.com) without any notice to me. They acted on a complaint by HSBC Bank. The bank gave as its reason that “I am teaching how to hack HSBC bank”; this is a wrong reason. The video only shows the consequences and how this is going to affect online banking customers.
In the earlier proof-of-concept videos over the last few weeks, we saw the virus attack two other banks. The latest one targets HSBC online banking using a similar man-in-the-middle / man-in-the-browser attack method. I am releasing this video to show what such an attack can do to an online banking customer who uses the HSBC online banking facility with an OTP (One Time Password) device, and how it can result in a similar financial loss. As in the previous instances, I am not releasing the source code or binary of the virus, in order to prevent any kind of misuse by black hat hackers.
This video shows how a virus can take control of Internet Explorer and manipulate HSBC Bank transactions in real time. The user logs into HSBC online banking with the help of a One Time Password (OTP) (a hardware device is provided to each user by HSBC Bank) and performs an online transaction. The user must provide a One Time Password (OTP) to confirm any online transaction (the OTP is generated by the hardware token every minute). The user is unaware that a virus is running in the background. In spite of this second authentication factor, the virus is able to manipulate the transaction in real time without the user's knowledge and redirects the funds to the attacker's account.
For this demo, I have used Windows 7, Internet Explorer and Kaspersky anti-virus with the latest patches. The same virus can be extended to other browsers.
High-level description of the video:
User account: Naveen T.G, HSBC Bank, with OTP device
Destination account: Yash K.S, ICICI Bank
Attacker's account: Yash K.S, Citibank
- User login and transaction: The user logs in as Naveen T.G (HSBC Bank) with the login password and a One Time Password (OTP). The user enters the destination account details along with the amount of Rs. 34, confirms the transaction by entering an OTP, and completes the transaction.
- User realization: The user checks the HSBC Bank account statement and sees that Rs. 10,000 has been transferred instead of Rs. 34, and that instead of going to the Yash K.S – ICICI Bank account, the amount has been transferred by the virus to the Yash K.S – Citibank account in real time.
- Verification of the attacker's account: The video also shows the attacker's account, i.e. Yash K.S – Citibank, where the money has been received, confirming that the virus succeeded in diverting the transaction.
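The three steps above come down to one property of the confirmation code: an OTP that depends only on the token's clock confirms whatever request the browser actually submits, so the code the customer typed for "Rs. 34 to ICICI" is equally valid for "Rs. 10,000 to Citibank". The following is an added example, not the author's code and not any bank's implementation, and it goes one step beyond the page by showing the mitigation: a code computed over the beneficiary and amount the customer keyed into the device stops matching once those fields are rewritten. The account names and amounts are the ones from the video; the shared secret, the 60-second step, the code constructions and the field layout are assumptions made for the demonstration.

```python
"""Time-based OTP versus transaction-bound confirmation code, replaying the
rewrite shown in the video (Rs. 34 to ICICI becomes Rs. 10,000 to Citibank).
Added example; not the page's code and not a bank's real scheme."""
import hashlib
import hmac
import json
import struct
import time

# Constructed shared secret between the customer's token and the bank server.
TOKEN_SECRET = b"constructed-demo-secret-not-a-real-key"
TIME_STEP_SECONDS = 60  # the page says the hardware token rolls every minute


def time_based_otp(secret: bytes, now: float) -> str:
    """Six-digit code derived from the secret and the current time window only.
    It carries no information about what is being confirmed."""
    counter = int(now // TIME_STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in HOTP/TOTP
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def canonical(txn: dict) -> bytes:
    """Fixed field order so token and server hash byte-identical input."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def transaction_bound_code(secret: bytes, txn: dict) -> str:
    """Six-digit code over the beneficiary and amount the customer keyed into
    the device (assumed 'what you see is what you sign' construction). A real
    scheme would also bind a server-issued nonce to stop replays."""
    mac = hmac.new(secret, canonical(txn), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def server_accepts_time_otp(code: str, now: float) -> bool:
    """Server side for the time-based scheme: the request contents play no role."""
    return hmac.compare_digest(code, time_based_otp(TOKEN_SECRET, now))


def server_accepts_bound_code(submitted_txn: dict, code: str) -> bool:
    """Server side for the bound scheme: recompute over the request it received."""
    return hmac.compare_digest(code, transaction_bound_code(TOKEN_SECRET, submitted_txn))


def mitb_rewrite(txn: dict) -> dict:
    """Models the rewrite seen in the video, after the user has confirmed."""
    txn["to"] = "Yash K.S / Citibank"
    txn["amount_inr"] = 10_000
    return txn


def no_tamper(txn: dict) -> dict:
    return txn


def simulate(tamper) -> dict:
    """Run both schemes; `tamper` is applied to the request after confirmation."""
    intended = {"from": "Naveen T.G / HSBC", "to": "Yash K.S / ICICI Bank", "amount_inr": 34}
    submitted = tamper(dict(intended))
    now = time.time()
    otp = time_based_otp(TOKEN_SECRET, now)              # read from token, typed in browser
    bound = transaction_bound_code(TOKEN_SECRET, intended)  # computed on the device from keyed-in details
    return {
        "time_otp_accepted": server_accepts_time_otp(otp, now),
        "bound_code_accepted": server_accepts_bound_code(submitted, bound),
        "submitted": submitted,
    }


if __name__ == "__main__":
    for label, tamper in (("clean", no_tamper), ("rewritten by MitB", mitb_rewrite)):
        print(label, simulate(tamper))
```

The bound code only protects the fields it covers, and only if the customer reads or keys those fields on a device the malware cannot control; a code entered into the same compromised browser that displays the details gains nothing.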
- Search for “Virus attack on HSBC Transactions with OTP Device” on www.vimeo.com and watch the video. Even this is blocked now: Vimeo has removed my account itself at the bank's request. You can still watch it on the Facebook page.
- Visit the “Broken Internet” Facebook page and watch this video.
Frequently Asked Questions
Q1) Why is an antivirus not able to identify this Trojan/virus?
A) Virus detection is done either by signatures or by heuristics. To detect by signature, the anti-virus vendor must first obtain a sample of this virus; otherwise it cannot detect it. Heuristic detection is based on the behaviour of the executable file, and most of the viruses in the wild today know how to evade these anti-viruses and other protection technologies.
Q2) Should the Trojan/virus be different for different banks, or the same for all banks?
A) The Trojans are specific to a bank. The attacker identifies a flaw in a particular bank and develops a Trojan to exploit that flaw.
Q3) Is it just a coincidence if the Trojan/virus present on my system targets the bank that I use?
A) A simple approach is to write a Trojan that identifies the bank and reports the data back to the attacker. The attacker can then infect the computer with a bank-specific Trojan. Smarter Trojans adapt to the situation because they contain code for multiple banks.
Q4) I don't share my computer with strangers and I perform online transactions only from my own computer, so how can I get infected?
A) Computers get infected when users visit malicious websites or download freeware. For more than 10 years, Trojan/virus writers have mastered the art of infecting end-user systems. Today's underground market hackers provide Pay-Per-Install (PPI) services to other criminals.
Q5) I perform online transactions only from my office environment, which is supposed to be updated with the latest antivirus updates. Is there still a probability of infection?
A) Anti-viruses detect and cure only known Trojans/viruses. Protection mechanisms help mitigate risk, but attackers invent new ways, using combinations of exploits, to bypass these protections.
Q6) Can I get infected when I visit malicious websites?
A) Yes. You cannot really tell whether a site is genuine or not, even with the most up-to-date antivirus patch.
Q7) Every time I transact, I immediately call the recipient to find out whether he/she has received the money. Is this a safe measure?
A) This is a good practice. But if you make NEFT/RTGS transactions, it takes a while for the money to reach the destination account, and it is really hard to recover your money in case of an attack.
Q8) Can I identify the Trojan/virus in the task manager and kill it? In what ways is it hidden on my computer?
A) Trojans/viruses are hidden from the task manager. Hiding from the task manager was in fact the first step in the evolution of Trojans/viruses.
Q9) If the InPrivate mode in web browsers is designed for sensitive activities, then is it not safe enough?
A) InPrivate mode is useless for securing online banking. Online banking facilities are provided by banks; it is up to them to find secure ways to deliver the facilities they provide. The core focus of web browsers has never been securing online banking transactions anyway.
Q10) Which is a safe web browser?
A) The same Trojan/virus can be extended to any browser. The core architecture of a given web browser remains the same for many years, and attackers don't need that many years to master a browser.
Q11) Millions of online transactions happen in India. I haven't heard of any such incidents, especially since the media hypes any such online attack when it occurs. Why should I bother now?
A) Most of these attacks go unnoticed by the user since they happen in stealth; banks also attempt to hush up any such incidents. After all, it is their reputation at risk. That said, media attention on such topics is still low.
Q12) My online bank account holds a small amount and I don't transact more than a couple of thousand. I will alert myself if I hear of any such incident or am attacked once.
A) It will be too late, once you are a victim, to say “next time”.
Q13) Some banks allow transfers only to pre-registered recipient accounts. In this case, how does the bank allow a transfer to a non-registered attacker's account?
A) You can look at the Citibank and ICICI Bank videos to learn more about how such attacks could be performed. When an attacker targets a specific bank, his design will consider countering that bank's security measures. He performs an end-to-end attack.
Q14) Isn't this a worldwide problem? Our banks will copy the western world for such advanced safety measures, and most of the banks in India where I have online accounts are foreign banks. Haven't all these problems already been solved?
A) Yes, it is a worldwide problem. Banks worldwide have similar problems, but they only “feel” their online banking is secure. Such optimistic feelings from banks are not backed by substantial proof.
Q15) Is it possible for a criminal who is not a hacker to get hold of such Trojan/virus code and infect a few machines to usurp money?
A) Yes, many toolkits are available on the internet, which criminals can configure and release into the wild. Banks should think outside the box and invest in building a controlled network for online banking.
Q16) I use many of the bank's other online facilities. Is there a possibility of such attacks on a larger scale, where without my knowledge I can lose a large sum of money?
A) The risk exists all the time. Banks should take the right measures before a well-coordinated attack is planned by attackers.