Isn’t anyone in the middle?

Kaspersky Lab has patented technology enabling our software to detect man-in-the-middle (MitM) attacks, beloved of authors of financial malware.

We are pleased to introduce a major reinforcement in our arsenal of security technologies: Kaspersky Lab has patented technology enabling our software to detect man-in-the-middle (MitM) attacks, beloved of authors of financial malware. It is our hope that the technology will greatly reduce the profitability of such scams.

We began development several years ago, after mobile banking had gained real popularity. Once people were increasingly using online payment applications, cybercriminals followed, becoming more adept at stealing money electronically. One of the most common techniques still regularly used in banking malware involves compromising the communication channel — the MitM attack.

During an MitM attack, an attacker essentially intercepts the information-exchange channel between the bank and the client, substituting the data the client receives. That is, the mobile application is not communicating with the bank as the user assumes, but rather it sends information to an outside system. At the same time, cybercriminals handle communications with the bank (with obvious results). The specific scenarios enabling such attacks are numerous, as are the technologies that fraudsters use. Some examples are DNS spoofing (poisoning the DNS server’s cache), replacing security certificates, public wireless networks parasitizing, and intercepting the traffic on the device side by means of malware with elevated system privileges, but there are more.

We decided to create technology that would let banks identify a MitM attack — regardless of which techniques attackers used. In other words, our task was to come up with a method that would enable client’s device to make sure that it is indeed the bank’s information system on the other side of the connection. Kaspersky Lab’s method rechecks data sent to the financial application to ensure it really came from the bank.

Let’s see how it works in a typical attack, say through an open Wi-Fi network in a café. A user tries to access a bank account using the bank’s official application, but the café network is under the control of cybercriminals. When the user opens with the banking application, the compromised network prevents the app from establishing an https connection, thus forcing the user to use a browser instead. The browser tries to establish an unprotected http connection with the bank’s site, but somewhere in the café’s router, the http request is redirected to a malicious server, where a fake copy of the required site is deployed. When the user enters his or her username and password, the crooks capture the credentials.

A key aspect of this attack is that, when trying to imitate the banking site’s behavior, the server sends a response to the request. Despite all attempts to copy a legitimate response, the fake response simply can’t be identical. And that is where our technology intervenes: It allows the resending of the received response and compares that with the data the user should have received from the real bank.

This technology has the potential to do more than just reveal the fact of a MitM attack; it can also detect the point at which attackers interposed their instructions in the communication channel. In a perfect world that might help you find the criminals.

The anti-MitM technology is already in Kaspersky Lab’s products, including Kaspersky Fraud Prevention, which, among other things, protects online banking processes on Android and iOS systems.

Want to read the patent? You’ll find it on the USPTO website. Do not let the name “System and Method for Detection of Targeted Attacks” fool you: The term targeted attacks typically applies to attacks aimed at a particular organization, but MitM is tailored for a specific task, and so we call it a “targeted attack,” too.