Cracked HomeBanking Case
How would you forensically analyse a case where a bank experienced bank transfers that were not intended by the account owner?
The victims all used the home banking service of this bank. I have the images of the HDDs of 8 victims' computers.
I think the victims' computers were manipulated. The username and password are sent somehow through the Internet. I also assume that these cases are related to each other; the method should be the same.
I have scanned with two virus scanners and two spyware scanners. Nothing weird was found (mywebsearch and co. etc. - they might be what I'm looking for, but at this stage of the analysis I stepped further). I checked all autorun things (run, runonce etc., svchost, services). I checked with a process monitor whether anything funny is running.
Nothing has been found.
I stepped further with a "runtime method":
I restored these images to other HDDs and successfully booted them on my computer in the lab.
I ran a file monitor tool to see what is done with files. I ran a registry monitor tool to see registry manipulation. The computer is connected to a network with a FreeBSD gateway that uses tcpdump to log all network traffic.
I logged into the home banking service with an account provided by the bank, did some transactions and logged out. I let the computer run for a whole day. I did this with all 8 victims' configurations.
ADVANCED SCAN METHOD
I scan the whole drive for executables and libraries which use something from a socket API.
ANY OTHER IDEA?
Do you have any other idea?
RELATION WITH the Japanese bank Sumitomo Mitsui:
I do not know many things about this case. Keyloggers were used in it. It might be in some relation with "my" case. Should anybody have more information about that keylogger or method, please inform me.
OK, I do not know if this forum is the right place to post such a question. Should this not be the case, please advise me of the right one.
Thank You very much,
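An added example of the "advanced scan" step, not the poster's own code: a stdlib-only Python triage script that parses each PE file's import directory and flags binaries importing the Windows socket/HTTP DLLs (the set of DLL names and the offsets are assumptions based on the PE32/PE32+ header layout). `build_sample_pe` constructs a minimal test binary in memory; on a real case you would feed `uses_socket_api` every file read from the mounted images.

```python
import struct
NET_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll"}   # socket/HTTP API DLLs

def _rva_to_offset(rva, sections):   # map a relative virtual address to a file offset
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    return None

def imported_dlls(data):   # lowercase DLL names from the import directory; [] if not a usable PE
    dlls = []
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else 0
        if not pe or data[pe:pe + 4] != b"PE\0\0":
            return dlls
        nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
        opt = pe + 24
        magic = struct.unpack_from("<H", data, opt)[0]
        # data directories begin at +0x60 (PE32) or +0x70 (PE32+); entry 1 is the import table
        imp_rva = struct.unpack_from("<I", data, opt + (0x60 if magic == 0x10B else 0x70) + 8)[0]
        raw = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
        sections = [(va, vs, rp, rs) for vs, va, rs, rp in raw]   # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        desc = _rva_to_offset(imp_rva, sections) if imp_rva else None
        while desc is not None:
            name_rva = struct.unpack_from("<I", data, desc + 12)[0]   # IMAGE_IMPORT_DESCRIPTOR.Name
            off = _rva_to_offset(name_rva, sections) if name_rva else None
            if off is None:
                break                                                 # null descriptor ends the list
            dlls.append(data[off:data.index(b"\0", off)].decode("ascii", "replace").lower())
            desc += 20
    except (struct.error, ValueError):
        pass                                                          # truncated or malformed headers
    return dlls

def uses_socket_api(data):   # a hit is a triage candidate, not proof of malice
    return bool(NET_DLLS & set(imported_dlls(data)))

def build_sample_pe(dll_names):   # constructed minimal PE32 holding only an import table (test input)
    body = bytearray(20 * (len(dll_names) + 1))                        # descriptors + null terminator
    for i, name in enumerate(dll_names):
        struct.pack_into("<I", body, 20 * i + 12, 0x1000 + len(body))   # Name RVA of this DLL
        body += name.encode() + b"\0"
    hdr = bytearray(0x200)                                              # headers, padded to section start
    hdr[:2], hdr[0x3C:0x44] = b"MZ", b"\x40\0\0\0PE\0\0"                # e_lfanew = 0x40, PE signature
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # COFF: 1 section, opt hdr 0xE0
    struct.pack_into("<H", hdr, 0x58, 0x10B)                            # PE32 magic
    struct.pack_into("<II", hdr, 0xC0, 0x1000, len(body))               # import directory RVA/size
    struct.pack_into("<IIII", hdr, 0x140, len(body), 0x1000, len(body), 0x200)   # section header
    return bytes(hdr + body)
```

Expect many legitimate hits (browsers, Windows components), so compare the flagged files against known-good hashes from a clean install and prioritise those outside system directories or with odd timestamps.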
Something similar to this happened to one of my users a month or so ago.
It may not help, but you never know.
I currently work as IS Manager for a company, and one of our users came to see me to explain that he had had a lot of money transferred from his account.
We isolated the user's PC in case there were any viruses or trojans, took an image and started analysing the disk.
We found a few trojans but after a bit of work we decided that these were a red herring.
We then analysed the IE index.dat files and found some data being submitted to a strange website and some jpg files being downloaded from the bank's website. After seeing this, the user admitted that he had received an email asking him to enter his details, but he couldn't remember doing this. Not what the evidence showed!
Fortunately, the bank refunded the money but they have not asked for any of the information we found.
If info is being captured from the victim and then transferred somewhere, I would create a clone and use this in isolation, i.e. NOT connected to any network.
Run some software to find open ports and the processes that have these ports open. That will identify the how.
Then try to find out how that process 'contacts home'; that will identify the villain.
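An added example, from neither poster, of working the gateway capture from the original runtime method against the "how does it contact home" question above: Python that reads `tcpdump -n` text output, keeps only the TCP SYNs the restored victim images send to hosts not on an allowlist (assumed here: the bank and the lab DNS/gateway), and ranks destinations by how many images contacted them, since a destination shared across images fits the "same method" assumption. The log lines and all IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n output, as the FreeBSD gateway would log it, for two restored victim images
# (192.168.1.11 and 192.168.1.12): both reach the bank (198.51.100.10) and both also reach 203.0.113.7.
SAMPLE_LOG = """\
09:01:02.100 IP 192.168.1.11.1031 > 192.168.1.1.53: 12345+ A? bank.example. (30)
09:01:02.300 IP 192.168.1.11.1032 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
09:01:02.305 IP 198.51.100.10.443 > 192.168.1.11.1032: Flags [S.], seq 2, ack 2, win 5840, length 0
09:01:05.900 IP 192.168.1.11.1033 > 203.0.113.7.8080: Flags [S], seq 3, win 64240, length 0
09:01:06.000 IP 192.168.1.11.1033 > 203.0.113.7.8080: Flags [P.], seq 1:412, ack 1, length 411
10:15:40.100 IP 192.168.1.12.1040 > 198.51.100.10.443: Flags [S], seq 9, win 64240, length 0
10:15:44.700 IP 192.168.1.12.1041 > 203.0.113.7.8080: Flags [S], seq 10, win 64240, length 0
10:20:00.000 IP 192.168.1.12.1042 > 192.0.2.50.80: Flags [S], seq 11, win 64240, length 0
"""
VICTIMS = {"192.168.1.11", "192.168.1.12"}          # lab addresses of the restored images (constructed)
ALLOW = {"198.51.100.10", "192.168.1.1"}            # the bank and the lab DNS/gateway: expected traffic

# A TCP SYN is a new outbound connection attempt; only those lines answer "who does it contact"
SYN_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")

def outbound_connections(log, victims=VICTIMS, allow=ALLOW):
    """Yield (time, victim, dst, port) for each SYN a victim image sends to a host not on the allowlist."""
    for line in log.splitlines():
        m = SYN_RE.match(line)
        if m and m.group(2) in victims and m.group(4) not in allow:
            yield m.group(1), m.group(2), m.group(4), int(m.group(5))

def shared_destinations(log, victims=VICTIMS, allow=ALLOW):
    """Map (dst, port) -> sorted list of the victim images that contacted it."""
    seen = defaultdict(set)
    for _, victim, dst, port in outbound_connections(log, victims, allow):
        seen[(dst, port)].add(victim)
    return {k: sorted(v) for k, v in seen.items()}

def ranked_report(log, victims=VICTIMS, allow=ALLOW):
    """Destinations ordered by how many images contacted them; a shared one fits the 'same method' idea."""
    shared = shared_destinations(log, victims, allow)
    return sorted(shared.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    for (dst, port), images in ranked_report(SAMPLE_LOG):
        print(f"{dst}:{port} contacted by {len(images)} image(s): {', '.join(images)}")
```

The time and source port of each hit are what you then match against the file and registry monitor logs to find the process that opened the connection.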
I would think that the problem is on the bank's network. Either they hacked into the bank's network, or they just got the passwords/logins by some other means and logged in from another location. The bank should have an IP login history for those accounts. Determine when the transactions in question took place and determine the source IP address. I would consider a trojan horse attack the least likely scenario, but certainly not impossible. Especially since you are talking about multiple victims using the same banking services, and you found no such application on any of the computers. You may ask the victims if they responded to an inquiry asking them to input their bank login and password. Such scams are common with eBay and may have been used here as well. In fact I would check deleted emails on all machines and see if any identical emails are found on the eight systems.
Thank you very much for the replies. I had never expected such rapid and high-quality answers… 🙂
I have thought about the possible versions:
The victim plays an active or a passive role
1. The victim has given this information deliberately, although thinking that the request is OK: it's from the bank.
2. The victim has given this information deliberately, knowing that this request is not OK. (He gets his money back from the bank, and he gets a part of the money from the defrauder.)
   a. This has been done through a computer system –> Information might still be around.
   b. This has been done in some "analog" way –> No information is in the system.
   c. This has been done in a mixed way: for example, the contact has been made through the computer system, further steps analog. –> Some information might still be around.
   Information to look for:
   - Internet usage: .dat files, email
   - Stored information: the codes
3. The victim is the defrauder.
   a. This has been done with the direct help of the computer system we have seized –> Information might still be
   b. This has been done through another computer system
      - For example through a proxy –> Information might still be around on the seized storage.
      - With the help of another computer –> Information might still be around somewhere.
4. The victim has deliberately made it possible to get into his system, sat back and "let" the defrauder steal the
5. The victim's computer is not secure enough; the defrauder could get in without the victim's "help".
   a. The defrauder has a trojan installed that, as a keylogger, collects information and sends it back home. –> Information about the collected information might still be around. A process might still be running. Communication might still be established if I let the configuration run.
      - The trojan is a standalone app.
      - The trojan is like a virus: it modifies other running programs.
The victim has no role
The communication between the bank and the victim is tapped
6. The communication is tapped at the ISP or at other nodes.
7. The communication is tapped at the bank.
   a. The communication is encrypted; it goes through an SSL tunnel, so the ISP and nodes may have difficulties "sniffing the line".
   b. The bank says it stores passwords as hashes; they do not have them directly. The bank has given me logs; the transactions appear to have happened quite normally: username and password were entered once and accurately. I also have the IP addresses; they point to two different countries on two different continents. The partner authorities have already been contacted, although I would not expect much from this line.
Can you think of something else?
Thanks again for your replies,