
I'm Alberto, a product security engineer at N26, and today I'm going to tell you a little bit about a phishing campaign that we had and a creative way that we used to combat it. First of all... this is not working. Okay, there we go.

So I am the one presenting, but there were a lot of people involved and they deserve at least a little bit of credit, especially on the side of fighting phishing for a bank: that's our Trust and Safety team, which takes care of protecting customers from scammers and from anybody who tries to trick them into doing things they wouldn't like to do. I myself belong to the product security team; we don't work so much with phishing, but as you will see, in this case we were involved. We also have Walter here, a principal engineer; he helped us set up some pretty interesting infrastructure for all the stuff that we wanted to do. And Val, who is also here, is a security researcher, and you will see he played a key role in helping us push back the scammers.

So, the issue that we had. First, phishing for a bank: as you can imagine, we keep people's money, so that's a very juicy target for scammers, isn't it? We see this maybe not every day, but almost every week people are finding new and creative ways of tricking customers into doing things they wouldn't want to do. In the end that means that if the scammers are successful, people are going to lose money, but that's not the end of it: it will also involve a lot of people, like customer support, they will complain online, and it will be a really bad impact for everyone. So of course we are always finding ways not only to help them once this happens but also to prevent it.

To begin with, as you can imagine, we have protections for login. When you have a username and a password, that's not enough for a modern bank: we have second-factor authentication, but also ways of identifying that a customer is indeed the person they claim to be, that the device they are using is indeed the device they usually use, things like that. And then on top of that, even if somebody managed to get access to an account, we have ways of preventing them from stealing money: there are other confirmations, there are other mechanisms. With all of this in place, in the end the weakest link is the user, so if they go and provide all of this information, they will eventually lose money. Which is where the story that I'm telling you today started.

So this campaign, we believe, started with a data breach, actually a combination of them, that happened in late 2021 and the beginning of 2022 at other companies. We were seeing a lot of banks being targeted by these scammers. They started in Italy. As you can see here, that was a sample of the SMS they were sending, and they were just telling people: your account has been compromised, quickly, quickly, quickly go change your data, click on this link that is clearly not suspicious, and give us all of your details. The first problem we encountered with this is that the SMS they were sending to the customers was spoofing an old N26 phone number, so if you had been a customer for some time, a few years, you would receive this SMS in the same thread where you were receiving official communications, so you're more likely to click on it, aren't you?

Once a customer clicked on it, they would arrive at a website that, obviously, resembles the N26 website a lot: input your email, your password, and depending on the version they would ask for card data and all sorts of information that would allow them to steal money from you. In Italy, which is where they started, they would actually call people on their phones, impersonating our customer support, and ask them to provide the OTP. When they started to spread the scam to other countries, they realized that, well, probably they didn't speak German or Spanish or whatever, so they were putting that also on the website to collect the OTPs. And finally, as I was mentioning, of course we have ways of preventing money from leaving: somebody can get full access to your account, you give them your username, your password, your OTP, they are in your account, but still, to steal your money they will have to do this from the device that you usually use, which obviously the scammers don't have. To bypass that, they used virtual cards: virtual cards that they could link to Apple Pay or to Google and use to exfiltrate funds. We quickly patched that, but still the customers were eventually giving enough details
for the scammers to steal their money. In this situation, which was a little bit complicated, we got a ray of sunlight, which was Val. This was a bug bounty report where he was saying: I received this SMS, a friend is a customer of yours, he sent it to me, and I was poking around with the website and realized there was an XSS right on the password field. This meant that we could see all of the data that they were storing in the website. Basically, the way it works is that on the same phishing site they would have all of this prepared for the users, but on the back they would have an admin panel where they were showing all of the credentials for them to work on. It also had the very nice side effect that product security got involved, because we review the bug bounty program, so that also meant more participation from our side. Eventually they patched the XSS, we didn't have access to it anymore, so we were back to square one.

And what I'm going to show you now is hypothetical; I don't claim to have done it, but yeah. With product security now involved, we could follow the path of Val and look for more vulnerabilities in the sites. We got lucky enough that our Trust and Safety team contacted some of the hosting providers, so we would get the code, even better for finding more vulnerabilities. And as you just heard a minute ago, they were really lazy. As you can see, the credentials were 123123, for instance; they eventually changed it to something very similar. We had a guessable authentication cookie: essentially, when you were providing a username and a password that were valid, they would set this cookie value "logato" (that is, "logged in"), so you could just write that value, go to the admin panel and you're in. Or even pages that were missing authentication: basically, the way it worked is that every time a customer was putting data on this website, that data was being written to a file. Those files were not behind the authentication, we could read them, and even some other PHP scripts that were loading the data in the main panel were also exposed. With all of this we have many ways of retrieving user data; we pass it down to Trust and Safety, they take action, they reset passwords, they send people new cards. But still, it's all manual: we have to find these sites for starters, we have to exploit them, so we have to be faster than the scammers, and this doesn't work. By the time we finally manage to find a vulnerability that works and we manage to exploit it, maybe they have already stolen the money from the people.

So the next step that we took was to automate all of this. We went a little bit crazy with this. What we have here is: first, using several providers, we would enumerate, or just pull, the phishing sites that were targeting our brand. With that we would fingerprint those sites, trying to identify which version of the phish kits we were dealing with, then exploit whichever vulnerability we found available. If it was something that required a callback, such as XSS, then we had a CloudWatch setup in AWS and we would read it from the Python script; for any of the other vulnerabilities that are more straightforward, we simply read the details and push them to a CSV for the Trust and Safety team to deal with. And finally, we would report the sites so we can make sure that they are taken down and no more customers fall for them.

That's pretty much what I wanted to show you today. There is only one more slide, which is on a research topic that I never had the time to work on for a little bit. I thought: if this works, if we can do this for these phish kits, and we know that the scammers are getting them from the dark web or they are using the same thing from open source that anybody can read, maybe we can find more vulnerabilities in other phish kits, maybe we can do the same thing for other people, right? I reviewed every phish kit I could get my hands on and there was not a single one that didn't have at least one vulnerability that would expose the data. So that's pretty much something that we can do as fighters of phishing. Fingerprinting them is pretty easy: as usual, they would just change the front-facing website, the brand and whatever, but the back-end part remains the same. And there are some challenges, like some phish kits use email: instead of storing the data on the server, they will send an email to whichever person is running them, but as always we can also find a way to get through that.

So yeah, that is the short story of how we fought fire with fire. And yeah, that's me, if you want to send me a phishing email or whatever. Thank you so much.

[Applause]

That's wonderful. We are very good on time, so you have a lot of time for questions if allowed. Oh yeah, wonderful, let me come to
you.

Thank you for your presentation. I actually have two questions. As I come from the telecommunication industry, there is certain regulatory pressure regarding SMS messages, because SMS messages are used as a primary transport for those kinds of spamming messages, and telco operators are now thinking that if they do not provide the solution then there will be some regulatory pressure regarding how SMS messages are spread, or telecommunication in general. Do you also see any kind of regulatory pressure on how banks are handling those kinds of phishing attacks? And the other question is: have you managed to track the origin, the country where the possible scammers are located, throughout your research? Thank you.

Thank you for the question. So on the first one, I don't know about telcos, I don't know about what regulations they might have, but I know on our side we are getting pressure to move away from SMS; in fact, at N26 we already did that. We need to have better ways of having second-factor authentication, better ways of sharing the OTPs and things like that, and that's coming from compliance: it's not only because it's more secure, it's also a regulation. On the second question, yes, I actually can share a little bit of that. We reported this to the authorities; we had so much information about the scammers, we sent all of it to the Italian police, since they were coming from Italy, that's where they were starting in the beginning. We got very vague responses: "we are working on it", so that's all we had, so we had to, you know, get creative. But I learned recently that they have been found and they have been arrested, so, you know, at least that.

Thank you for your talk. I also have two questions. The first question is: was it a one-time activity, or do you now have a dedicated phishing-fighting team? And the second question is: is your legal team aware of it?

Yeah, thank you, that's a very good one. For the first one: we get phishing all the time, it's something that we are fighting, of course, and we are improving our ways of preventing it, because as you can see, responding to it is very, very difficult. So our improvements go more along the lines of, you know, making sure that no matter what a user provides to another person, it is very, very hard to steal money from them. We don't do this, I don't claim to ever have done it, and I don't claim to be doing it actively. And yes, the legal teams are aware of it. We have to be very careful, of course, but I think sharing these kinds of experiences helps everyone, and fortunately the legal team can allow us to share them. So
yeah.

So you mentioned that you got your first URL from your bug bounty program. So is this in your scope? Like, can I go to HackerOne and provide you another phishing URL?

It's out of scope, and you can, but I will close the report. No, this was a very, very specific case. It clearly helped us a lot, and I think we valued that, but usually it's out of scope. And it's not just reporting a phishing site: he provided an exploit for it and he got us out, or he gave us a good idea on how to get out of a very dire situation. So yeah, very specific case.

Are you mainly using phishing websites that are reported by your customers to hunt for phishing kits, or are you also using other sources to obtain phishing kits, like the Anti-Phishing Working Group, for example, or other lists?

You mean for taking down the websites, for identifying them? I'm not sure I understand.

Yeah, like to identify phishing kits. Are you mostly using sources like sites that customers report to you, or also public sources?

Yeah, we have threat intelligence sources, you know. I had the logo of VirusTotal there because it's actually quite reliable, but there are a bunch of others. And then customers also report it: we have a portal where they can just send it, or through our customer support chat, and it's almost done by machine, we get it almost straight away. So yeah.

I have the feeling... oh yeah, there, yeah.
All right, very cool talk. I have one question-slash-remark, sort of a general thing. I use N26 because it seems to be the bank that speaks English around here, and one thing that makes me sad is that the way other things that are seemingly less important, like my Google account, do security is significantly more... like, I would trust it more than the bank, because it really appears that I still can't use a YubiKey as my multi-factor authentication, and I cannot disable the other ways of multi-factor authentication. And especially given that you have no physical stores where I can go and prove my identity, I find this super discouraging. Like, if you really do care about phishing, I really feel like if someone wants this level of security they should be able to get it, right? And also the other thing was, like, the legal conditions.

Absolutely. I mean, I don't think there is a person in this room who disagrees with that. We all would like to have those kinds of features, especially as a bank, but the truth is many customers of a bank don't even know what that means, you know. So we need to have measures that are universal, and not only universal in the sense that we can catch new customers, but also that people who already have their money there can still keep using those features. So that makes it very hard to improve security with new technologies, because not everybody has access to them or knows how to use them. That's the catch there. We could perhaps implement them as an optional thing, but that also means that we need to, how do you say, prioritize it, you know; we have to take the effort from one side to put it on that, and maybe the amount of people using it will be very small. Certainly a very good thing to have, but not universal. So yeah, maybe in some time.

Thank you. Oh, any more questions? Yes.

Thanks for your talk. I have a question about validating the phishing links. Do you have some validation there before putting that into your automation? Like, if someone would report the valid N26 website, does it still go through, or do you have some, you know, conditions to check if it's really phishing?

You mean, how do we validate that a site is actually phishing us?

Yes. I mean, someone just reported the link, but it's just the URL, right, and the code itself doesn't know if it's a phishing link really. Is it somehow checked, like screenshot comparison, or verification by a human, something?

Sadly, at this point, I think we are onboarding a provider that will do a little bit of that with us, because, you know, that's something that can be automated, but at the moment it's very manual; a human will check it, ultimately.

Okay, thank you.

Thank you. So, last chance.

Hi, do you have any info on what was the success rate for this campaign? If you have any data: how many SMS were sent versus how many accounts were phished, the amount of customers that actually input their data on these sites?

We definitely have those numbers. I don't know them off the top of my head, but I remember being happily surprised: like, a lot of people got the notification, the message, but not a lot of people were falling for it. Definitely enough for this to be very, very relevant, but that was a pretty small percentage, which is good news, I guess. And also a fun remark: when you get to the admin portal you can see the passwords in plain text, and a lot of people were making fun of the scammers themselves, like just putting silly things.

Nice, thanks. All right, I said last chance, but if Alberto doesn't feel too grilled, this is the last chance. Okay, I think we are good. Thank you.