Transacting online always brings some insecurity and fear, even though you are assured that every bit of your transaction details is secured and kept confidential. This is what almost every company on earth promises. People are always in a dilemma between the pain of visiting banks or paying utility bills in person and sitting comfortably at home, transferring money or paying all the bills online.
Today we live in a jet-age society, where everything we do becomes a style statement. Just to live up to the expectations of society, we end up inclining more towards online payment than going and paying in person. But I can bet everyone has questions in mind: "How secure is my money in this?" and "What happens if connectivity is lost in the middle of my transaction?"
With exponential growth in cyber crime and the known philosophy that 100% security is unachievable, individuals and corporations end up installing all sorts of defensive layers of security, making their networks more and more complex. "Being secure" cannot be achieved just by adding layers of security, but by increasing awareness of it.
Let me shed some light on the most destructive and undetected attack to date. It is the most dreaded when it comes to applications on banking sites. Most banking crimes and online frauds are the outcome of this attack. It exploits the trust a user has in his/her browser, and injects and activates malicious code using phished pages.
This type of attack is called "Cross Site Request Forgery", "CSRF", or a "One Click" attack. It exploits the HTTP request that the user sends to the target server through the browser. In layman's terms, if you want to have a certain amount of money withdrawn from the victim's bank account, you can do this. You can write code in the website using an "on click" event, so that every time the user clicks the link, a certain amount is withdrawn from his account and deposited in the other account.
How does it work?
First of all, it is to be understood that this type of request tampering can happen between multiple accounts in the same bank. It cannot work across accounts in multiple banks.
Next, we intercept the bank request and try to get an online version of the web site code. The reason is that, usually, a change to the code cannot be reflected in the website when working from offline code.
Once we have the online code, we look for some open links. An open link can be an image link or a button click. As an example, let's say I want to make all the users click on an image to go to the next page.
By default there will be code that looks like this:
<a href="next page path">
<img src="Image source path">
</a>
Now, after I intercept this code, I change the "image source path" into malicious code like this:
<img src="http://bank.domain.com/withdraw?account=victim&amount=100000&for=attacker">
When I load the page with the changed code, it does a miracle: every time a click happens on this page, an amount is automatically deposited in the attacker's account, without the knowledge of the victim.
These types of attacks cannot be detected easily because they reside in the backbone of the trusted HTTP protocol, which the sites use to load. They are not a standalone bunch of code that could arouse suspicion; they are trusted code that does not get questioned.
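Seen from the server side, the forged withdraw request above can be refused with three checks. This is an added example, not code from the article or from the author's framework; the key, the trusted origin, the route list, the csrf_token field name and the sample requests are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for illustration; none of them come from the article.
SERVER_KEY = secrets.token_bytes(32)         # per-deployment secret
TRUSTED_ORIGIN = "https://bank.domain.com"   # origin of the bank's own pages
STATE_CHANGING_PATHS = {"/withdraw"}         # hypothetical route list
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Token the bank embeds in its own forms, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method, url, headers, session_id, form):
    """Return (allowed, reason) for a request that carries the session cookie."""
    if urlsplit(url).path not in STATE_CHANGING_PATHS:
        return True, "read-only route"
    # 1. Money movement is never accepted over GET, so an <img> load cannot trigger it.
    if method.upper() in SAFE_METHODS:
        return False, "state change over safe method"
    # 2. The browser reports the sending site; this policy also rejects a missing Origin.
    if headers.get("Origin") != TRUSTED_ORIGIN:
        return False, "cross-site or missing Origin"
    # 3. Only a page served by the bank could have read this session's token.
    sent = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(sent, expected):
        return False, "bad CSRF token"
    return True, "ok"


def sample_results(session_id="sess-1234"):
    """Run three constructed requests through the check."""
    url = "http://bank.domain.com/withdraw?account=victim&amount=100000&for=attacker"
    good_form = {"amount": "50", "csrf_token": issue_csrf_token(session_id)}
    return {
        "forged_img": check_request("GET", url, {}, session_id, {}),
        "forged_post": check_request("POST", url, {"Origin": "https://attacker.example"},
                                     session_id, {"amount": "100000"}),
        "own_form": check_request("POST", "https://bank.domain.com/withdraw",
                                  {"Origin": TRUSTED_ORIGIN}, session_id, good_form),
    }


if __name__ == "__main__":
    for name, result in sample_results().items():
        print(name, result)
```

Logging every rejected request with its reason and Referer also gives investigators a record of where forged requests came from.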
How do I know?
It has been a decade that I have been working in the field of detecting and stopping cyber fraud. I often come across many cases of this type. The problem is that there is no trace left behind to detect the actual culprit. The most anyone can do is take a reactive decision to stop the next attack after the damage has happened. Seeing this, I developed a framework, blended with the coding concepts of a website, which limits anything of this sort.