Hacker tutorial teaches bypassing fraud detection

Security vendor Trusteer has found an underground tutorial that teaches hackers an easy way to bypass fraud detection systems used on many e-commerce and online banking sites.

The company uncovered the document while prowling forums used by cybercriminals to discuss the latest tools and techniques for penetrating security systems.

The tutorial is aimed at technology that identifies devices contacting a site. Such systems monitor the visiting smartphones, tablets or personal computers for hacker-like behavior.

The document shows how cybercriminals work together in promoting techniques for circumventing security systems. The discovery emphasizes the need for organizations to continuously upgrade systems and take a layered security approach to keep hackers out of corporate networks.

“What was effective two or three years ago may be much less effective now,” Amit Klein, chief technology office for Trusteer, said on Tuesday.

[See also: With new bank-security guidance, how safe is your firm?]

The tutorial was written in English, even though it came from an underground forum where documents are typically written in Russian, Klein said. The document describes how to fool detection systems that monitor for unusual transactions.

For example, hackers who have obtained a list of stolen credit- and debit-card numbers will attempt to use multiple cards on e-commerce sites or banking sites to obtain goods or cash, respectively.

Key to the effectiveness of the detection systems is the ability to “fingerprint” each device to watch for behavior like multiple transactions, Klein said. The identifying information includes the IP address and the version of browser and operating system in the device.

The latter two identifying bits are taken from what is called a “user-agent header” that the browser uses to identify itself as the software making the request of the Web site. Because multiple devices can have the same IP address, the information within the user-agent header is used by many detection systems to identify devices.  

The hacker tutorial recommends using a commercially available virtual private network or proxy server to hide the device’s real IP address. It then instructs hackers to use a browser plugin available on an underground site to modify the user-agent header each time the device starts a new transaction, Klein said.

The discovery means organizations using fraud detection systems need to evaluate their methodology. Those still using user-agent headers should be replaced with systems that are less likely to be tricked, Klein said.

“What [technology] people put in front to protect transactions have to be constantly evaluated and reevaluated against emerging threats,” he said.