
Protect Online Banking from RAT-in-the-Browser (RitB) Attacks

January 2016

Protect Online Banking from RitB Attacks – BioCatch White Paper

Document Overview

Remote access tools are standard software applications used by people who troubleshoot and fix PC problems remotely. Many IT professionals rely on them because they let a technician enter a user's desktop and control it just as if they were sitting at the keyboard themselves. When used properly, remote access tools are an effective way to solve difficult computer problems for people around the world.

But remote access tools are also put to other uses today. Nation states and hacktivists use modified remote access tools to execute cyber-attacks, and fraudsters successfully use remote access Trojans (RATs) to attack online banking and hijack transactions [1]. One of the many problems with RATs is that the fraud detection solutions banks currently use aren't designed to detect them, which leaves users vulnerable to a growing epidemic of remote access attacks.

BioCatch takes a different approach to detecting RATs. Most systems used today examine device data, which cannot reveal that a RAT is present, because the device itself is genuine. BioCatch monitors and analyzes a user's cognitive behavior without interfering with the user experience, tracks the user's unique profile throughout the session, and can instantly alert the bank when it spots abnormal user behavior consistent with a RAT.

[1] British banks lose £20 million to


What is a RAT?

Although the name doesn't imply it, RATs began as helpful software. Remote access tools were used by support personnel to take over a user's PC, see what the user was experiencing, find issues, and provide immediate assistance when needed. But cybercriminals recognized the power of RATs, too. A modified RAT called Poison Ivy was used by criminals for years to control employee PCs and compromise several high-profile defense firms, chemical makers, and government agencies despite the efforts of security professionals. Today fraudsters use RATs to attack online banking, driving the user's PC over remote access protocols such as virtual network computing (VNC) or remote desktop protocol (RDP). The technology works well enough that modified RATs are sold on underground markets [2] both as standalone malware and as cheap plug-ins to common financial Trojans like Zeus, SpyEye, and Citadel.

There’s a RAT in your browser

RAT-in-the-Browser (RitB) is a third-generation Trojan attack that uses a RAT to open a browser on the user's own device and initiate a fraudulent money transfer from it. Dyre is the most widespread Trojan using RitB today, and Dridex is often used to target commercial banking.

An example of how Dyre works is detailed below. Other Trojans like Neverquest, Shifu, and other Zeus clones work in a similar way.

[2] OmniRAT – the $25 way to hack into Windows, OS X and Android devices


Figure 1: Dyre malware in action

Once a RAT is installed it can be used without detection for as long as the victim is connected to the Internet. Advanced fraudsters combine Man-in-the-Browser (MitB) techniques with remote access in a single attack. In a combined MitB/RAT attack, the malware informs the attacker when the user logs into the banking site and hands over the user's credentials. The attacker suspends the user's session, opens an invisible browser on the victim's device via remote access, and logs into the bank from that device to initiate a transaction. If the bank asks for out-of-band authentication, the fraudster uses the suspended session to prompt the user to complete the authentication step, then uses the one-time passcode the user enters to complete the fraud.


Social RATs aren’t very nice

"Social RATs" use social engineering to gain remote access to a user's device. Instead of setting up systems to lure users to sites with malicious code or buying sophisticated financial malware, the "social RAT" fraudster simply calls the user, posing as an "IT administrator" or a "Microsoft representative", and asks them to download a remote access tool "for security reasons". In some recent attacks, the fraudsters had the victim turn off their monitor while they performed the fraud.

Image 2: Social RAT flow


Why current fraud detection fails to detect RitB attacks

Banks and other financial institutions are struggling to mitigate RitB attacks using their current fraud prevention solutions. Device recognition, malware detection, proxy detection, and IP geo-location can all fail when a RitB is present during a transaction.

Most adaptive authentication solutions rely on device recognition to detect fraudulent users, but with RitB the device used to log in and make the transfer is the victim's real device. So when a RitB is present, the bank's systems see a genuine device fingerprint, with no traces of a proxy, code injection, or malware, and with the proper IP address and geo-location. It's as close to a cloaking device as there is.

BioCatch's RitB Detection

BioCatch monitors a user's interaction with an application and introduces small, invisible challenges to establish a profile of the user's unique cognitive behavior. BioCatch uses machine learning to model these behaviors and can distinguish a genuine user from an impostor in real time. When a user accesses their banking site, BioCatch compares their current behavior against their previous profile in order to identify anomalies and characteristics that are indicative of fraud.

BioCatch is effective against RATs because a session driven through a RAT behaves very differently from a person working on their local PC.

During a RAT session, every mouse movement and keystroke the attacker makes travels over the network (typically through a proxy server) to the victim's PC, and the resulting screen refresh has to travel back to the attacker's PC before they can see the effect and react. Each interaction therefore carries a network round trip that a local user never experiences.


BioCatch detects the sluggish responses that network latency produces, the overshoots that occur when the attacker cannot see the cursor's position in time to stop, and the delayed corrections that follow, all of which are characteristic of remote access.
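The three signals just described (latency-driven jitter in the input stream, overshoots past a target, and pause-then-nudge corrections) can be made concrete with a small scoring routine over pointer events such as those a client-side collector would gather. The following Python is an added example for this page, not BioCatch's code or algorithm; the two pointer traces are constructed for illustration, and the thresholds (JITTER_THRESHOLD, PAUSE_MS, MAX_CORRECTION_PX, OVERSHOOT_TOLERANCE_PX) and the "two or more indicators" rule are assumptions, not values from the original.

```python
"""Score a pointer trace for signs of remote-access (RAT-driven) input.

Added illustration, not BioCatch's product code. The traces and the
thresholds below are constructed assumptions for this example.
"""
import math
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed thresholds; a real deployment would learn these per user.
JITTER_THRESHOLD = 0.8       # coefficient of variation of inter-event gaps
PAUSE_MS = 150               # gap long enough to suggest a screen round trip
MAX_CORRECTION_PX = 15       # a small nudge made after such a pause
OVERSHOOT_TOLERANCE_PX = 5   # band around the target that counts as "on it"


@dataclass(frozen=True)
class PointerEvent:
    t_ms: int   # client-side timestamp in milliseconds
    x: int
    y: int


def interval_stats(events):
    """Mean inter-event gap and its coefficient of variation (jitter).

    Input from a remote-access session tends to arrive in bursts: the tool
    batches events, and the operator waits for the screen update before the
    next move, so gaps are far less regular than a local mouse at 60 Hz.
    """
    gaps = [b.t_ms - a.t_ms for a, b in zip(events, events[1:])]
    if len(gaps) < 2:
        return 0.0, 0.0
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def overshoot_episodes(events, target, tolerance=OVERSHOOT_TOLERANCE_PX):
    """Count times the cursor passes the target and then comes back.

    The path is projected onto the straight line from the first event to the
    target. An episode starts when the projection exceeds the target distance
    by more than `tolerance` and ends when it returns inside that band.
    """
    sx, sy = events[0].x, events[0].y
    dx, dy = target[0] - sx, target[1] - sy
    length = math.hypot(dx, dy)
    if length == 0:
        return 0
    ux, uy = dx / length, dy / length
    episodes, beyond = 0, False
    for e in events:
        proj = (e.x - sx) * ux + (e.y - sy) * uy
        if proj > length + tolerance:
            beyond = True
        elif beyond:
            beyond = False
            episodes += 1
    return episodes


def delayed_corrections(events, pause_ms=PAUSE_MS, max_step_px=MAX_CORRECTION_PX):
    """Count small corrective moves that follow a long pause.

    Over a remote link the operator only sees the result of a move once the
    screen refresh arrives, so fine positioning becomes pause-then-nudge.
    """
    count = 0
    for a, b in zip(events, events[1:]):
        gap = b.t_ms - a.t_ms
        step = math.hypot(b.x - a.x, b.y - a.y)
        if gap >= pause_ms and 0 < step <= max_step_px:
            count += 1
    return count


def score_session(events, target):
    """Return the extracted features plus a verdict (two or more indicators)."""
    avg_gap, jitter = interval_stats(events)
    features = {
        "mean_gap_ms": round(avg_gap, 1),
        "gap_jitter": round(jitter, 2),
        "overshoots": overshoot_episodes(events, target),
        "delayed_corrections": delayed_corrections(events),
    }
    indicators = sum([
        features["gap_jitter"] > JITTER_THRESHOLD,
        features["overshoots"] >= 1,
        features["delayed_corrections"] >= 2,
    ])
    features["remote_access_suspected"] = indicators >= 2
    return features


TARGET = (300, 100)  # constructed: say, the "Confirm transfer" button

# Constructed trace: a local user moving smoothly to the target at 60 Hz.
LOCAL_TRACE = [PointerEvent(16 * i, 20 * i, 100) for i in range(16)]

# Constructed trace: bursts of events separated by ~170 ms round trips,
# an overshoot past the target, then pause-and-nudge corrections back onto it.
REMOTE_TRACE = [
    PointerEvent(0, 0, 100), PointerEvent(5, 40, 100), PointerEvent(10, 80, 100),
    PointerEvent(180, 130, 100), PointerEvent(185, 190, 100), PointerEvent(190, 250, 100),
    PointerEvent(360, 320, 100), PointerEvent(365, 335, 100),
    PointerEvent(540, 323, 100), PointerEvent(545, 312, 100),
    PointerEvent(720, 303, 100), PointerEvent(900, 300, 100),
]

if __name__ == "__main__":
    for name, trace in (("local", LOCAL_TRACE), ("remote", REMOTE_TRACE)):
        print(name, score_session(trace, TARGET))
```

The point of requiring two independent indicators is that any one of them is noisy on its own: a congested home network or an overloaded PC can also produce irregular event gaps, and an inexperienced local user can overshoot a button. What distinguishes a remote operator is that the round-trip delay shows up in all three at once, and a production system would learn the per-user baseline rather than use the fixed thresholds above.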

BioCatch’s ability to detect RATs has been confirmed by multiple third party testing organizations. Please contact BioCatch for more details.

Summary

• BioCatch detects 100% of malicious RAT attacks, including DarkComet, ProRat, and the VNC and RDP add-ons to Zeus and Citadel.
• BioCatch catches the RAT in the act: unlike solutions that only detect malware infections, BioCatch alerts the bank while the remote access is happening, with real-time actionable alerts.
• Easy integration: BioCatch requires embedding a small JavaScript on the online banking web site.
• Not just RATs: BioCatch detects other forms of advanced cyber threats, including automated MitB and MitM. BioCatch is a complete behavioral biometric authentication solution for online and mobile applications.
• Proven: BioCatch is used by leading banks around the world and protects millions of users every day.


About BioCatch

BioCatch is a leading provider of behavioral biometrics, authentication and malware detection solutions for mobile and Web applications. Available as a cloud-based solution, BioCatch proactively collects and analyzes more than 500 parameters to generate a unique user profile. Organizations use the platform to continuously authenticate users during their online sessions, protecting against cyber threats and fraudulent activity such as account takeover and RAT-in-the-Browser attacks. Additionally, BioCatch has collaborated with Early Warning in securing and optimizing digital financial transactions through shared behavioral intelligence. The company was founded in 2011 by experts in neural science research, machine learning and cyber security and is currently deployed in leading banks and eCommerce sites across North America, Latin America and Europe. For more information, please visit www.biocatch.com.
