RAT detection: How to avoid RATs abuse in your financial services business

When it comes to stealing credentials or accessing customer accounts, fraudsters will use any and all tools available out there. As methods become more sophisticated, remote access tools (RATs) are becoming an increasingly popular approach. When combined with social engineering, these tools can support fraudsters to bypass security measures, tricking users into granting access to their entire system.

Banks and other financial services companies are an ideal target system in this case. If fraudsters can gain access from a single user, they can then remotely control that account to gain all the lucrative information and sensitive data - including the financial accounts - held within. And from there, a lot of bad things can happen. The compromised account might become a tool for money laundering purposes or be manipulated for further social engineering tactics. Or fraudsters may empty the user's account of all its funds. 

But with the right tools to detect the malicious use of RATs, banks and fintechs can understand how the fraud process looks in detail and protect their business and customers. 

So, let’s get to the heart of the matter and learn:

• How fraudsters use RATs to gain access to financial accounts 
• Why RATs abuse protection might be crucial for compliance as well
• What you can do to protect your users against remote access abuse
  
  

Remote Access Tools have a practical and effective use. We are all familiar with Anydesk, Teamviewer, and other similar solutions, and most likely, we have used these tools at least once. They help technical experts fix and address problems via remote access when over the phone instructions are inefficient. Yet, in the wrong hands, RATs can become a double-edged sword. Fraudsters know that most people are familiar with remote control systems and the types of companies that use them, so they exploit it to their advantage.

Remote access tools vs remote access trojans

Before we move any further, it's worth noting the difference between remote access tools and remote access trojans, which both unfortunately have the RAT acronym. 

Remote access tools are legitimate applications for gaining remote access, often requiring the user's consent or some action to grant access.

Remote access trojans are viruses designed to achieve the same effect without the user's permission. This malicious software is often disguised as something else, hidden in emails or websites. 

For this particular article, we are talking about remote access tools. This is because these tools represent a very different risk. They require user behavior to work, whereas trojans must fight your firewall and other malware detection systems.

Remote access tools are used by fraudsters in social engineering schemes, often by phishing or otherwise representing a legitimate company or individual. Let's go through some of the more common approaches.

First, let's imagine a fraudster impersonating a bank's customer service or any other financial service that deals with sensitive data and accounts. This is achieved through various means:

• They can call the customer through their phone number, pretending to be the bank or business in question.
• They can also email the customer with a seemingly legitimate email address. 
• They may also reach out via social media, informing individuals of potential risks and offering to help them.

In any case, the goal is to encourage the user to install the remote access tool and grant access. Once in, the fraudster has access to the machine or device and anything stored there. In short, whatever that user can access, so can the fraudster. At a glance, this can include access to financial accounts, passwords, and other accounts, as well as any wider networks that the fraudster can now access, assuming the user identities of their victims. In the worst cases, an infected computer also has log files and other data that can be used in more fraudulent activities.

Here are a few specific scenarios in financial services:

• The fraudster targets an employee within a bank. They call up, claiming to be from the bank's security provider or department. They can claim to be in another location, so rather than physical access, they ask the worker to install an RAT. Once in, they download log files, databases, and other information they find useful.
• The fraudster contacts individuals via email or phone, claiming to be from their bank. They lie about some sort of suspicious activity in the customer's account and offer to help them. The user downloads the RAT, which the fraudster then uses to gain more information on the user, including their usernames, account details, financial information, and more. They can then change many of the passwords, leading to an account takeover, for example.

Why are RAT attacks so effective?

There's a reason the above scenarios don't trigger any suspicious behavior alerts in your typical defenses. Because they require the user to install genuine software, and then permit access, there is no immediate data or security breach. They avoid many standard antifraud or intrusion detection systems, especially those related to device fingerprinting. Since the user's account is legitimate, device fingerprinting is completely circumvented.

Even when detection is possible, fraudsters are clever enough to use a proxy server, VPN, or similar means to protect their IP addresses and remain hidden as much as possible.

With legislation regarding cybersecurity becoming increasingly more complex, it's arguably only a matter of time before businesses are required to implement an advanced intrusion detection environment that can detect RAT abuse.

For example, PSD2 doesn't cover such cases, but the updates on PSD3 standards will cover suspicious behavior and advanced behavioral analysis of user activity. Much of this puts a great deal of emphasis on banks and other payment providers. As RAT manipulation, social engineering, phishing, and other scams grow in frequency, it's only natural that compliance standards will increase to match.

So it’s not about detecting RATs, but rather detecting RATs abuse. Remote control solutions leave traces of their activity behind, typically in the form of low-level network data. However, understanding when remote access has been granted doesn't help if you don't further understand the situation. 

How do we distinguish suspicious behavior from genuine use? The anomalies caused by RAT software provide the first signals we can further analyze with advanced algorithms. Specifically, we monitor user behavior and assess whether the current activity matches what should be expected. These factors combined provide a high precision rate in detecting the use of RATs. What's more, it lets us know if RATs are being actively used on a target computer or installed but inactive.

From here, we can detect additional user behavior. The suspicious activity would be flagged if the user is making transactions or is engaged in other banking-related activities whilst on a video call or screen-sharing platform.

Therefore, detecting RAT abuse without disrupting a genuine session takes precise analysis. We’ve been supporting financial services companies for quite some time by detecting this risk signal with outstanding performance on both websites, mobile apps, and mobile websites. 

We've performed perfect detection of active AnyDesk sessions for one of our valued clients, Kanga Exchange, using only the user’s IP address. If you want to learn how we can detect RATs abuse on your websites and mobile apps with the highest precision, contact us, and we’ll show you how.