RAT detection: How to avoid RATs abuse in your financial services business
Explore the growing threat of remote access tools (RATs), understand the risks, and learn crucial insights into preventing remote access abuse.
Michał Pawlik, VP of BD CEE
28 November 2023
Remote access tools have a practical and effective use. We are all familiar with AnyDesk, TeamViewer, and similar solutions, and most of us have used them at least once. They let technical experts diagnose and fix problems via remote access when over-the-phone instructions are inefficient. Yet, in the wrong hands, RATs become a double-edged sword. Fraudsters know that most people are familiar with remote control software and with the kinds of companies that use it, and they exploit that familiarity to their advantage.
Before we move any further, it's worth noting the difference between remote access tools and remote access trojans, which both unfortunately have the RAT acronym.
Remote access tools are legitimate applications for gaining remote access, often requiring the user's consent or some action to grant access.
Remote access trojans are malware designed to achieve the same effect without the user's permission. This malicious software is typically disguised as something else and delivered through emails or websites.
For this particular article, we are talking about remote access tools. This is because these tools represent a very different risk. They require user behavior to work, whereas trojans must fight your firewall and other malware detection systems.
Remote access tools are used by fraudsters in social engineering schemes, often by phishing or otherwise representing a legitimate company or individual. Let's go through some of the more common approaches.
First, let's imagine a fraudster impersonating a bank's customer service or any other financial service that deals with sensitive data and accounts. This is achieved through various means:
In any case, the goal is to persuade the user to install the remote access tool and grant access. Once in, the fraudster controls the machine or device and everything stored on it. In short, whatever that user can access, so can the fraudster. At a glance, this includes financial accounts, passwords, and other accounts, as well as any wider networks the fraudster can now reach while assuming the victim's identity. In the worst cases, the compromised computer also holds log files and other data that can be reused in further fraud.
Here are a few specific scenarios in financial services:
There's a reason the above scenarios don't trigger any suspicious behavior alerts in your typical defenses. Because they require the user to install genuine software, and then permit access, there is no immediate data or security breach. They avoid many standard antifraud or intrusion detection systems, especially those related to device fingerprinting. Since the user's account is legitimate, device fingerprinting is completely circumvented.
Even when detection is possible, fraudsters are clever enough to use a proxy server, VPN, or similar means to protect their IP addresses and remain hidden as much as possible.
With cybersecurity legislation becoming increasingly complex, it's arguably only a matter of time before businesses are required to operate an advanced intrusion detection environment that can detect RAT abuse.
For example, PSD2 doesn't cover such cases, but the updates on PSD3 standards will cover suspicious behavior and advanced behavioral analysis of user activity. Much of this puts a great deal of emphasis on banks and other payment providers. As RAT manipulation, social engineering, phishing, and other scams grow in frequency, it's only natural that compliance standards will increase to match.
So it's not about detecting RATs, but rather detecting RAT abuse. Remote control solutions leave traces of their activity behind, typically in the form of low-level network data. However, knowing that remote access has been granted doesn't help unless you also understand the situation in which it is being used.
How do we distinguish suspicious behavior from genuine use? The anomalies caused by RAT software provide the first signals we can further analyze with advanced algorithms. Specifically, we monitor user behavior and assess whether the current activity matches what should be expected. These factors combined provide a high precision rate in detecting the use of RATs. What's more, it lets us know if RATs are being actively used on a target computer or installed but inactive.
From here, we can go further with user behavior. Activity is flagged as suspicious if the user is making transactions or performing other banking-related actions while a video call or screen-sharing session is active.
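The two signals described above, an active remote-control session and a behavioral departure from the user's baseline, can be correlated in a simple event-stream rule. The block below is an added illustration, not the detection logic of the author's product; the event names, the session telemetry and the baseline threshold are constructed for this example.

```python
# Constructed sample session telemetry (not real data): one banking session in which a
# remote-control tool is installed, later becomes active, and a transfer follows.
SAMPLE_EVENTS = [
    ("2023-11-28T10:00:00", "login", {}),
    ("2023-11-28T10:00:30", "remote_tool_installed", {"tool": "example-tool"}),
    ("2023-11-28T10:01:00", "view_balance", {}),
    ("2023-11-28T10:05:00", "remote_session_start", {"tool": "example-tool"}),
    ("2023-11-28T10:06:00", "add_payee", {"new_payee": True}),
    ("2023-11-28T10:07:00", "transfer", {"amount": 4800, "new_payee": True}),
    ("2023-11-28T10:09:00", "remote_session_end", {}),
    ("2023-11-28T10:12:00", "transfer", {"amount": 40, "new_payee": False}),
]


def remote_tool_state(events):
    """Classify the device at the end of the stream: 'active' while a remote session is
    open, 'installed' if a tool was seen but no session is open, otherwise 'none'.
    This is the installed-but-inactive vs. actively-used distinction."""
    installed, active = False, False
    for _, kind, _ in sorted(events, key=lambda e: e[0]):
        if kind == "remote_tool_installed":
            installed = True
        elif kind == "remote_session_start":
            installed = active = True
        elif kind == "remote_session_end":
            active = False
    return "active" if active else ("installed" if installed else "none")


def assess_session(events, typical_amount=500):
    """Return (timestamp, event, reason) alerts. Only an action taken while a remote
    session is active *and* that departs from the user's baseline is flagged; an idle
    tool, or ordinary activity during a genuine support session, raises nothing."""
    remote_active = False
    alerts = []
    for ts, kind, attrs in sorted(events, key=lambda e: e[0]):
        if kind == "remote_session_start":
            remote_active = True
        elif kind == "remote_session_end":
            remote_active = False
        elif kind in ("transfer", "add_payee") and remote_active:
            reasons = []
            if attrs.get("new_payee"):
                reasons.append("new payee")
            if attrs.get("amount", 0) > 3 * typical_amount:  # constructed baseline rule
                reasons.append("amount above baseline")
            if reasons:
                alerts.append((ts, kind, ", ".join(reasons)))
    return alerts
```

In the sample stream only the payee creation and the large transfer made during the open remote session are flagged; the small transfer after the session ends is not.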
Therefore, detecting RAT abuse without disrupting a genuine session takes precise analysis. We've been supporting financial services companies for quite some time by detecting this risk signal with outstanding performance across websites, mobile apps, and mobile websites.
We've performed perfect detection of active AnyDesk sessions for one of our valued clients, Kanga Exchange, using only the user's IP address. If you want to learn how we can detect RAT abuse on your websites and mobile apps with the highest precision, contact us, and we'll show you how.