What are the current trends in online fraud? Last year, we certainly saw an increase in Account Takeover (ATO) activity -- more time invested in ATO by fraudsters and an expansion of the tools used to commit it. What can we expect to see in 2021? I would encapsulate my latest observations this way: even unsophisticated fraudsters are increasingly able to commit highly sophisticated fraud thanks to access to more professional software and automation tools, some of which were created expressly for the purpose of committing online fraud. The latest technique I’ve observed combines social engineering (a classic technique) with gaining access to non-internet-savvy users’ PCs and using them to generate real identities for the express purpose of committing long-term, multi-level fraud. For now, let’s call it “remote desktopping.”
The most precious prize for fraudsters: access to a real but new-to-the-web identity
Creating a detailed digital identity with unique background information is very useful to fraudsters who want to access merchant sites. But what if you want access to banks and lenders? Online banks, digital lenders, and open banking/fintech companies use KYC (Know Your Customer) tools that verify users’ identities against their passports and other documents. In this case, fraudsters need access to a real identity.
That is why I think we have seen a new type of fraud appearing with higher frequency, especially targeting digital lending in Europe and Russia. It’s a new type of scam that needs a name… For now, let’s call it remote desktopping.
What is remote desktopping?
Fraudsters target people who have never been internet-savvy: they have never used the internet to purchase goods or services and have no online history. Fraudsters identify such people and target them with a social engineering attack. Social engineering, in broad terms, is an act that influences a person to take an action that may or may not be in their best interest. The top four methods of malicious social engineering are the following:
Phishing: The practice of sending emails that appear to be from reputable sources with the goal of influencing or gaining personal information.
Vishing: The practice of eliciting information or attempting to influence action via the telephone; it may include tools such as caller ID spoofing. The goal of vishing is to obtain valuable information that could contribute to the direct compromise of an organization.
Impersonation: The practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.
SMiShing: The act of using mobile phone text messages (SMS) to influence victims into immediate action. These actions may include downloading mobile malware, visiting a malicious website, as well as calling a fraudulent phone number.
The fraudster just needs to convince a potential victim over the phone to install one of several available remote desktop applications. The typical script is the following: “Hi, I’m a representative of [insert name of bank or government agency], and we noticed a problem with your account! If we don’t fix it soon, it could mean serious problems for your savings (or tax bill). I can help you fix it over the phone; can you turn on your desktop computer? I will walk you through the steps of fixing the problem!” Victims who are not internet-savvy might struggle with the installation steps, but often enough they are only too happy to comply.
Once fraudsters gain access to the victim’s PC and/or mobile devices, they can literally assume the person’s identity, commit fraud with it, and even use the victim’s own PC to do so. Two problems are solved at once: the fraudster has a clean identity and a device that matches it.
Remote desktopping provides an added bonus to fraudsters: they gain access to all of the files stored on the computer. Naturally, scanned identification documents are the top prize, but many types of documents, photos, and videos can be extremely helpful for building a detailed identity as a launchpad for scams. Oftentimes, fraudsters don’t even want access to the person’s money; they want the identity as a gateway to open multiple accounts.
More details about remote desktopping
There have been warnings out there about “remote desktopping,” but I wouldn’t exactly classify it as common knowledge. The FBI even sent out a notification related to it: “the US Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) is warning companies about the dangers of leaving RDP endpoints exposed online.” RDP stands for Remote Desktop Protocol, a proprietary technology developed by Microsoft in the 1990s that allows a user to log into a remote computer and interact with its operating system via a visual interface that includes mouse and keyboard input -- hence the name "remote desktop." RDP access is rarely enabled on home computers, but it is often turned on for workstations in enterprise networks or for computers in remote locations that system administrators need to reach but cannot visit in person.
Fraudsters who don’t want to search for exposed RDP endpoints themselves can simply buy lists online for surprisingly low prices. For example, Makost[dot]net is a service advertised on cybercrime forums that sells access to RDP endpoints, mainly Microsoft Windows systems that have been configured to accept Remote Desktop Protocol connections from the Internet. Windows ships with its own RDP client built in: to connect to another Windows desktop or server remotely, you open the Remote Desktop Connection utility, type in the address of the remote system, and enter the username and password of a valid user account on that system. Once the connection is made, you see the remote computer’s desktop as if you were sitting right in front of it, with access to all of its programs and files.
COVID has provided convenient cover for fraudsters’ expansion of remote desktopping. In addition to the Microsoft RDP utility, another tool popular with fraudsters is AnyDesk, a remote desktop application that boasts over 300 million downloads worldwide. AnyDesk offered a free version to all students “so they can easily maintain a seamless learning environment in today's changing education landscape… to allow them to complete their assignments and stay connected with their educators and classmates." In this case, fraudsters don’t even have to use multi-step social engineering to get a potential victim to download a remote desktop application; most of the steps are already covered! Other remote desktop applications popular with fraudsters include TeamViewer and VNC Connect. Obviously, remote desktop applications have legitimate, helpful use cases, but it’s important to remember that they are also extremely powerful tools for fraud.
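From the defender’s side, the two signals described above (an RDP session reaching a machine from an unexpected place, and a remote-support tool such as AnyDesk, TeamViewer or VNC starting on a machine that was never meant to run one) are both visible in ordinary endpoint logs. The script below is an added example, not code from the original post or from Nethone: it runs a small detection over constructed, Windows-style log records. It assumes a simple `key=value` log format, that Windows Security event 4624 with LogonType 10 (RemoteInteractive) marks an RDP logon, and placeholder values for the trusted admin network (`10.0.9.0/24`) and the approved support host (`HELPDESK-01`); all hostnames, usernames and addresses are constructed.

```python
"""
Added example (not from the original post or Nethone): flag remote-desktop
activity in constructed Windows-style log records.

Two signals are checked:
  1. Security event 4624 with LogonType 10 (RemoteInteractive, i.e. an RDP
     logon) whose source address is outside an allowlist of admin networks.
  2. A process start for a well-known remote-access tool (AnyDesk, TeamViewer,
     VNC, the built-in mstsc client) on a host not approved to run one.
The log format, networks, hostnames and users below are assumptions made for
this example.
"""
from dataclasses import dataclass
import ipaddress
import re

REMOTE_INTERACTIVE = 10  # Windows LogonType 10 = RemoteInteractive (RDP)

# Image-name patterns for the remote-access tools the post names (case-insensitive).
REMOTE_TOOL_PATTERNS = [
    re.compile(r"anydesk", re.I),
    re.compile(r"teamviewer", re.I),
    re.compile(r"vnc", re.I),            # VNC Connect / vncserver / vncviewer
    re.compile(r"\bmstsc\.exe$", re.I),  # Windows Remote Desktop Connection client
]

# Assumed allowlist: admin jump-host network from which RDP logons are expected.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.0.9.0/24")]
# Assumed: the only host where a remote-support tool is sanctioned.
HOSTS_APPROVED_FOR_REMOTE_TOOLS = {"HELPDESK-01"}

# Constructed sample records in the assumed key=value format.
SAMPLE_LOG = [
    'event=4624 host=WS-ACCT-17 user=j.kowalski logon_type=10 src=10.0.9.14',
    'event=4624 host=WS-ACCT-17 user=j.kowalski logon_type=10 src=203.0.113.45',
    'event=4624 host=WS-ACCT-18 user=a.nowak logon_type=2 src=-',
    'event=process_start host=HOME-PC-01 user=m.wisniewska image="C:\\Users\\m.wisniewska\\Downloads\\AnyDesk.exe"',
    'event=process_start host=HELPDESK-01 user=support image="C:\\Program Files\\TeamViewer\\TeamViewer.exe"',
    'event=process_start host=WS-ACCT-18 user=a.nowak image="C:\\Windows\\System32\\notepad.exe"',
]


@dataclass
class Finding:
    host: str
    reason: str
    detail: str


def parse_kv(line: str) -> dict:
    """Parse 'key=value key="quoted value"' records into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}


def is_allowed_source(addr: str) -> bool:
    """True only when the source parses as an IP inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unparsable source (e.g. '-') is never trusted
    return any(ip in net for net in ALLOWED_RDP_SOURCES)


def analyse(lines):
    """Return a Finding for every record that matches one of the two signals."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        host = rec.get("host", "?")
        if rec.get("event") == "4624" and rec.get("logon_type") == str(REMOTE_INTERACTIVE):
            src = rec.get("src", "")
            if not is_allowed_source(src):
                findings.append(Finding(host, "rdp_logon_from_unexpected_source",
                                        f"user={rec.get('user')} src={src}"))
        elif rec.get("event") == "process_start":
            image = rec.get("image", "")
            if (any(p.search(image) for p in REMOTE_TOOL_PATTERNS)
                    and host not in HOSTS_APPROVED_FOR_REMOTE_TOOLS):
                findings.append(Finding(host, "remote_access_tool_started", f"image={image}"))
    return findings


def run_demo():
    """Run the detection over the constructed sample log."""
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.host}: {f.reason} ({f.detail})")
```

On the sample log this yields two findings: the RDP logon to WS-ACCT-17 from 203.0.113.45 (outside the admin network) and AnyDesk starting on HOME-PC-01, while the TeamViewer start on the approved helpdesk host and the ordinary console logon are ignored. The same two checks carry over to a real SIEM: the logon-type filter is what separates RDP from console and network logons, and the process allowlist is what separates sanctioned support tooling from a victim being walked through an installation over the phone.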
A new year with new fraud techniques
Fraudsters have been innovators for a long time, but this last year has seen an unprecedented spike in activity. With remote desktopping, fraudsters can hide behind the “real” identity of a person who has no online presence and therefore won’t notice the fraudulent online activity. COVID provides useful cover for this scam because perfectly legal remote desktop applications have become more common and, in some cases, may already have been installed on the PC of a fraud victim.
In a future post I will give an overview of the new SaaS tools that are available to online fraudsters, most of which appeared only in the last 12-18 months. They are part of the trend of “Professionalization of Fraud” that we have observed at Nethone. In the past, unsophisticated fraudsters were limited to carding. Now, as my colleague Hubert Rachwalski recently put it, the barrier to entry to this space is merely having the financial resources to subscribe to these new tools; less training is needed, as fraudsters just purchase access, generate credentials, go through a basic configuration of parameters, and they’re ready to go. And these tools are difficult to detect. We’re happy to share some of the names of the tools that are available in private meetings, but we don’t want to promote them in publicly accessible content. In order to stand a chance in this fight, you need profiling capability that can recognize that you’re not dealing with a normal user, but with an excellent imitation. Feel free to reach out via Calendly and book a meeting with one of our experts.