RDP attacks, digital lenders, crypto exchanges and you

RDP attacks target crypto exchanges and digital lenders, & banks. It's more insidious than account takeover and synthetic identity fraud. Learn how.

Filip Swatek

Product Manager
Vector

2 April 2021

Group

8 min read

The online fraud latest technique that we’ve observed involves a combination of social engineering (classic technique) to gain access to non-internet-savvy users’ PCs and using operating the PC remotely to open "fake" accounts based on real identities with the expressed purpose of committing long term, multi-level fraud. For now, let’s call them “RDP attacks”. And if you're lazy and don't feel like phishing, vishing, and SMSishing your way to a user's RDP endpoints, well you can just buy usernames and passwords online for surprising reasonably prices.

The most precious prize for fraudsters: access to a real but new-to-the-web identity

Creating a profound, even a synthetic digital identity with unique background info is really helpful to fraudsters who want to access merchant sites. But what if you want access to banking and lenders? Online banks, digital lenders, and open banks/fintech companies have access to KYC (Know Your Customer) tools that confirm users' identities against their passports and other documents. In this case, fraudsters need access to a real identity. That is why I think we have seen a new type of fraud with higher frequency especially targeting digital lending and crypto exchanges in Europe and Russia. It’s a new type of scam that needs a name… For now, let’s call them RDP attacks.

What are RDP attacks?

Fraudsters target a group of people who have never been internet-savvy, they have never used the internet to purchase goods/services, and do not have an online history. Fraudsters identify such people and target them for a social engineering attack. Social engineering, in broad terms, is an act that influences a person to take an action that may or may not be in their best interest. The top four methodologies of malicious social engineering are the following:

Phishing emails: The practice of sending emails that appear to be from reputable sources with the goal of influencing or gaining personal information.

Vishing: The practice of eliciting information or attempting to influence action via the telephone, may include such tools as phone spoofing. The goal of vishing is to obtain valuable information that could contribute to the direct compromise of an organization. Impersonation: The practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.

SMiShing: The act of using mobile phone text messages (SMS) to influence victims into immediate action. These actions may include downloading mobile malware, visiting a malicious website, as well as calling a fraudulent phone number.

The fraudster just needs to convince a potential victim to install or enable one of the several available remote desktop software applications. The typical script is the following: “Hi, I’m a representative of [insert name of bank or government agency], and we noticed a problem with your account! If we don’t fix it soon, it could mean serious problems for your savings (or tax bill). I can help you fix it over the phone, can you turn on your desktop computer? I will walk you through the steps of fixing the problem!” Victims who are not internet savvy might struggle with the installation steps but often enough are only too happy to comply. Actually it can be a pretty compelling story, ensnaring even veteran internet and PC users! After fraudsters gain access to their PCs and/or mobile phones and devices, then they can literally assume the victim’s identity, commit fraud with it, and even use the victim’s PC to do it. Two problems for the fraudster are addressed at once.

Remote desktopping fraud provides an added bonus to fraudsters: they gain access to all of the files stored on the computer. Naturally, scanned identification documents are the top prize, but many types of documents, photos, and video can be extremely helpful for creating a profound identity as a launchpad for scams. Oftentimes, fraudsters don’t even want access for the person’s money, they just want it for the gateway to open multiple accounts, launder cash, and take out new loans.

More details about RDP attacks

There have been warnings out there about “remote desktopping fraud”, but I wouldn’t exactly classify it as common knowledge. The FBI even sent out a notification related to it: “the US Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) is warning companies about the dangers of leaving RDP endpoints exposed online.” RDP stands for Remote Desktop Protocol, a proprietary technology developed by Microsoft in the 1990s that allows a user to log into a remote computer and interact with its operating system via a visual interface that includes mouse and keyboard input -- hence the name "remote desktop." RDP access is rarely enabled on home computers, but it's often turned on for workstations in enterprise networks or for computers located in remote locations, where system administrators need access to, but can't get to in person.

If you don’t want to do the search for RDP Endpoints yourself, you can just buy lists online for surprisingly inexpensive prices. For example, Makost[dot]net is a service advertised on cybercrime forums which sells access to RDPs, mainly Microsoft Windows systems that have been configured to accept “Remote Desktop Protocol” connections from the Internet. MS Windows ships with its own RDP interface built-in; to connect to another Windows desktop or server remotely, you simply open up the Remote Desktop Connection utility in Windows, type in the address of the remote system, and enter the correct username and password for a valid user account on that remote system. Once the connection is made, you’ll see the remote computer’s desktop as if you were sitting right in front of it, and have access to all its programs and files.

rdp-attacks-example

COVID has provided a nice cover for fraudsters’ expansion of remote desktopping. In addition to Microsoft RDP utility, another popular tool for fraudsters is AnyDesk, a remote desktop application that boasts over 300 million downloads worldwide. They offered a free version available to all students “so they can easily maintain a seamless learning environment in today's changing education landscape… to allow them to complete their assignments and stay connected with their educators and classmates." In this case, fraudsters don’t even have to use multi-step social engineering to get a potential victim to download the remote desktop application. Most of the steps are already covered! Other remote desktop applications that are popular with fraudsters include TeamViewer and VNC Connect. Obviously, remote desktop applications have their legitimate, helpful use cases, but it’s important to remember that they’re also extremely powerful tools for fraud.

A new year with new fraud techniques but also some classics

Fraudsters have been innovators for a long time, but this last year has seen an unprecedented spike in activity. With remote desktopping, fraudsters can hide behind the “real” identity of a person that doesn’t have an active online presence and therefore won’t notice the online fraudulent activity. COVID provides some useful cover for this scam because perfectly legal remote desktop applications have become more common and in some cases may have already been downloaded to the PC of a fraud victim. In a future post I will give an overview of the new SaaS tools that are available to online fraudsters, most of which appeared only in the last 12-18 months. It’s part of the trend of “Professionalization of Fraud” that we have observed at Nethone. In the past, unsophisticated fraudsters were limited to carding. Now, as my colleague Hubert Rachwalski recently put it, the barrier to entry to this space is merely having the financial resources to subscribe to these new tools; there is less training needed, fraudsters just purchase access, generate credentials, go through basic configuration of parameters, and they’re ready to go. And it’s difficult to detect these tools. We’re happy to share some of the names of the tools that are available in private meetings, but we don’t want to promote them in publicly accessible content. In order to stand a chance in this fight, you need profiling capability that is able to recognize that you’re not dealing with a normal user, but instead an excellent imitation. Feel free to reach out via Calendly and book a meeting with one of our experts.

RDP attacks - fraud references


If you wish to protect your business from RDP attacks, let us show you how our advanced fraud solution can work for you.

Ready to detect fraud just like Azul?

Ready to detect fraud just like Azul?

Start measuring fraud attacks today and find out if there are bots attacking your site. Arrange a call to discuss a tailored solution or explore our platform for free.

Book a call