Don’t Get Bitten: The Story of the Social RAT-in-the-Browser

A Remote Access Trojan (RAT) is malware that runs on your computer and gives a cybercriminal unrestricted access to it, which they can use to steal information or install further malicious software. RATs give fraudsters control of infected endpoints and are typically installed silently, without the victim’s knowledge.

They are able to operate under the radar of traditional security measures because a RAT’s installer is usually bundled with a legitimate program. Once installed, the RAT lets an intruder do just about anything on the targeted computer: access confidential information such as credit card and social security numbers, activate the system’s camera or webcam, distribute malware, or alter files.

From the Mouth of the Rat Springs the RitB

RATs have been used by nation states and hacktivists for many years. Recently, however, we’ve seen this remote access attack vector migrate to online banking fraud, enabling even fraudsters with minimal technical know-how to take over a victim’s mobile device or computer and transfer money out of their account. These banking-focused RATs, termed RAT-in-the-Browser (RitB), give cybercriminals access to banking credentials and account information, making fraudsters more eager than ever to find new tools that let them penetrate user systems quickly and easily.

One of the reasons these Trojans have spread so rapidly is because banks often use traditional security measures such as device fingerprinting to validate a device’s reputation, assigning ‘risk’ to new or untrustworthy devices and assigning ‘trust’ to known user devices.

RitB sessions are, therefore, often successful, because the fraudulent session originates from the victim’s own trusted device and these detection tools find nothing unusual. Such attacks differ slightly from a generic RAT by specifically targeting online banking. Dyre and Dridex are both widespread Trojans that currently target commercial banking and use RitB. The increase in such attacks is due in large part to the ease with which a fraudster can conduct an end-to-end session, including a fraudulent money transfer.

Introducing the Social RitB

RitB and Social RitB pose a major problem for the banking industry, in large part because existing fraud detection solutions cannot adequately detect such attacks. The common solutions today attempt to identify unknown or infected devices, but they are not designed to identify attacks that are carried out remotely through a legitimate, trusted device, leaving banks and their customers vulnerable. Recently, we’ve witnessed a growing RitB trend, Social RitB, that uses social engineering techniques such as phone calls to convince people to install a remote access tool that is then used to carry out attacks.

Social RitB adds another layer of complexity, as fraudsters are beginning to use social engineering to carry out remote access attacks. All a fraudster needs to do is convince a user to install a standard remote support tool on their computer — for example, Ammyy, UltraVNC, AeroAdmin, or RemotePC — and use it to perpetrate online banking fraud. This type of banking fraud is simple for cybercriminals to carry out: it requires none of the technical know-how needed to develop malware, and no exploit is needed to get the tool onto the victim’s machine, because the victim installs it themselves.

Here’s how it works: a fraudster calls a user and convinces him or her that the caller is an employee of a reputable organization (e.g. an Internet service provider or bank), explains that there is a security issue on the user’s computer, and then fools the user into downloading and installing a remote support tool (or into granting the fraudster access to a tool that is already installed). The fraudster then convinces the user to log in to his or her bank account for a quick ‘security check.’ And voilà, the attacker is in and can submit a fraudulent transaction. This is a relatively easy process for the criminal that requires far less technical know-how and monetary expenditure than a regular RitB attack.

Protecting Against Social RitB

Staying safe from Social RitB is no easy feat and users must know how to protect themselves.

Here are a few suggestions:

  1. Refrain from responding to unsolicited calls.
  2. Upon receiving a call, check in with your bank using a number you know to be genuine and confirm that the request was legitimate.
  3. Do not assume that a person who knows details "only the bank would know" is genuine, as fraudsters obtain this information through phishing, key logging and malware attacks.
  4. To protect against RAT malware infection, refrain from downloading software from untrusted sources and do not click on unknown sites (they may be traps for infecting your computer through exploits).
  5. Many attacks involve receiving messages from known and trusted people, so it’s important to always check back with that person to make sure they sent you the email in question.

Fraudsters continue to find effective ways to circumvent device and malware detection solutions and expose weaknesses. That’s why it’s crucial that you remain aware. Banking Trojans, old and new, will continue to be used in the financial sector due to the enormous monetary payoff for successful cybercriminals. Using effective detection solutions that look at how a session behaves rather than only which device it comes from, such as behavioral biometrics, and staying tuned in to industry updates will also help banks and their customers stay secure.