Imagine a piece of malware that is practically impossible to detect and can suck a victim’s bank account dry – because it was installed by the user, and acts like any other legitimate piece of software. That is exactly what a new form of a socially-engineered RAT (Remote Access Tool) attack does – and according to Israeli financial security tech firm BioCatch, the company’s solution is the only one that can detect and prevent these attacks.

The so-called RAT-in-the-Browser (RitB) attacks are relatively new, said BioCatch. They rely on social engineering to install malware such as Dyre and Dridex. Far more sophisticated than the usual scripts that monitor a user’s activities and upload data on passwords and other sensitive data to servers – activities that good cyber-defense systems can detect – the malware attacks usually include a human element, with victims instructed to call a phone number or install a remote support tool that lets fraudsters see exactly how much money a user has in their account, and monitor communications to the bank server in order to get their login data and suck their accounts dry.

How the RATs work

In a Dyre attack, for example, a user gets a spear-phishing message that prompts them to click on a link, which installs a Trojan horse called Upatre. By itself, Upatre does nothing – but after it is installed, it contacts a hacker server to install the Dyre malware (the one-step removed installation process ensures that cyber-security systems won’t detect the Dyre installation, since the user has not done anything to directly install it).

The next time a user tries to log onto their banking web site, Dyre alters the server’s response, displaying a phone number for the victim to call. The phone number, needless to say, is answered not by the bank, but by hackers – who, using advanced social engineering techniques, extract the relevant information from the victim, or instruct them to install a remote access tool (Teamviewer, LogMeIn, etc.) that let the hacker see what is happening in real time on the victim’s computer. The hacker then has the victim log in their account – taking care to capture the user name and password – and does a log-in themselves either at the same time or shortly afterwards. Either way, the victim’s account is empty.

It’s a sophisticated piece of social engineering – and almost impossible to prevent, because the victim is a direct party to the fraud. But the key word in that phrase is “almost,” said BioCatch – because its system can detect when a user is being fooled by a hacker, and intervene to prevent it.

Fighting back

In the year or so since Dyre, Dridex, and their evil spawn have been in the field, they has been used by hackers to purloin hundreds of millions of dollars from private individuals and businesses – including very big ones. The plague had become so bad that it prompted a special investigation by the US Department of Justice, which announced just this week that it had indicted Andrey Ghinkul, aka Andrei Ghincul and Smilex, 30, of Moldova, for running a scam using the malware. He is currently being held in Cyprus, and the US is desperately seeking his extradition.

But with BioCatch, banks don’t have to wait for the DoJ to protect themselves.BioCatch’s take on security gives it an advantage for a proactive approach to catching cyber-criminals before they actually do anything, BioCatch CEO Ron Moritz told the Times of Israel. “Online finance and banking sites, among others, require users to enter names and passwords to gain access, but that still doesn’t guarantee security. Our system provides a much better level of protection, checking over 400 bio-behavioral, cognitive and physiological parameters to create unique user profiles for visitors to banking and eCommerce sites.”

Similar to handwriting, said Moritz, each user has an individual “web presence” — a certain way of moving their mouse, how fast they move it on the page, which links they click on and in what order, etc. BioCatch calls this the Cognitive Signature, a sum total of all the factors that go into an interactive session. BioCatch’s technology can record all this information, associating it with the specific user who is logged in and interacting with the site.

When a user interacts with a BioCatch-powered site for the first time, the system records their behavior, adding it to their user profile, along with username and password information. When the user returns, the site’s authentication system checks the login information — while BioCatch checks to see if the user’s Cognitive Signature matches the one in their profile. If it doesn’t, that user is barred from accessing the online account and information – even if they have the right password.

That would include exceptional or unusual behavior when interacting with a banking site, said Oren Kedem, VP Products of BioCatch. With its system, BioCatch can determine if the user accessing a bank account is moving the mouse in the usual way, or if they are clicking on links in the usual order. If there is a deviation, the bank is alerted immediately – and the transaction is nipped in the bud. Thus, regardless of how badly a victim has been fooled, the system can prevent them from getting ripped off.

“BioCatch consistently works to stay ahead of the game in combating fraud,” said Kedem. “With each attempted malware attack caught by BioCatch, we are able to derive valuable information that helps us identify and defend against new threats, providing the most sophisticated up-to-date protection for our customers.”

To publicize the attacks, and to spread the word on how to prevent them, BioCatch is inviting users to sign up for its free RAT wars kit, with members getting “access to exclusive data, events and more.” Member of the “RAT club” or not, BioCatch is hoping that banks will heed its call and adopt its solution. “Our customers deserve the most advanced technology on the market capable of protecting against increasingly complex and hostile cyberattacks,” said Avi Turgeman, CTO of BioCatch. “That’s why we are continuously driven to innovate and stay ahead of cyber criminals.”