Social RAT banking attacks on the rise as ‘personalised’ scamming achieves results
Mon 12 Oct 2015
Social RitB (RAT in the Browser) attacks, in which internet fraudsters abandon infected sites and automated techniques for a ‘personal’ approach to online fraud, are on the rise, according to Israeli RAT (Remote Administration Tool) security specialist Biocatch.
A post today at the company’s site says that the technique, which it describes as ‘relatively new’, involves contacting the potential victim directly by phone or other means in the guise of a representative from their ISP, and persuading them that the ISP’s systems have detected that the victim’s computer has been compromised. The fraudster then persuades the target to log in to their financial provider and facilitates the download of legitimate, non-malicious RAT software such as AeroAdmin, RemotePC, UltraVNC or Ammyy, before requesting that the user ‘stand back’ for twenty minutes or so while the PC is cleaned. In fact it’s the victim’s bank account that gets cleaned.
Banks and other financial providers use device fingerprinting to build trust in devices that have successfully accessed their services before, and Social RitB bypasses any warning signals of this nature, since the fraudulent transaction is undertaken on a device with a ‘good history’ and in environmental circumstances that are familiar from the victim’s earlier sessions.
Though more effortful than ‘drive-by’ downloading of malicious RAT software such as Dridex and Neverquest, Social RitB has the advantage of involving no downloads of software likely to set off the end-user’s own antivirus systems – though even standalone, zero-install RAT applications (malicious or otherwise) are likely to trigger at least one user alert which will need to be clicked away before the program is allowed to execute.
RAT software which permits a remote user to completely take over a host computer is a valid and genuinely useful tool for technical support purposes, and malfeasants have no doubt observed that the users least likely to ask questions about such procedures are also probably the least technical and most credulous.
New behavioural approaches to identifying genuine online banking users have been proposed from various quarters in the last few years, in which software analyses how people type, including how they hesitate and the kinds of mistakes they are likely to make. However, these are not yet standard practice in the sector.
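The two defences just described, device-fingerprint trust and typing-behaviour analysis, can be combined in a single session risk check, which also shows why the first on its own is not enough against Social RitB. The following is an added illustration, not code from Biocatch, Ammyy or any bank. The session fields, the baseline figures, the inter-keystroke timings and the ‘more than half of the intervals fall outside three standard deviations’ rule are all constructed assumptions for the example.

```python
"""Hypothetical session risk check combining device trust and typing cadence.

A Social RitB session arrives from a device the bank already trusts, so a
fingerprint-only check passes. The person typing, however, is the fraudster
(working through the remote-control tool), so the keystroke cadence may not
match the legitimate customer's baseline. This example flags that mismatch.
All data below is constructed; the thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass
class Session:
    device_id: str
    trusted_device: bool            # result of the bank's device fingerprinting
    key_intervals_ms: List[int] = field(default_factory=list)  # time between keystrokes


def baseline(history: List[Session]) -> Tuple[float, float]:
    """Mean and population std-dev of inter-key intervals over past genuine sessions."""
    samples = [t for s in history for t in s.key_intervals_ms]
    mu = mean(samples)
    # Floor sigma so a very uniform history does not make every deviation 'anomalous'.
    sigma = max(pstdev(samples), 1.0)
    return mu, sigma


def outside_fraction(session: Session, base: Tuple[float, float], k: float = 3.0) -> float:
    """Fraction of this session's intervals more than k sigma from the baseline mean."""
    mu, sigma = base
    if not session.key_intervals_ms:
        return 0.0
    outside = sum(1 for t in session.key_intervals_ms if abs(t - mu) > k * sigma)
    return outside / len(session.key_intervals_ms)


def assess(session: Session, base: Tuple[float, float], limit: float = 0.5) -> Tuple[str, str]:
    """Return ('allow' | 'step_up', reason). Step-up means extra verification, e.g. a phone call."""
    if not session.trusted_device:
        return "step_up", "unknown device fingerprint"
    frac = outside_fraction(session, base)
    if frac > limit:
        # Device is trusted, yet the typing does not look like the account holder's.
        return "step_up", f"trusted device but {frac:.0%} of keystroke intervals off baseline"
    return "allow", "trusted device, typing cadence matches baseline"


# Constructed history: three earlier genuine sessions from the customer's usual PC.
HISTORY = [
    Session("pc-home", True, [110, 130, 120, 115, 125, 120]),
    Session("pc-home", True, [118, 122, 112, 128, 120, 120]),
    Session("pc-home", True, [125, 115, 120, 130, 110, 120]),
]
# Constructed: the customer logging in again as usual.
GENUINE = Session("pc-home", True, [122, 118, 125, 115, 120, 120])
# Constructed: same trusted PC, but the fraudster is driving it through a RAT.
ATTACKER = Session("pc-home", True, [260, 240, 300, 220, 280, 250])

if __name__ == "__main__":
    base = baseline(HISTORY)
    for label, s in (("genuine", GENUINE), ("social RitB", ATTACKER)):
        decision, reason = assess(s, base)
        print(f"{label:12s} -> {decision}: {reason}")
```

In a real deployment the baseline would be built from dwell and flight times per key pair rather than one pooled interval, and the decision would feed a step-up such as an out-of-band call to the customer, which is exactly the channel the fraudster has already hijacked in a Social RitB call; that is why the bank should initiate the contact using a number on record rather than accept an inbound one.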
Since RAT attacks are giving legitimate vendors a bad name by association, there is increasing ire from them at the abuse. RAT vendor Ammyy has warned its users of the possibility of Social RitB attacks in an advisory:
‘If you receive a phone call claiming to be from ‘Microsoft’ or someone claiming to work on their behalf, telling you that you have a virus on your computer or some errors which they will help you to fix via Ammyy Admin, it is definitely a scam…There also might be phone calls from people presenting themselves as internet service provider technicians or any other tech support specialists…We are advising Ammyy Admin users to treat all unsolicited phone calls with skepticism and not to grant access to your PC to anyone you don’t know personally.’
The post also cites the experiences of Social RitB victims whose cases it knows about:
“I was recently called by what I thought was my internet service provider technician who used Ammyy to gain remote access to my computer – after I stupidly granted him that permission. It turns out that he was nothing to do with my internet service provider. When I became suspicious and began questioning him he said he would show me who he was and opened a website of a company – the web site triggered my virus software and I then demanded that the remote access be terminated.”
The post also advises users who have already fallen victim to an attack to turn off their computer and phone their financial service providers in order to freeze any vulnerable cards or accounts, and then to boot their PCs into safe mode and run a virus check, and seek further legitimate technical support as necessary.
But PEBCAK problems of this nature are notoriously difficult to address even with sound advice.