In the movie “Identity,” Pruitt Taylor Vince’s character whispers a verse from the poem “Antigonish,” saying, “As I was going up the stairs, I met a man who wasn’t there. He wasn’t there again today. I wish, I wish he’d go away.”

How do you detect and identify criminal behavior? How do cyber criminals masquerade their actions and make themselves invisible to security systems? Some solutions claim the answer is behavioral profiling.

What Is Behavioral Profiling?

The term “behavioral profiling” is most commonly associated with airport security and “CSI” episodes. This interpretation fits quite well with the Wikipedia definition: “Offender profiling, also known as criminal profiling, is a behavioral and investigative tool that is intended to help investigators to accurately predict and profile the characteristics of unknown criminal subjects or offenders. Offender profiling is also known as criminal profiling, criminal personality profiling, criminological profiling, behavioral profiling or criminal investigative analysis.”

In recent years, behavioral profiling has emerged in the online security world, but is it really behavioral profiling per se? Sadly, the answer is no. Real behavioral profiling is focused on identifying a potential criminal, while computer behavioral profiling systems are focused on identifying normal user patterns. That’s quite a difference!

Behavioral profiling in the online world is a tough task. The suspected cyber criminal cannot be visually seen and/or analyzed for a long period, which is not the case in the physical world. This means that online behavioral profiling is based purely on a limited set of user actions collected by detection systems. That is why current detection systems have opted to analyze normal user behavior, define a normal user profile and then raise a red flag if an action outside of that “normal” profile occurs. This approach should sound familiar — it’s called white-listing.

The problem with white-listing, however, is that cyber criminals are aware of its existence and have found clever ways to circumvent it. The following are just three examples of behavioral profile evasion techniques that have been successfully executed by cyber criminals:

1. Familiarizing the System

The first technique, which was the subject of a recent investigation by the innovation team at IBM, involves the use of stolen credentials in an unusual manner. Instead of logging in with the stolen credentials and committing a fraudulent transaction, the criminals access the compromised accounts multiple times but do not transfer any funds. What are they up to?

This type of behavior clearly shows that cyber criminals are aware of behavioral profiling as well as device profiling systems. Since the criminals are using their own devices to fraudulently access an online bank account, they need to use a technique that does not trip any fraud detection wires.

A new device that immediately adds a payee to an account or tries to send funds will undoubtedly be scrutinized. By accessing an account multiple times with the same device and only performing low-risk actions, the criminals are able to familiarize behavioral and device profiling systems with their device and actions. When a fraudulent transfer is ultimately initiated, the device and its behaviors are not identified as suspicious.

2. Use a Victim’s Device

While the above criminal tactic is performed via a new device, another evasion technique goes one step further and uses the victim’s actual device. However, the idea is the same: As long as the device is not flagged as suspicious, most fraudulent transactions will go unnoticed. Using malware with Remote Desktop Protocol (RDP)/Virtual Network Computing (VNC), the attacker mimics the account holder’s typical transaction amounts. These are easily viewed from a transaction history screen. This allows cyber criminals to commit fraud without raising any suspicion.

It is nearly impossible to identify this type of fraud using behavioral and device profiling platforms. Malware developers have also come up with a clever plug-in that helps them learn a user’s normal behavior. Citadel, a popular financial Trojan, helps criminals capture video from a victim’s device in order to study a user’s behavior patterns, including transaction sums and clickstreams.

3. Using an Automatic Script

The third technique also includes the presence of malware; however, this approach uses an automatic script to transfer funds to predefined mule accounts from the victim’s device. Financial malware is capable of injecting complete scripts into a user’s session without the victim noticing any change in browser behavior. These types of scripts run post-log-in and are configured to take over a session and initiate a fraudulent transaction. This eliminates the need to steal credentials and remotely access the victim’s account as well as the manual work involved in running RDP/VNC malware.

Some behavioral profiling systems can identify these scripts by performing various tests on the activity performed on the transaction page. The most common test is to analyze how fast the transaction page was filled in. For example, humans cannot fill in all the transaction fields in less than a second, which is exactly what the script does. To appear more “human” and evade detection, fraudsters have now incorporated a “slow-fill” function in their malware. This function inserts a random pause between each character input that varies between 0.1 seconds to two seconds to make the behavior of the malware appear normal.

To accurately and decisively detect these attack techniques, multiple security metrics must be collected, correlated and analyzed. These include the presence of malware and RDP access during online banking sessions, the evidence of stolen credentials, risk factors and account activity patterns. This holistic view is the only way to achieve true behavioral profiling and uncover “the man who wasn’t there.”

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

How Security Teams Combat Disinformation and Misinformation

“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…