Behavioral Profiling: Finding the Man Who Wasn’t There
In the movie “Identity,” Pruitt Taylor Vince’s character whispers a verse from the poem “Antigonish,” saying, “As I was going up the stairs, I met a man who wasn’t there. He wasn’t there again today. I wish, I wish he’d go away.”
How do you detect and identify criminal behavior? How do cyber criminals masquerade their actions and make themselves invisible to security systems? Some solutions claim the answer is behavioral profiling.
What Is Behavioral Profiling?
The term “behavioral profiling” is most commonly associated with airport security and “CSI” episodes. This interpretation fits quite well with the Wikipedia definition: “Offender profiling, also known as criminal profiling, is a behavioral and investigative tool that is intended to help investigators to accurately predict and profile the characteristics of unknown criminal subjects or offenders. Offender profiling is also known as criminal profiling, criminal personality profiling, criminological profiling, behavioral profiling or criminal investigative analysis.”
In recent years, behavioral profiling has emerged in the online security world, but is it really behavioral profiling per se? Sadly, the answer is no. Real behavioral profiling is focused on identifying a potential criminal, while computer behavioral profiling systems are focused on identifying normal user patterns. That’s quite a difference!
Behavioral profiling in the online world is a tough task. The suspected cyber criminal cannot be visually seen and/or analyzed for a long period, which is not the case in the physical world. This means that online behavioral profiling is based purely on a limited set of user actions collected by detection systems. That is why current detection systems have opted to analyze normal user behavior, define a normal user profile and then raise a red flag if an action outside of that “normal” profile occurs. This approach should sound familiar — it’s called white-listing.
The problem with white-listing, however, is that cyber criminals are aware of its existence and have found clever ways to circumvent it. The following are just three examples of behavioral profile evasion techniques that have been successfully executed by cyber criminals:
1. Familiarizing the System
The first technique, which was the subject of a recent investigation by the innovation team at IBM, involves the use of stolen credentials in an unusual manner. Instead of logging in with the stolen credentials and committing a fraudulent transaction, the criminals access the compromised accounts multiple times but do not transfer any funds. What are they up to?
This type of behavior clearly shows that cyber criminals are aware of behavioral profiling as well as device profiling systems. Since the criminals are using their own devices to fraudulently access an online bank account, they need to use a technique that does not trip any fraud detection wires.
A new device that immediately adds a payee to an account or tries to send funds will undoubtedly be scrutinized. By accessing an account multiple times with the same device and only performing low-risk actions, the criminals are able to familiarize behavioral and device profiling systems with their device and actions. When a fraudulent transfer is ultimately initiated, the device and its behaviors are not identified as suspicious.
2. Use a Victim’s Device
While the above criminal tactic is performed via a new device, another evasion technique goes one step further and uses the victim’s actual device. However, the idea is the same: As long as the device is not flagged as suspicious, most fraudulent transactions will go unnoticed. Using malware with Remote Desktop Protocol (RDP)/Virtual Network Computing (VNC), the attacker mimics the account holder’s typical transaction amounts. These are easily viewed from a transaction history screen. This allows cyber criminals to commit fraud without raising any suspicion.
It is nearly impossible to identify this type of fraud using behavioral and device profiling platforms. Malware developers have also come up with a clever plug-in that helps them learn a user’s normal behavior. Citadel, a popular financial Trojan, helps criminals capture video from a victim’s device in order to study a user’s behavior patterns, including transaction sums and clickstreams.
3. Using an Automatic Script
The third technique also includes the presence of malware; however, this approach uses an automatic script to transfer funds to predefined mule accounts from the victim’s device. Financial malware is capable of injecting complete scripts into a user’s session without the victim noticing any change in browser behavior. These types of scripts run post-log-in and are configured to take over a session and initiate a fraudulent transaction. This eliminates the need to steal credentials and remotely access the victim’s account as well as the manual work involved in running RDP/VNC malware.
Some behavioral profiling systems can identify these scripts by performing various tests on the activity performed on the transaction page. The most common test is to analyze how fast the transaction page was filled in. For example, humans cannot fill in all the transaction fields in less than a second, which is exactly what the script does. To appear more “human” and evade detection, fraudsters have now incorporated a “slow-fill” function in their malware. This function inserts a random pause between each character input that varies between 0.1 seconds to two seconds to make the behavior of the malware appear normal.
To accurately and decisively detect these attack techniques, multiple security metrics must be collected, correlated and analyzed. These include the presence of malware and RDP access during online banking sessions, the evidence of stolen credentials, risk factors and account activity patterns. This holistic view is the only way to achieve true behavioral profiling and uncover “the man who wasn’t there.”