In the movie “Identity,” Pruitt Taylor Vince’s character whispers a verse from the poem “Antigonish,” saying, “As I was going up the stairs, I met a man who wasn’t there. He wasn’t there again today. I wish, I wish he’d go away.”

How do you detect and identify criminal behavior? How do cyber criminals masquerade their actions and make themselves invisible to security systems? Some solutions claim the answer is behavioral profiling.

What Is Behavioral Profiling?

The term “behavioral profiling” is most commonly associated with airport security and “CSI” episodes. This interpretation fits quite well with the Wikipedia definition: “Offender profiling, also known as criminal profiling, is a behavioral and investigative tool that is intended to help investigators to accurately predict and profile the characteristics of unknown criminal subjects or offenders. Offender profiling is also known as criminal profiling, criminal personality profiling, criminological profiling, behavioral profiling or criminal investigative analysis.”

In recent years, behavioral profiling has emerged in the online security world, but is it really behavioral profiling per se? Sadly, the answer is no. Real behavioral profiling is focused on identifying a potential criminal, while computer behavioral profiling systems are focused on identifying normal user patterns. That’s quite a difference!

Behavioral profiling in the online world is a tough task. The suspected cyber criminal cannot be visually seen and/or analyzed for a long period, which is not the case in the physical world. This means that online behavioral profiling is based purely on a limited set of user actions collected by detection systems. That is why current detection systems have opted to analyze normal user behavior, define a normal user profile and then raise a red flag if an action outside of that “normal” profile occurs. This approach should sound familiar — it’s called white-listing.

The problem with white-listing, however, is that cyber criminals are aware of its existence and have found clever ways to circumvent it. The following are just three examples of behavioral profile evasion techniques that have been successfully executed by cyber criminals:

1. Familiarizing the System

The first technique, which was the subject of a recent investigation by the innovation team at IBM, involves the use of stolen credentials in an unusual manner. Instead of logging in with the stolen credentials and committing a fraudulent transaction, the criminals access the compromised accounts multiple times but do not transfer any funds. What are they up to?

This type of behavior clearly shows that cyber criminals are aware of behavioral profiling as well as device profiling systems. Since the criminals are using their own devices to fraudulently access an online bank account, they need to use a technique that does not trip any fraud detection wires.

A new device that immediately adds a payee to an account or tries to send funds will undoubtedly be scrutinized. By accessing an account multiple times with the same device and only performing low-risk actions, the criminals are able to familiarize behavioral and device profiling systems with their device and actions. When a fraudulent transfer is ultimately initiated, the device and its behaviors are not identified as suspicious.

2. Use a Victim’s Device

While the above criminal tactic is performed via a new device, another evasion technique goes one step further and uses the victim’s actual device. However, the idea is the same: As long as the device is not flagged as suspicious, most fraudulent transactions will go unnoticed. Using malware with Remote Desktop Protocol (RDP)/Virtual Network Computing (VNC), the attacker mimics the account holder’s typical transaction amounts. These are easily viewed from a transaction history screen. This allows cyber criminals to commit fraud without raising any suspicion.

It is nearly impossible to identify this type of fraud using behavioral and device profiling platforms. Malware developers have also come up with a clever plug-in that helps them learn a user’s normal behavior. Citadel, a popular financial Trojan, helps criminals capture video from a victim’s device in order to study a user’s behavior patterns, including transaction sums and clickstreams.

3. Using an Automatic Script

The third technique also includes the presence of malware; however, this approach uses an automatic script to transfer funds to predefined mule accounts from the victim’s device. Financial malware is capable of injecting complete scripts into a user’s session without the victim noticing any change in browser behavior. These types of scripts run post-log-in and are configured to take over a session and initiate a fraudulent transaction. This eliminates the need to steal credentials and remotely access the victim’s account as well as the manual work involved in running RDP/VNC malware.

Some behavioral profiling systems can identify these scripts by performing various tests on the activity performed on the transaction page. The most common test is to analyze how fast the transaction page was filled in. For example, humans cannot fill in all the transaction fields in less than a second, which is exactly what the script does. To appear more “human” and evade detection, fraudsters have now incorporated a “slow-fill” function in their malware. This function inserts a random pause between each character input that varies between 0.1 seconds to two seconds to make the behavior of the malware appear normal.

To accurately and decisively detect these attack techniques, multiple security metrics must be collected, correlated and analyzed. These include the presence of malware and RDP access during online banking sessions, the evidence of stolen credentials, risk factors and account activity patterns. This holistic view is the only way to achieve true behavioral profiling and uncover “the man who wasn’t there.”

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Fraud Protection

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today