March 31, 2013 By Etay Maor 6 min read

IBM Security has been successfully fighting fraud, particularly financial fraud, with its Trusteer Rapport software solution for the past six years. During this period, both financial fraud and Trusteer Rapport have made huge leaps in technology. Some of the concepts introduced back in 2007 and 2008 are no longer applicable, and some of the techniques fraudsters were using at the time are no longer being used. This is an ongoing battle, one that’s fought every day with help from financial institutions and other IBM partners. It requires accurate and timely intelligence, highly skilled teams that work around the clock and a great deal of innovation and creativity.

IBM Security Trusteer Rapport was created in 2006 following the realization that malware is the future of financial fraud. Malware gives fraudsters absolute power over online communication between customers and their banks. It also provides fraudsters some added agility, as software can be quickly updated and improved. Traditional anti-malware solutions had to address a wide range of viruses and weren’t capable of focusing on the threat of financial malware. This gave fraudsters the opportunity to develop effective methods of evading these vendors’ solutions. Analysts determined that the best way to fight financial malware is through dedicated online banking security software that applies deep knowledge of how financial malware works, and that can rapidly adapt to any change the fraudsters will implement. By focusing on that single task and collaborating with the banks themselves, the company enabled the industry to better prepare for the looming flood of advanced financial malware.

The First Generation

How was Trusteer Rapport designed to meet that challenge? The key requirement was to build a system that is extremely dynamic. Developers invested in a very flexible infrastructure that allows them to safely and quickly update millions of endpoints with new algorithms against financial malware attacks. This shouldn’t be confused with signatures or heuristics updates used by other anti-malware solutions. Trusteer’s updates include new algorithms for fighting financial malware threats, giving the firm enormous power and flexibility in stopping financial fraud.

The first protection algorithms were designed to address the first generation of financial malware, introduced between 2006 and 2007. These were mainly key-loggers, screen-capturing programs and information-stealing browser extensions (BHOs). Trusteer introduced basic algorithms for scrambling keystrokes, blocking attempts to capture the screen while the user accesses online banking and for blocking BHOs from accessing information inside an online banking session. These protection algorithms were very effective in stopping the first generation of financial malware attacks, but analysts knew the fraudsters would advance their capabilities. They just didn’t know in which direction.

The Second Generation

The second generation of financial malware was the man-in-the-browser (MitB). This type of financial malware injects its code into the browser and controls the information exchange between the bank and the customer by tampering with the content displayed. MitB became the weapon of choice for fraudsters because it allowed them to tamper with Web traffic and collect a lot of information beyond usernames and passwords. For example, it allowed fraudsters to alter login pages and ask for details that later let them answer out-of-wallet questions. The success of MitB made key-logging, screen capturing and BHOs obsolete, and their use for financial fraud has practically stopped.
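The web-inject behaviour described above has a simple defender-side counterpart: the bank's page knows which fields its login form is supposed to contain, so any field that appears beyond that manifest is a signal that something rewrote the page. The following is an added example, not Trusteer Rapport code; the manifest, field names and sample HTML are constructed for the illustration, and a regex stands in for the DOM so it also runs under Node.

```javascript
// Added example, not Trusteer Rapport code: a client-side integrity check that
// compares the input fields actually rendered in a login form against the
// manifest the bank's page expects. An MitB web inject that adds questions to
// the login page shows up as unexpected fields. Manifest, field names and the
// sample HTML below are constructed for this illustration.

// Expected fields for the login form: name -> input type.
const LOGIN_MANIFEST = { csrf_token: 'hidden', username: 'text', password: 'password' };

// Extract {name, type} for each <input> in a form's HTML. A regex is used so the
// check also runs under Node; in the page itself, form.querySelectorAll('input')
// would supply the same data from the live DOM.
function extractInputs(formHtml) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(formHtml)) !== null) {
    const attrs = m[1];
    const name = (attrs.match(/\bname\s*=\s*["']([^"']*)["']/i) || [])[1];
    const type = ((attrs.match(/\btype\s*=\s*["']([^"']*)["']/i) || [])[1] || 'text').toLowerCase();
    if (name) inputs.push({ name, type });
  }
  return inputs;
}

// Diff rendered fields against the manifest: injected = present but not expected
// (the classic web-inject signature), missing = expected but absent (form replaced
// wholesale), retyped = present but with a different input type than expected.
function checkLoginForm(formHtml, manifest = LOGIN_MANIFEST) {
  const rendered = extractInputs(formHtml);
  const seen = new Map(rendered.map((i) => [i.name, i.type]));
  const expected = (n) => Object.prototype.hasOwnProperty.call(manifest, n);
  const injected = rendered.filter((i) => !expected(i.name)).map((i) => i.name);
  const missing = Object.keys(manifest).filter((n) => !seen.has(n));
  const retyped = Object.keys(manifest).filter((n) => seen.has(n) && seen.get(n) !== manifest[n]);
  return { ok: injected.length + missing.length + retyped.length === 0, injected, missing, retyped };
}

// Constructed samples: the clean form, and the same form after an inject added
// two extra "security" fields of the kind used to harvest out-of-wallet answers.
const CLEAN_FORM = `
<form id="login" action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>`;

const INJECTED_FORM = CLEAN_FORM.replace(
  '<input type="submit"',
  '<input type="password" name="atm_pin" maxlength="4">\n  <input type="text" name="mothers_maiden_name">\n  <input type="submit"'
);

console.log(checkLoginForm(CLEAN_FORM));    // ok: true
console.log(checkLoginForm(INJECTED_FORM)); // injected: ['atm_pin', 'mothers_maiden_name']
```

In a deployment the manifest would ship with the page and the result would be reported to the bank's back end rather than acted on locally, since malware that controls the browser can also tamper with the check itself. That limitation is the point the article makes about each individual client-side feature holding only for a while.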

To address MitB, IBM Security introduced several new algorithms into Trusteer Rapport focused on preventing financial malware from injecting code into the browser. The team identified the main pathways financial malware can use to inject itself into the browser and created effective ways to control these pathways without affecting legitimate browser activities. Fraudsters would have to change their tactics. But as before, it was impossible to know what that change would be.

The Third Generation

The company then started seeing a third generation of financial malware toolkits. What’s unique about these toolkits is that they’re modular and include an ever-growing set of capabilities, such as remote access and proxying through the user’s device. They also include advanced update capabilities so fraudsters can update infected computers with new features at any given time. Company developers realized that fighting fraud on a feature-by-feature basis puts them at a disadvantage. If a certain financial malware toolkit is installed on thousands of infected computers, and is being updated with a capability they don’t block, there is immediately a huge gap in protection abilities. Even with a quick reaction, there are briefly thousands of infected computers that cyber criminals could abuse for fraudulent purposes.

Fighting Fraud in Teams

Instead of addressing financial malware feature-by-feature, the firm decided to address each financial malware toolkit separately with the goal of not just blocking the toolkit, but making sure that all IBM Security Trusteer customers remained clean of financial malware toolkits. The company split its malware research group into teams, each focused on a different financial malware toolkit. The number of financial malware toolkits is relatively small.

The space consists of a few dozen toolkits. Some are more active and malicious than others, such as Gozi, Bugat, Zeus, Tinba, Carberp, Tatanga, SpyEye, Torpig, Shylock, Ramnit, Silon, Oddjob and Tilon. For each one of these toolkits, teams constantly gather intelligence from their 30 million Rapport installations, hundreds of customer banks and different partner intelligence groups. For each one of these malicious toolkits, team members constantly add algorithms designed to block installations, stop their execution and remove them from the computer. Trusteer’s algorithms go very deep into the behaviors of each one of these toolkits. Teams of engineers take these toolkits apart and derive specific algorithms to address each one of them.

Trusteer Rapport is constantly receiving updates, which is why it remains the most effective solution against financial fraud. Continuous evolution is the only way to stay in the game. The industry is hard-pressed to predict what fraudsters will do next, but Trusteer’s people, process and products take this war to the next level. A fraud manager at one of the firm’s first large banking customers originally said they saw Trusteer Rapport as a six- to nine-month solution before it would become obsolete like all other fraud prevention tools they deployed. Six years later, it’s even more effective and the bank couldn’t be happier with its investment in the technology.

Evolving Prevention

IBM Security’s support team occasionally receives questions about a presentation given at the 44CON conference in 2011, and one of them inspired this account of Trusteer Rapport. A researcher demonstrated how a Trusteer Rapport-aware piece of software can bypass Trusteer Rapport’s character-scrambling mechanism. Customers were interested in understanding how the team addressed these findings. The researcher did a great job demonstrating how dynamic this space is and how each malware-prevention feature or algorithm can only provide a limited defense for a short while. IBM agrees, and this is exactly why Trusteer Rapport keeps evolving.

Since that presentation, Trusteer Rapport has changed multiple times and its algorithms against financial malware were replaced with new ones. Developers no longer rely on character scrambling, screen-capture blocking and many other algorithms introduced over the years. The algorithms applied today are very focused on detecting, terminating and removing a specific set of financial malware toolkits that are used against financial institutions worldwide. The list of toolkits addressed by IBM is determined using an ongoing intelligence gathering and risk analysis process conducted in partnership with hundreds of financial institutions across the globe.

Most of the older algorithms described above are still included in Trusteer Rapport. Protection algorithms are rarely removed from the product, as they could always have an incremental value. However, their development is frozen, and they can’t stop modern malware by themselves. Newer and more advanced versions of some of these algorithms did find their way into other IBM Security Trusteer products where applicable.

IBM is committed to keeping Trusteer Rapport up-to-date with protection algorithms against all financial malware toolkits that are actively attacking financial institutions. Customers benchmark IBM Security solutions against other protection layers, and the results they’re getting are the reason users are seeing so many banks promoting Trusteer Rapport. The product may seem like yet another security software, but it is backed by hundreds of people working around the clock to prevent fraud from reaching a user’s doorstep. A huge amount of expertise and collaboration with banks across the world — as well as tremendous intelligence and forensic investigation activities — are taking place on a daily basis to make sure that Trusteer Rapport maintains the upper hand in this joint war against financial fraud.

Trusteer Rapport’s Role in a Larger Initiative

The evolution of fighting fraud goes way beyond Trusteer Rapport, which is one part of a broader solution set that consists of multiple components. Some of these components are placed on the bank’s Web servers and build a deep understanding of attack patterns against the bank. They look at different aspects of the online session with the bank and are capable of correlating events and behaviors over time. Using this back-end presence, Trusteer is capable of understanding when fraudsters are using a person’s login information to access his or her account and whether the PC itself has been attacked or compromised. Like Trusteer Rapport, these components apply different algorithms that are constantly changing to detect new attack patterns that fraudsters are adopting.
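To make the back-end correlation described above concrete, here is an added example of a toy correlator, not Trusteer code: it scores each transfer against the earlier events recorded for the same account, combining device history, an endpoint malware report and a beneficiary change. The event shapes, thresholds and the sample event stream are all assumptions constructed for the illustration.

```javascript
// Added example, not Trusteer code: a toy back-end correlator that scores each
// transfer by looking at the earlier events recorded for the same account:
// device history, endpoint malware reports and beneficiary changes. Event
// shapes, thresholds and the sample stream are constructed for this illustration.

const MINUTE = 60 * 1000;
const HOUR = 60 * MINUTE;

// Constructed event stream for one account, in chronological order.
const SAMPLE_EVENTS = [
  { ts: '2013-03-01T09:00:00Z', type: 'login', account: 'A1', device: 'dev-home' },
  { ts: '2013-03-10T09:05:00Z', type: 'login', account: 'A1', device: 'dev-home' },
  { ts: '2013-03-10T09:10:00Z', type: 'transfer', account: 'A1', device: 'dev-home', amount: 120 },
  // The endpoint agent on the customer's PC reports a financial malware toolkit.
  { ts: '2013-03-20T20:00:00Z', type: 'endpoint_alert', account: 'A1', device: 'dev-home', detail: 'financial malware toolkit detected' },
  // Hours later the credentials are used from a device the account has never seen.
  { ts: '2013-03-21T02:00:00Z', type: 'login', account: 'A1', device: 'dev-unknown-77' },
  { ts: '2013-03-21T02:03:00Z', type: 'beneficiary_added', account: 'A1', device: 'dev-unknown-77' },
  { ts: '2013-03-21T02:04:00Z', type: 'transfer', account: 'A1', device: 'dev-unknown-77', amount: 4800 },
];

function scoreTransfer(events, transfer) {
  const t = Date.parse(transfer.ts);
  const prior = events.filter((e) => e.account === transfer.account && Date.parse(e.ts) < t);
  const reasons = [];
  let score = 0;

  // 1. Device history: only logins older than 24h establish a "known" device, so a
  //    login made minutes before the transfer cannot vouch for itself. A first-ever
  //    transfer on a brand-new account also trips this and gets step-up auth.
  const knownDevices = new Set(
    prior.filter((e) => e.type === 'login' && t - Date.parse(e.ts) > 24 * HOUR).map((e) => e.device)
  );
  if (!knownDevices.has(transfer.device)) {
    score += 40;
    reasons.push('transfer from a device never seen on this account');
  }

  // 2. Endpoint compromise: one of the account's devices reported malware in the last 72h.
  const alert = prior.find((e) => e.type === 'endpoint_alert' && t - Date.parse(e.ts) <= 72 * HOUR);
  if (alert) {
    score += 30;
    reasons.push(`endpoint ${alert.device} reported: ${alert.detail}`);
  }

  // 3. Velocity: a beneficiary added from the same device within 15 minutes of the transfer.
  const newPayee = prior.find(
    (e) => e.type === 'beneficiary_added' && e.device === transfer.device && t - Date.parse(e.ts) <= 15 * MINUTE
  );
  if (newPayee) {
    score += 30;
    reasons.push('new beneficiary added minutes before the transfer');
  }

  const decision = score >= 70 ? 'hold_for_review' : score >= 40 ? 'step_up_auth' : 'allow';
  return { ts: transfer.ts, amount: transfer.amount, score, decision, reasons };
}

// Score every transfer in the stream against the events that preceded it.
function scoreAllTransfers(events) {
  return events.filter((e) => e.type === 'transfer').map((tr) => scoreTransfer(events, tr));
}

for (const r of scoreAllTransfers(SAMPLE_EVENTS)) console.log(r);
```

Run with Node: the routine transfer from the customer's usual device scores 0 and is allowed, while the transfer made from an unknown device shortly after an endpoint alert and a new-beneficiary event accumulates all three signals and is held for review. No single signal decides the outcome; the value is in the correlation across the session and the endpoint report.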

Again, intelligence is critical to IBM Security. In any battle, it is absolutely key to sustaining an edge. Not a single day passes at the company without a new discovery about one or more fraud groups. Fraudsters are extremely active and keep changing their tactics and tools. Building a network that could monitor this activity and react to it in a timely manner is a very big challenge, and it couldn’t have been done without the ongoing contribution of hundreds of banks and their fraud experts. Developers receive a vast amount of human and technology resources, and this wouldn’t have been possible without tens of millions of consumers running Trusteer Rapport on their computers — creating the biggest online fraud prevention network in the world.

IBM welcomes the contribution of the security research community, having established a white hat advisory board that enables researchers to contribute to the war against fraud and help protect the banks and their customers. Any security researcher willing to contribute is welcome to join. The firm also asks security researchers who encounter financial malware not covered by Trusteer Rapport to step forward, in exchange for the monetary rewards the company always offers.
