October 1, 2014 By Etay Maor 4 min read

In my last article, I discussed how cybercriminals defeat multifactor authentication. While different forms of authentication measures will continue to be used, we know today that advanced malware overcomes these by spoofing the victim’s behavior, proxying through the victim’s device or just downright asking the victim for his or her passwords using social-enginnering techniques.

Roughly 10 years ago, security vendors started working on solutions to the authentication issue and, thus, authentication risk engines were born. Today, there is a wide variety of risk engine flavors to choose from. Leading vendors offer what they call adaptive authentication platforms that offer multiple deployment models, integration options, application programming interfaces and management platforms that all have one very basic weakness: The solution was designed for the 2005 fraud threat landscape.

Today’s fraudsters have used a wide variety of tools and techniques to build all kinds of new fraud methods specifically intended to evade these adaptive solutions. The following is a look into how these risk engines are designed and the root cause for their failure in detecting today’s cybercriminals:

Why Statistical Models Are Failing

The three main issues with statistical-based risk engines are as follows:

  1. They increase investigation time and have an operational impact.
  2. They negatively impact the customer experience.
  3. Worst of all — and the root cause for the previous two issues — they provide inaccurate risk scores.

When statistical risk-based authentication models were introduced, they were based on the assumption that fraud could be prevented using simple authentication. This assumption allowed these products to identify a relatively high percentage of transactions as risky and perform elevated authentication for all of them. As threats have become more sophisticated and bypassing two-factor authentication has become common for cybercriminals, stopping fraud now requires more decisive action, such as putting the transaction on hold and manually reviewing high-risk and high-value transactions. Most traditional risk engines use a pure statistical model for risk scoring, such as Naïve Bayesian, Decision Trees and Neural Networks.

However, these statistical models rely heavily on device identification as their detection method. They lack visibility into risk factors and pre-login activity, such as the user visiting a phishing site or getting infected with advanced malware. They use a limited subset of the population and possible events as their learning platform and are designed to identify historical fraud tactics instead of protecting the account against the actual method of operation (modus operandi) used by the attacker.

The statistical models are inaccurate and operate in a predictive/pattern-based mode, tuned to generate alerts for a given percent of users. This results in a high rate of false positives and false negatives. Once this ratio is established, changes to the model are difficult and slow, constituting a significant barrier to rapid and effective handling in the evolving and constantly changing fraud landscape.

Cybercriminals Can Look Like Normal Users

Let’s take a look at one example where a traditional risk engine has little to no chance of detecting the cybercriminal’s attack.

Citadel malware has been around for several years. In addition to offering traditional Trojan tools such as a keylogger, screen scraper and HTML injection, Citadel also offers two very interesting modules: a Virtual Network Connection (VNC) option and a video-capturing option. The video-capturing option lets attackers make videos of the victim’s login process. Why would cybercriminals trouble themselves with making videos? This is a very easy way to learn about users’ behavior and how they interact with online banking sites. This allows cybercriminals to imitate and emulate victims’ behavior when trying to take over an account.

Combine the knowledge of how the user interacts with the website along with stolen credentials and the ability to proxy through the victim’s machine, and the attack is likely to be a success. The VNC module takes this idea a step further. The attacker can comfortably wait until a user has authenticated the online banking session, and as soon as the victim has entered his or her bank account, the cybercriminal VNCs into the targeted device (the user will see a message “from the bank” asking to pause for security reasons) and takes over the authenticated session using the victim’s machine.

This type of attack was so successful that new Citadel variants have a way to ensure VNC capabilities remain persistent on the targeted device even if the Citadel malware is removed, and the malware is also used to target enterprises and corporations as well as online banking victims.

Risk Engines: Is There a Better Way?

So what’s next? How can we fight back against the latest threats?

It seems that GameOver Zeus, Tinba, Gozi, Citadel and other types of Trojan malware are getting the best of us, so we need a new way to prevent these sophisticated attacks. An evidence-based criminal detection solution that is founded upon visibility to current threats, correlation of risk factors across multiple channels and attack vectors and the continuous research of future trends is the answer we need to combat the new world of Web fraud techniques.

By combining data from multiple account access points (such as online and mobile) along with additional threat detection systems (such as malware detection and phishing detection), an organization can benefit from a holistic solution that helps detect fraud across multiple vectors, devices and fraud techniques that may put the account at risk. This is all performed without burdening the end user with additional authentication requests while also minimizing false positive rates to assure the bank’s security team is not overloaded with investigating legitimate accesses.

Fraud teams are seeking a new approach to risk-based authentication solutions due to their typically inaccurate risk scores and their negative impact on both operations and end users. The next-generation approach to fraud prevention needs to use evidence-based fraud indicators to more accurately and effectively detect fraudulent transactions while improving the end-user experience and reducing the operational impact.

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today