In my last article, I discussed how cybercriminals defeat multifactor authentication. While different forms of authentication measures will continue to be used, we know today that advanced malware overcomes these by spoofing the victim’s behavior, proxying through the victim’s device or just downright asking the victim for his or her passwords using social-enginnering techniques.

Roughly 10 years ago, security vendors started working on solutions to the authentication issue and, thus, authentication risk engines were born. Today, there is a wide variety of risk engine flavors to choose from. Leading vendors offer what they call adaptive authentication platforms that offer multiple deployment models, integration options, application programming interfaces and management platforms that all have one very basic weakness: The solution was designed for the 2005 fraud threat landscape.

Today’s fraudsters have used a wide variety of tools and techniques to build all kinds of new fraud methods specifically intended to evade these adaptive solutions. The following is a look into how these risk engines are designed and the root cause for their failure in detecting today’s cybercriminals:

Why Statistical Models Are Failing

The three main issues with statistical-based risk engines are as follows:

  1. They increase investigation time and have an operational impact.
  2. They negatively impact the customer experience.
  3. Worst of all — and the root cause for the previous two issues — they provide inaccurate risk scores.

When statistical risk-based authentication models were introduced, they were based on the assumption that fraud could be prevented using simple authentication. This assumption allowed these products to identify a relatively high percentage of transactions as risky and perform elevated authentication for all of them. As threats have become more sophisticated and bypassing two-factor authentication has become common for cybercriminals, stopping fraud now requires more decisive action, such as putting the transaction on hold and manually reviewing high-risk and high-value transactions. Most traditional risk engines use a pure statistical model for risk scoring, such as Naïve Bayesian, Decision Trees and Neural Networks.

However, these statistical models rely heavily on device identification as their detection method. They lack visibility into risk factors and pre-login activity, such as the user visiting a phishing site or getting infected with advanced malware. They use a limited subset of the population and possible events as their learning platform and are designed to identify historical fraud tactics instead of protecting the account against the actual method of operation (modus operandi) used by the attacker.

The statistical models are inaccurate and operate in a predictive/pattern-based mode, tuned to generate alerts for a given percent of users. This results in a high rate of false positives and false negatives. Once this ratio is established, changes to the model are difficult and slow, constituting a significant barrier to rapid and effective handling in the evolving and constantly changing fraud landscape.

Cybercriminals Can Look Like Normal Users

Let’s take a look at one example where a traditional risk engine has little to no chance of detecting the cybercriminal’s attack.

Citadel malware has been around for several years. In addition to offering traditional Trojan tools such as a keylogger, screen scraper and HTML injection, Citadel also offers two very interesting modules: a Virtual Network Connection (VNC) option and a video-capturing option. The video-capturing option lets attackers make videos of the victim’s login process. Why would cybercriminals trouble themselves with making videos? This is a very easy way to learn about users’ behavior and how they interact with online banking sites. This allows cybercriminals to imitate and emulate victims’ behavior when trying to take over an account.

Combine the knowledge of how the user interacts with the website along with stolen credentials and the ability to proxy through the victim’s machine, and the attack is likely to be a success. The VNC module takes this idea a step further. The attacker can comfortably wait until a user has authenticated the online banking session, and as soon as the victim has entered his or her bank account, the cybercriminal VNCs into the targeted device (the user will see a message “from the bank” asking to pause for security reasons) and takes over the authenticated session using the victim’s machine.

This type of attack was so successful that new Citadel variants have a way to ensure VNC capabilities remain persistent on the targeted device even if the Citadel malware is removed, and the malware is also used to target enterprises and corporations as well as online banking victims.

Risk Engines: Is There a Better Way?

So what’s next? How can we fight back against the latest threats?

It seems that GameOver Zeus, Tinba, Gozi, Citadel and other types of Trojan malware are getting the best of us, so we need a new way to prevent these sophisticated attacks. An evidence-based criminal detection solution that is founded upon visibility to current threats, correlation of risk factors across multiple channels and attack vectors and the continuous research of future trends is the answer we need to combat the new world of Web fraud techniques.

By combining data from multiple account access points (such as online and mobile) along with additional threat detection systems (such as malware detection and phishing detection), an organization can benefit from a holistic solution that helps detect fraud across multiple vectors, devices and fraud techniques that may put the account at risk. This is all performed without burdening the end user with additional authentication requests while also minimizing false positive rates to assure the bank’s security team is not overloaded with investigating legitimate accesses.

Fraud teams are seeking a new approach to risk-based authentication solutions due to their typically inaccurate risk scores and their negative impact on both operations and end users. The next-generation approach to fraud prevention needs to use evidence-based fraud indicators to more accurately and effectively detect fraudulent transactions while improving the end-user experience and reducing the operational impact.

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

How Security Teams Combat Disinformation and Misinformation

“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…