Fraud Detection
Prevent hackers from performing fraudulent transactions after asking the victim to install a remote support tool.
Get in Touch Download WhitepaperThe Attack
"Fake Support" Calls
So-called "Fake Support" attacks target individuals and companies alike. The remote attacker, pretending to call in the name of a financial institution support, or a generic vendor support (e.g., Microsoft), asks the victim to install a remote controlling application (such as TeamViewer, AnyDesk, etc.). The victim is persuaded to follow the instructions from the attacker, as they seem to try to fix computer problems (which are typical) or checking if all is well following an update on the financial institution end. The attacker pretends to want to assist the victim in making sure that they can still access the e-banking portal and perform transactions.
Once the “test” transaction is submitted successfully, the attacker takes control of the victim's machine through the remote software, asks the victim to leave the computer on for a few minutes, and proceeds to perform a number of payments, typically to the same money mule account.
The Problem
Nothing suspicious detected by the fraud engine: the user manually approves a first transaction.
The attack is successful, for a number of reasons. First of all, the fraud detection engine of the financial service typically works on the following data points: IP addresses/location, Abnormal user behavior, Unknown recipients whitelisting. Second, unlike remote phishing attacks, or session hijacking attacks, this information is reported to the fraud engine.
IP Address
The usual victim's IP address/location, overall generating from known networks (the IP address is the victim's ISP address, and not the remote attacker's).
Abnormal User Behavior
The victim performs standard operations, such as entering a new payment and approving it when the step-up process is initialized, including performing the relevant MFA step.
Unknown Recipients Whitelisting
Following the first payment, the money mule account is whitelisted and, no additional steps are required for performing subsequent transactions to the money mule account.
Solution
Futurae has developed a JavaScript component (blitz.js) that can be installed in the financial services e-banking portal. Blitz will record anonymized user details and activity and submit them to the Futurae processing server. The server constantly feeds on the received information and uses a trained algorithm to detect if the interaction happening on the e-banking website is local or from a remote actor. The Futurae server feedbacks to the Blitz component in real time when an attack is detected, and internally logs suspicious activity.
Feedback Loop
The feedback loop can be performed backend to frontend (typically used during PoC), or backend to backend (typically used for production systems). Furthermore, the solution can also be integrated with existing fraud detection mechanisms already in use by the financial institution.
Backend to Backend
Backend to Frontend
blitz.js Operations
The blitz.js component needs to be embedded on the e-banking website pages and initialized with a random identifier, that persists throughout a user session. We refer to the technical documentation for a correct initialization and usage.
The JavaScript component will perform the following operations, reporting to the Futurae server:
- On initialization, it will report a browser fingerprint (when features are available): user agent, language, color depth, device memory, concurrency capabilities, screen resolution, time zone, storage capabilities, platform, plugins, webGL renderer, AdBlock, touch support, fonts.
- It will hook into the keypress and mouse movement events triggered by the user's browser, accumulate them in local storage, and report them in the following form:
- 'key up', 'key down', 'mouse movement', '<x,y> coordinates', timestamp
- Upon reporting, the local storage is cleared.
- Upon customer request, the Futurae server does not keep any log of the browser's IP address.
The Blitz JavaScript operations have been tested on a variety of browsers (Chrome, Firefox, Safari, Opera, Internet Explorer down to IE11). Incompatible browsers would fail gracefully, with no degradation on user's experience (and, clearly, no possibility of attack detection).
Server Operations
The Futurae servers analyze in real time the information captured and detect anomalies
The Futurae Server accepts incoming measurements only when properly authorized by a shared API key. For each session that is created, the server measures a variety of analytics and reports back through the feedback loop channel whether a remote user is interacting with the website.
The Futurae server does not store any sensitive user information or Personally identifiable information and is hosted on a FINMA-compliant Swiss cloud data center.
Blitz Detection Analysis
A visualization of two user sessions can be seen, as follows. First a legitimate session, second an attack session.
I want to learn more
Let's talk about your use case and how we can help
Futurae offers companies an AI-based, user-centric authentication suite that complies to the strictest regulatory and security guidelines
Guaranteed 99.9% Uptime
24/7 Support from our Security Experts
Data Securely Stored at the Heart of the Swiss Alps
Regular Penetration Testing and Highest Industry Standard Security Audits
© 2021 Futurae Technologies AG. All rights reserved.