Once upon a RAT: the story of Social RitB (RAT-in-the-Browser)
- Oren Kedem, VP Products
- Oct 12, 2015
- 2 min read
In the past few months, BioCatch researchers have identified a new variant of RAT-in-the-Browser (RitB) fraud attacks on online banking: Social RitB.
RitB – what is it?
RAT-in-the-Browser (RitB) attacks are themselves fairly new. In this attack the fraudster remotely takes over the user's device, accesses the online banking site through the user's standard browser and submits a fraudulent transaction.
Banks use traditional device fingerprinting to validate device reputation, assigning "risk" to new or known-bad devices and "trust" to the user's known devices. RitB sessions are always carried out by human operators remotely accessing the user's known, "trusted" device. As a result, these attacks remain undetected both by device fingerprinting and by man-in-the-browser (MitB) malware detection solutions.
In RitB attacks, remote access is achieved through new-generation financial malware such as Dyre, Dridex and Neverquest (in fact, no self-respecting financial malware today is released without this RAT functionality). To install the malware, fraudsters leverage standard infection mechanisms such as drive-by downloads.

Social RitB
This recent evolution, Social RitB, doesn't require the fraudster to lure the user to a site with embedded exploit code for infection, nor does it require developing or buying financial malware. Instead, fraudsters use social engineering to convince the user to install a standard remote support tool (e.g. Ammyy, UltraVNC, AeroAdmin, RemotePC) and then use that tool to perpetrate online banking fraud.
Investigations conducted by banks' fraud teams with Social RitB victims reveal the following modus operandi of the attacker:

[See Abbreviated Sample Attack Script above]
So what can users do to avoid this?
Ammyy, the vendor of a leading remote support tool, released the following official warning, which explains this attack and how to avoid falling victim to it:
"!!! If you receive a phone call claiming to be from 'Microsoft' or someone claiming to work on their behalf, telling you that you have a virus on your computer or some errors which they will help you to fix via Ammyy Admin, it is definitely a scam…
There also might be phone calls from people presenting themselves as internet service provider technicians or any other tech support specialists…
In case you receive such a phone call - hang up, do not let them have remote control access to your computer…
If you got scammed...
Turn off your Internet connection, then turn off the PC and call your bank to freeze all your bank accounts…"
And what should banks do?
Deploy fraud detection tools that can detect a RAT in action during the session, rather than relying on device reputation alone.