Skip to main content

Rats and RATs: How biometrics can 'exterminate' harmful hacks

There are some interesting parallels between one of the oldest scourges that plagues man, and one of the newest weapons used by cyber-criminals to steal money, passwords, and other resources off computers and mobile devices. Both are hard to catch, requiring special tools and methods to uncover – and while they are at large, they can cause untold damage to their victims.

For the vermin kind of rats, exterminators will set traps and use various methods to draw the offending creature into a compromising position (often easier said than done). For computer RATs, users often don't even know that they have a problem – and to help them, they need to rely on outside technology - like biometrics, a technology that allows banks, shopping sites, and others to “exterminate” the RAT exploits that seek to steal money and resources from their customers.

RATs – the acronym stands for Remote Administration Tools, but in the context of hacking they are often referred to as remote-access trojans – have been in the news (opens in new tab) lately, thanks to a widely-circulated photo of Mark Zuckerberg's laptop (opens in new tab), which shows the Facebook founder's computer webcam with a piece of tape over it. Why? Because of RATs; as numerous incidents in recent years have shown, hackers can get access to cameras (opens in new tab), microphones, data, apps, or anything else they want via remote access tools that users install, often voluntarily. A RAT, deposited on a system via a virus or trojan, can even turn off the green indicator light that usually goes on when a camera is active, so users will have no idea that they are being watched. Tape, it turns out, is the most effective weapon in battling camera-oriented RATs.

But, switching on your camera without you knowing is not the worst you can expect from a RAT. In what is known as a RAT-in-the-Browser (RitB) attack, hackers use a variety of infection methods, ranging from phishing email campaigns to website compromises to infectious banner ads or social network links, in order to launch an attack that gracefully combines malware, social engineering, and human interaction to accomplish its goal of separating victims from their money. In one scenario, the attacker installs evasive malware such as Dyre or Dridex. These nasty, highly advanced Trojans target many financial institutions and wait until the user attempts to log into their online banking site. Then they instantly redirect the user to a fake site that looks identical to the real online banking site, grabbing every piece of information the attacker needs to commit the fraud – including a user’s name, password, and any one-time-code sent to the user. They then use the freshly obtained data to remotely log in from the trusted victim’s device. Once in, they simply send as much money as they can from the account, at times double-defrauding the bank by first asking for a sizable loan and then wiring out even more.

In another scenario, known as the Social RAT or a Rogue Helpdesk scam, the attacker will call the victim, posing as the helpdesk of a trusted third party – either the bank, the Internet provider, or a big software company that many people use. They will explain that there is something wrong and offer to assist remotely. If you don’t know how remote assistance works, it’s rather easy: just google Team Viewer or LogmeIn which are used for remote assistance. Download the software, install it, and then configure it to grant the help desk remote access. That’s it! They can now run some tests on your computer and let you know once they’re done.

An amazingly high number of people fall for the attack; elderly victims and young adults are twice as likely to fall for the scam than people aged 25 to 65 years old. There are multiple cover stories with varying degrees of effectiveness, and lots of ways to actually commit the fraud. There are also hybrid attack scenarios where the fraudster first installs a basic, free-to-use Trojan that, when triggered by the user going to the bank’s login page, presents the “bank's” phone number which the user needs to urgently call for service. The number, of course, connects to the cyber-crooks' lair, with the victim instructed again to install the remote access tool (Teamviewer, LogMeIn, etc.) to allow a bank “employee” to see why they can't connect. Once inside, the hacker has the victim log into their account – capturing the information, which will be later used to empty their account.

After that happens, the customer will of course call up the real bank, only to be told that they were fooled, and that there is little that can be done at this point. Most retail banks refund users who fall for such scams, but some claim it’s a degree of gullibility they don’t want or need to support. Corporate users and small businesses are normally completely exposed, and the bank will rarely compensate them for their losses – unless they wish to avoid the publicity. Police or bank investigators may or may not try to trace where the money went – but probably won't, because they know that the money has been bounced around the Internet, and following the spoofed IP addresses and permutations of connections is an impossible to resolve morass.

There's little a customer can do. Deploying common sense is always a good advice, but fraudsters are old hands in coming up with new and clever tricks. But there is much the bank can do, and the novel technology of behavioural biometrics can help them do it. Banks can automatically detect if the person on the other side of the computer screen is really whom they claim to be.

Biometrics, of course, is the science of measuring human behaviour characteristics. With a biometric system in place, for example, offices and factories can dispense of entry cards (which can be lost or forged), relying on gestures, thumbprints, or other characteristics to identify people. Since each individual's “secret sauce” is different, there's little chance that an imposter will be able to get into the facility posing as a legitimate employee.

Behavioural biometric technology does the same thing, only remotely. The system is able to verify identities by analysing a number of different factors - including press-size, hand tremor and eye-hand coordination of users, combined with behavioural traits, such as usage preferences. The data goes towards establishing a "cognitive DNA,” enabling the site to understand who it is interacting with – and automatically interdicting that transaction if the user's biometric and usage behaviour does not match the user profile. With each attempted malware attack, the system captures even more behavioural information that helps identify and defend against new threats, ensuring that protection is as up-to-date as possible.

With a system like this, sites can help protect users that interact with them, and trust them with their money, credit, reputation, and other assets. Companies demand loyalty from customers, and seek to ensure that they stay within “the family” - but family watches out for each other.

Instituting a biometric analysis system that can help prevent users become victims of RAT hackers is something they owe their customers.

Uri Rivner, Head of Cyber Strategy at BioCatch (opens in new tab)

Image source: Shutterstock/Carlos Amarillo