Online Fraud Prevention Requires End-to-End Application Integrity

Online fraud is on the rise across all industries. For example, in 2017 banking trojans increased  77% year over year and the figures for 2018 already show similar trends. It is expected that malware-based attacks will continue to increase with the wider adoption of digital payments and application based mobile banking.

Today advanced attacks to online services are becoming more and more sophisticated and leverage new techniques and attack vectors that enable fraudsters to easily attack the targeted service o the user side, that is by infecting end-user devices, what are known as “endpoints.” Consequently, endpoints represent today the weakest link in the information security chain and the target for cybercriminals seeking sensitive payment and user data to feed online fraudsters.

According to another recent survey,  only 38% of security executives said they have high confidence in having the right tools and skills to fight fraud and 71% having plans to invest in anti-fraud technologies. Indeed, one of the main factors behind the growing issue of online fraud is the failure of traditional approaches against targeted attacks to online services.

The figure below illustrates the chain of events that occur in a typical advanced attack where a user endpoint is infected and becomes part of the fraudster botnet, thus allowing fraudsters to collect user profile and transaction information and steal authorization credentials, until they can execute the fraud and disappear back into the ether.

The specific attack technique and vectors used may vary. Sometimes, it involves leveraging a remote access trojan (RAT)-in-the-browser to remotely access the endpoint and issue a brand-new transaction from the user endpoint itself by leveraging stolen legitimate user credentials and closely mimicking normal user behavior. In other cases, it involves leveraging a local-proxy acting as a Man-In-the-Middle and modifying real end-user transactions on-the-fly (e.g. modifying the IBAN reference of the external account money is transferred to) while making these users believe they have correctly performed their intended transactions. Whatever is the specific attack technique and vector, today advanced attacks completely bypass transaction monitoring and user behaviour analysis.

These advanced attacks also defeat most of malware detection solutions, whether installed by users on their endpoints, as it is the case of anti-virus (AV) software, via Endpoint Protection Platform solutions or delivered clientlessly as part of the provided service. Solutions based on signatures and pattern-patching technology are not effective anymore against targeted malware that have been crafted for a specific application or polymorphic malware that is designed to prevent detection by changing overtime. This is also testified by the constant growth of web and mobile malware variants  by 88% and 54% year over year, respectively, according to the latest reports.

The key missing capability of most fraud management solutions against targeted attacks is the ability to validate the integrity of the application from end to end. In all these kinds of advanced attacks some malicious code is injected into the content delivered by the application, thus compromising the integrity of the application at the endpoint. This usually happens in the early phases of the attack campaign, while the fraudster is still crafting the targeted attack. Unfortunately, since these initial signs of compromise usually go undetected, the attack will be in full swing before the malware is identified (if ever). Even if signatures and matching rules are implemented at some point, by then the malware will have changed to escape detection. Moreover, these attack campaigns usually leverage multiple sets of infected endpoints (i.e. botnets), to replace those blacklisted by anti-fraud teams as being compromised.

Consequently, anti-fraud teams today face massive attack campaigns with their fraud detection systems either failing to flag transactions as high-risk or becoming overwhelmed by too many open incidents and endpoints that could be potentially compromised. In either case, they completely lack visibility into the attacker’s tactics, techniques and procedures (TTP) or the user experience under attack that would help them to improve their security posture.

Cleafy, where I work, approaches this problem in a different way. Cleafy’s approach is based on continuously monitoring the application traffic and assessing in real-time the risk associated with each user session, even before the authentication or transaction phase. Thanks to its patented threat detection and protection technology, Cleafy verifies in real-time the integrity of the application end-to-end and prevents any application tampering on unmanaged web and mobile endpoints. Cleafy is clientless, does not impacts the application backend and does not require any change to managed applications, so it can be easily deployed with no impact on either end-users and delivered service. It can also be easily integrated with any already deployed component of the fraud management system, such as Transaction Monitors or SIEMs, for example to contribute to a more comprehensive Transactional Risk Analysis, as required by PSD2 regulation.

Our solution has been successfully adopted by leading corporate and retail banks for preventing online frauds while minimizing false positives. By providing real-time threat detection since the early phases and predictive visibility on attack campaigns, Cleafy has also been demonstrated its benefits also in supporting investigations and forensic analysis, prioritizing actions against higher risk campaigns and helping security teams in improving their security posture.

To read more about Cleafy, go to our website.