Fraud Detection

Prevent attackers from performing fraudulent transactions after they have persuaded the victim to install a remote support tool.


The Attack

"Fake Support" Calls

So-called "Fake Support" attacks target individuals and companies alike. The remote attacker, pretending to call on behalf of a financial institution's support desk or a generic vendor's support (e.g., Microsoft), asks the victim to install a remote control application (such as TeamViewer, AnyDesk, etc.). The victim is persuaded to follow the attacker's instructions, since the attacker appears to be fixing (typical) computer problems or checking that all is well after an update on the financial institution's side. The attacker pretends to want to assist the victim in making sure that they can still access the e-banking portal and perform transactions.

Once the “test” transaction is submitted successfully, the attacker takes control of the victim's machine through the remote software, asks the victim to leave the computer on for a few minutes, and proceeds to perform a number of payments, typically to the same money mule account.

The Problem

Nothing suspicious is detected by the fraud engine: the user manually approves the first transaction.

The attack succeeds for a number of reasons. First of all, the fraud detection engine of the financial service typically works on the following data points: IP address/location, abnormal user behavior, and whitelisting of unknown recipients. Second, unlike in remote phishing or session hijacking attacks, this information is reported to the fraud engine from the victim's own device and session, so it looks legitimate.

  • IP Address

    The victim's usual IP address and location, originating from known networks (the IP address belongs to the victim's ISP, not to the remote attacker).

  • Abnormal User Behavior

    The victim performs standard operations, such as entering a new payment and approving it when the step-up process is triggered, including performing the relevant MFA step.

  • Unknown Recipients Whitelisting

    Following the first payment, the money mule account is whitelisted and no additional steps are required for subsequent transactions to it.

Feedback Loop

The feedback loop can be implemented backend to frontend (typically used during a PoC) or backend to backend (typically used for production systems). The solution can also be integrated with fraud detection mechanisms already in use by the financial institution.

Backend to Backend

Backend to Frontend

Blitz.js Anti-fraud Solution

blitz.js Operations

The blitz.js component needs to be embedded in the e-banking website pages and initialized with a random identifier that persists throughout a user session. Refer to the technical documentation for correct initialization and usage.

The JavaScript component will perform the following operations, reporting to the Futurae server:

  • On initialization, it will report a browser fingerprint (when features are available): user agent, language, color depth, device memory, concurrency capabilities, screen resolution, time zone, storage capabilities, platform, plugins, webGL renderer, AdBlock, touch support, fonts.
  • It will hook into the keypress and mouse movement events triggered in the user's browser, accumulate them in local storage, and report them in the following form:
    • 'key up', 'key down', 'mouse movement', '<x,y> coordinates', timestamp
  • Upon reporting, the local storage is cleared.
  • Upon customer request, the Futurae server does not keep any log of the browser's IP address.
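One way the event collection described above could be implemented, as an added example that is not Futurae's blitz.js code; the storage key, report endpoint, 2 s flush interval and session-id handling are assumptions:

```javascript
// Added example, not Futurae's own blitz.js: buffers keyboard and mouse events in
// the form the page describes and hands them off as one report per flush.
// STORAGE_KEY, REPORT_URL and the 2 s flush interval are assumed values.
const STORAGE_KEY = 'blitz_events';
const REPORT_URL = 'https://example.invalid/report'; // placeholder endpoint

// Thin wrapper over any localStorage-like backing (getItem/setItem/removeItem).
function makeStore(backing) {
  return {
    get: () => JSON.parse(backing.getItem(STORAGE_KEY) || '[]'),
    set: (arr) => backing.setItem(STORAGE_KEY, JSON.stringify(arr)),
    clear: () => backing.removeItem(STORAGE_KEY),
  };
}

// Map a DOM event onto the record form: kind, pointer position, timestamp only.
function fromDomEvent(ev, ts) {
  switch (ev.type) {
    case 'keyup': return { type: 'key up', x: null, y: null, t: ts };
    case 'keydown': return { type: 'key down', x: null, y: null, t: ts }; // no key value captured
    case 'mousemove': return { type: 'mouse movement', x: ev.clientX, y: ev.clientY, t: ts };
    default: return null; // anything else is not collected
  }
}

// Append one record to local storage; returns the buffered count.
function recordEvent(store, rec) {
  const events = store.get();
  events.push(rec);
  store.set(events);
  return events.length;
}

// Build the report for this session and clear local storage, as the page states.
function buildReport(store, sessionId) {
  const events = store.get();
  store.clear();
  return { sessionId, events };
}

// Browser wiring (skipped without a window): per-tab-session random id, hooks, flush.
if (typeof window !== 'undefined') {
  const sid = sessionStorage.getItem('blitz_sid') || crypto.randomUUID();
  sessionStorage.setItem('blitz_sid', sid);
  const store = makeStore(window.localStorage);
  const hook = (ev) => { const r = fromDomEvent(ev, Date.now()); if (r) recordEvent(store, r); };
  ['keyup', 'keydown', 'mousemove'].forEach((t) => window.addEventListener(t, hook));
  setInterval(() => fetch(REPORT_URL, { method: 'POST', keepalive: true,
    body: JSON.stringify(buildReport(store, sid)) }), 2000);
}
```

Only timing and pointer coordinates are buffered, so the report carries no typed content.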

The Blitz JavaScript operations have been tested on a variety of browsers (Chrome, Firefox, Safari, Opera, and Internet Explorer down to IE11). Incompatible browsers fail gracefully, with no degradation of the user's experience (and, clearly, no possibility of attack detection).

Server Operations

The Futurae servers analyze the captured information in real time and detect anomalies.

The Futurae Server accepts incoming measurements only when properly authorized by a shared API key. For each session that is created, the server computes a variety of analytics and reports back through the feedback loop channel whether a remote user is interacting with the website.

The Futurae server does not store any sensitive user information or personally identifiable information (PII) and is hosted in a FINMA-compliant Swiss cloud data center.

Fraud Detection ML Analysis AI

Blitz Detection Analysis

A visualization of two user sessions follows: first a legitimate session, then an attack session.

Ready to Get Started?

Try the Futurae Authentication Suite today - 3 months for free.