Whether it’s preventing friction that can lead to customer dropoffs, strengthening authentication through the use of two-factor authentication or securing remote workers, the ability to detect trusted user devices is a necessary capability for businesses today. But as more accounts are tied to users’ devices, they become increasingly attractive targets for a type of attack known as device takeover.
By hacking into legitimate users’ trusted devices, fraudsters can gain the keys to their victims’ kingdom, making it all the more imperative for businesses to understand and guard against device takeover attacks. In this blog post, we will delve into what device takeover attacks are, the reasons for their rising threat, how they are executed, and most importantly, how businesses can detect and prevent these attacks.
Device takeover is a type of attack where hackers gain remote access to the victim’s device, typically by exploiting a remote desktop connection (RDC). By hacking into users’ devices, attackers gain unauthorized access to the victim’s online accounts (such as email or bank account) to commit account takeover and other malicious activities.
By hiding behind the “real” identity of legitimate users, attackers can leverage their victims’ good reputations to bypass fraud prevention systems that rely on common elements of risk and trust detection, like known devices and IP.
This enables attackers to steal users’ data, lock users out of accounts and execute other attacks even without authenticating as the user. With device takeover, attackers can even bypass multi-factor and passwordless authentication, as well as step-up protections designed to mitigate fraud throughout the user journey.
The past few years have seen increased demand for the use of remote desktop services as a way to improve customer service with faster and more customized IT support. But the prevalence of these tools has also given fraudsters a new attack vector to exploit, leading to a rise in device takeover attacks.
In a public service announcement published by the US FBI Internet Crime Complaint Center (IC3), the FBI warns companies about the dangers of leaving RDP endpoints exposed online, as reported in ZDNET. Over the past year, device takeover marketplaces have also arisen on the dark web — enabling fraudsters to trade breached devices using cryptocurrencies.
Two of the most common tactics used to execute device takeover attacks are using social engineering to get users to voluntarily install RDCs or installing a type of malware known as a remote access trojan (RAT) without the user’s knowledge.
Just as RDCs can be used by businesses to remotely provide technical support to customers and employees, attackers can use these legitimate tools to trick users into giving them control over their devices. This is often done through social engineering — a type of attack where fraudsters gain the trust of users to enlist their help in circumventing security protocols.
Attackers typically gain users’ trust by posing as reputable sources, using techniques such as:
For example, in the case of vishing, the attacker may call the victim, posing as technical support, and convince them to download a legitimate remote access program, such as TeamViewer, AnyDesk, LogMeIn, or GoToAssist, designed for help desk support and troubleshooting. Once the program is installed, the attacker can act on behalf of the user after authentication, enabling a range of fraudulent activities.
In addition to account access, device takeover provides an added bonus to attackers: they gain access to all the files stored on their victim’s device. This may include scanned ID cards, documents, photos and videos, which can be leveraged to commit identity theft.
Another way that attackers can gain control over end users’ devices is by using a type of malware known as a remote access trojan (RAT). Once the RAT is running on the infected desktop or mobile device, the attacker can send it commands and receive data in response.
Unlike RDCs, RATs aren’t legitimate remote access programs and are installed without the user’s knowledge. This malware makes its way onto victims’ devices through specially crafted email attachments, macros in Office tools, web links, download packages or torrent files. Attackers may trick their victims into installing RATs by masquerading as legitimate applications or even install it themselves by gaining temporary physical access to the desired device.
Device takeover poses a significant threat to businesses, but it can be detected. Using the techniques below, fraud analysts and security teams can determine whether actions taken by a user’s device were performed by the user or a remote — and potentially malicious — actor.
The Remote Desktop Protocol (RDP), is usually based on User Datagram Protocol (UDP), which provides a connectionless, unreliable and low-overhead transmission of datagrams or packets over a network. As a result, packets are discarded and lost over the connection regardless of whether the access is gained using a remote access program or a RAT. Because of this, processes performed remotely via RDP will involve fewer mouse or touchscreen movements.
Based on this hypothesis, Transmit Security Research Labs developed a technique to detect device takeover based on the frequency of these movements. During our research, we witnessed an event rate that is almost an order of magnitude lower in RDP compared to normal local desktops.
In the image below, you can see the mouse movement frequency for a local desktop.
And here you can see the mouse movement frequency for RDP.
This image shows the touch movement frequency for a normal mobile device:
And here is the touch movement frequency for mobile RDC:
With this knowledge, we have developed a detection mechanism that can identify RDC using mouse and touch movement frequency.
Within the Internet Protocol (IP), ports are numbered addresses for network traffic used in combination with IP addresses to facilitate network communication. Different kinds of services use different ports by default. Common ports for remote desktop connections are 3389 and 5938.
Port mapping, a process that redirects network traffic from one IP address and port combination to another, provides information that can be used to identify which open ports are being used. This can help identify whether an action was performed using a remote desktop connection by determining whether RDP traffic is being sent to a specific device or server.
However, this information alone may not be enough to catch a clever attacker. Fraudsters who are aware of port mapping may avoid using common ports for remote desktop connections in order to avoid detection. To handle these evasive tactics, we maintain a port reputation mechanism that identifies suspicious open ports. This includes scanning and detection of open ports through network analysis, building port reputation maps and continuously evaluating maps in order to detect RDP attacks in real time.
With device takeover on the rise, what used to be a premium attack vector has become common and regularly used. To mitigate these attacks, businesses must avail themselves of advanced detection techniques, such as analyzing user behaviors to determine movement frequency and identify remote desktop ports.
In the Transmit Security Research Labs, our in-house research team has worked to develop these and other state-of-the-art mechanisms to detect device takeover attacks and will continue our research to map new techniques and cover additional platforms. By implementing these methods within our Detection and Response Services, we can continue to strengthen our protection against device takeover.
For more information on Detection and Response, check out our service brief or read our case study on how a leading US bank leveraged our services to gain a 1300% return on investment by detecting risk, trust, fraud, bots and behavior in their applications.