The goal of the project was to prevent "fake technical support" attacks, in which an attacker phones the victim claiming to represent a financial institution and to offer technical support. The remote attacker asks the victim to install a remote control tool (such as TeamViewer). The victim is convinced to follow the attacker's instructions, which usually involve the payment of a small amount. Once that transaction is made, the attacker takes control of the user's machine and proceeds to make further payments to the same money mule account. Such attacks are hard to detect, as the first transaction is approved by the user and the user's behaviour during that transaction appears normal.
Futurae's solution is a JavaScript component (blitz.js) that is embedded in the financial institution's e-banking portal. Blitz records user activity (such as mouse movement and key press events) and looks for anomalies in the user's behaviour. For the anomaly detection, we train an ensemble of CNN-LSTM models on augmented user data and real attacks. This approach gives us very good recall in differentiating local user interactions from interactions driven by a remote attacker.
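As an added illustration of the telemetry side of such a design (example code, not blitz.js itself), the following JavaScript buffers mouse-move and key events and turns them into fixed-length feature windows that a sequence model like the CNN-LSTM ensemble could consume; the feature set, the window size and the demo event path are assumptions made for this illustration.

```javascript
// Added example, not Futurae's blitz.js: minimal behavioural-telemetry recorder.
const WINDOW_SIZE = 8;     // events per feature window (assumed)
const MAX_BUFFER = 10000;  // cap retained events to bound memory

// One feature row per event: [dt_ms, dx, dy, speed_px_per_ms, is_key].
// Key events contribute timing only; the key value itself is never recorded.
function featurize(events) {
  const rows = [];
  for (let i = 0; i < events.length; i++) {
    const ev = events[i];
    const prev = i > 0 ? events[i - 1] : null;
    const dt = prev ? ev.t - prev.t : 0;
    const bothMouse = !!prev && ev.type === 'mouse' && prev.type === 'mouse';
    const dx = bothMouse ? ev.x - prev.x : 0;
    const dy = bothMouse ? ev.y - prev.y : 0;
    const speed = dt > 0 ? Math.hypot(dx, dy) / dt : 0;
    rows.push([dt, dx, dy, speed, ev.type === 'key' ? 1 : 0]);
  }
  return rows;
}

// Split feature rows into non-overlapping windows; a trailing partial window is dropped.
function windows(rows, size = WINDOW_SIZE) {
  const out = [];
  for (let i = 0; i + size <= rows.length; i += size) out.push(rows.slice(i, i + size));
  return out;
}

// Recorder: buffers raw events; attach() wires DOM listeners when run in a browser.
function createRecorder() {
  const buf = [];
  const push = (ev) => { if (buf.length < MAX_BUFFER) buf.push(ev); };
  return {
    onMouse(x, y, t) { push({ type: 'mouse', x, y, t }); },
    onKey(t) { push({ type: 'key', t }); },
    attach(target) {
      target.addEventListener('mousemove', (e) => this.onMouse(e.clientX, e.clientY, e.timeStamp));
      target.addEventListener('keydown', (e) => this.onKey(e.timeStamp));
    },
    batch() { return windows(featurize(buf)); },  // windows ready to send to the model
  };
}

// Constructed sample: a short synthetic mouse path at ~60 Hz plus two key presses.
const demo = createRecorder();
for (let i = 0; i < 8; i++) demo.onMouse(100 + 10 * i, 200 + 5 * i, i * 16);
demo.onKey(140);
demo.onKey(220);
const demoBatch = demo.batch();  // one full window of 8 rows; 2 trailing rows dropped
```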