Cyberheist Snippet 4: More on Trusteer Rapport



As we mentioned in Cyberheist Snippets 1, 2, and 3, we're working on a book here at KnowBe4.com, and it features Cyberheist as the first word in its title. Here's a fourth snippet from the book, this one taken from Chapter 14, "Managing Online Banking Security Issues." It digs into the browser add-in software from Trusteer called Rapport, which is designed specifically to address phishing attacks, especially those that might lead to fraudulent funds transfers.





(Screenshot caption: You must register with the site to download Rapport)





Trusteer Rapport works by acting upon a PC’s runtime environment whenever users access any designated websites. This means that the software kicks in only when a user accesses an online banking, brokerage, or other online financial services site. At that point, Rapport steps in to block local behaviors that might compromise online security.

Here’s a list of things that Rapport does to prevent security breaches or lapses that might aid data harvesting and support phishing attacks:



  • Keyloggers and Screencaps: Keylogger Trojans record keystrokes or make screen captures whenever specific activity occurs on their host systems. Financial activity of any kind will usually trigger this behavior. Rapport blocks such behavior, and alerts users if it occurs while they are visiting a Rapport-protected site. (There’s a server-side piece to this software, too, that protects the other side of online banking interactions.) Rapport also encrypts keyboard data before it hits the network. This enforces local security on the PC, and prevents keylogging, before keystrokes are handed off to SSL.


  • Man-in-the-middle or Redirection Attacks: Rapport uses delivery confirmation for financial (or Rapport-protected) websites. This prevents attackers from mounting man-in-the-middle attacks, hijacking existing online banking sessions, bogus redirection, and other phishing techniques. Rapport succeeds in verifying that the site a user wishes to access is actually being accessed, and none other.


  • Phishing and social engineering scams: Rapport tags all sensitive user data and associates it with legitimate sites where it may safely and properly be used. Any time the software detects use of such information for another site, it halts communication and warns the user. Only if the user specifically allows such use, will that tagged information be sent to other sites.
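The third bullet describes a policy mechanism: sensitive data is tagged, each tag is bound to the sites where it may be used, and a submission that would send tagged data anywhere else is halted unless the user explicitly allows it. The following Python is an added illustration of that idea and is not Rapport's code; the policy table, field names and hostnames are constructed for the example, and the real product's data model is not known from this page.

```python
from urllib.parse import urlsplit

# Constructed policy table: each tagged piece of sensitive data is bound to the
# hostnames where it may legitimately be submitted. The names are placeholders
# invented for this example, not Rapport's own data model.
TAGGED_DATA = {
    "bank_password": {"online.examplebank.test"},
    "brokerage_pin": {"trade.examplebroker.test"},
}


def host_of(url):
    """Return the lowercase hostname of a URL, without any port or credentials."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower()


def check_submission(url, field_names, user_allowed=False):
    """Decide whether a form submission carrying the given field names may go to url.

    Returns (action, violations): action is "allow", "block" or
    "allow-by-user-override"; violations lists the tagged fields that the
    destination host is not associated with.
    """
    host = host_of(url)
    violations = sorted(
        name for name in field_names
        if name in TAGGED_DATA and host not in TAGGED_DATA[name]
    )
    if not violations:
        return "allow", []
    # Tagged data is headed for a site it is not associated with: halt the
    # communication unless the user has explicitly approved this destination.
    if user_allowed:
        return "allow-by-user-override", violations
    return "block", violations


if __name__ == "__main__":
    # Constructed submissions, including a look-alike host that merely contains
    # the legitimate name as a prefix; exact host matching rejects it.
    samples = [
        ("https://online.examplebank.test/login", ["username", "bank_password"]),
        ("https://online.examplebank.test.evil.test/login", ["username", "bank_password"]),
        ("http://trade.examplebroker.test:8443/pin", ["brokerage_pin"]),
        ("https://newsletter.test/signup", ["email"]),
    ]
    for url, fields in samples:
        print(url, "->", check_submission(url, fields))
```

The check compares the full hostname rather than looking for the bank's name as a substring, which is what makes the look-alike host in the sample fall through to "block"; the user-override path models the last sentence of the bullet, where tagged data goes to another site only when the user specifically allows it.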




Rapport sounds pretty good to most users, and to a lot of banks. As we write this chapter, it’s been downloaded nearly 19 million times. The server side of its software is becoming more standard at online banking sites as well.

The combination of a Rapport client on the user side, along with Rapport server software at the online banking or financial services site appears to offer the best hope for foiling fraudulent funds transfers available today. We can only hope that Rapport becomes more widespread. We also hope that more banks start providing Rapport’s client to work with their Rapport-enhanced server installations.

There are some downsides to working with Rapport, however. It does restrict the functionality of the user desktop while a Web browser is running. (That’s most of the time that people use their computers nowadays.) Rapport can also slow Internet access because of the extra layers of software it uses to provide additional security.

We recommend that those who use Rapport set up a special, limited access user account strictly for online banking. Then they need to install Rapport only for that account. The security trick is to make sure all online banking activity occurs only when logged into that account, and at no other time. All other work can go on unhindered by Rapport in some other account. Rapport will provide those very hindrances by design when online banking is underway — just when you want them to prevent any kind of questionable activity!



Definitions: Man-in-the-middle, bogus redirection, session hijacking

A man-in-the-middle attack involves intercepting traffic in both directions for an ongoing connection, then relaying all data sent and received between the two parties. The proverbial man in the middle (the attacker) can record, read, or even alter the contents of that traffic. Such attacks are easily foiled by address verification because both sides must interact with the attacker, rather than each other, for this attack to work.

Bogus redirection captures traffic addressed to a legitimate site, and sends (redirects) it to a different site instead. Some malware does automatic redirection to fool users into thinking they're interacting with a valid and legitimate site, rather than a malicious one. Here again, address verification easily foils this attack.

Session hijacking is an attack method that captures the attributes of a session from one of the parties involved (usually the client or user end). It then takes over (hijacks) the session from the legitimate user. The attacker keeps the session going, and impersonates the user. That user usually blames an Internet hiccup for an apparently lost or broken session and simply reconnects through another session. Ongoing connection validation is needed to detect hijacking. Rapport also supports this capability and breaks any hijacked sessions within seconds of such an attack.
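The session hijacking definition ends on the point that ongoing connection validation is needed to detect the takeover and break the session. The Python below is an added example of one common server-side form of that validation, not Rapport's implementation (this page does not say how Rapport validates connections): each session is bound at creation to a keyed fingerprint of client attributes (here, constructed choices: source IP and User-Agent), every later request is re-checked against it, and a mismatch terminates the session. The request log is constructed for the example.

```python
import hashlib
import hmac
import secrets


def client_fingerprint(key, client_ip, user_agent):
    """Keyed HMAC of the client attributes the session is bound to (constructed
    choice: source IP and User-Agent). The key keeps the value unforgeable for
    anyone who only sees stored fingerprints."""
    material = f"{client_ip}\n{user_agent}".encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side session table that re-validates the client on every request."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.sessions = {}  # session id -> {"user": ..., "fingerprint": ...}

    def create(self, user, client_ip, user_agent):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user": user,
            "fingerprint": client_fingerprint(self.key, client_ip, user_agent),
        }
        return sid

    def validate(self, sid, client_ip, user_agent):
        """Return (ok, reason). A session presented from a client whose bound
        attributes no longer match is treated as hijacked and terminated."""
        entry = self.sessions.get(sid)
        if entry is None:
            return False, "unknown-or-terminated-session"
        presented = client_fingerprint(self.key, client_ip, user_agent)
        if not hmac.compare_digest(entry["fingerprint"], presented):
            del self.sessions[sid]  # break the session for everyone holding the id
            return False, "hijack-suspected"
        return True, "ok"


def replay_requests(store, requests):
    """Run a sequence of (sid, ip, user_agent) requests and return the decisions."""
    return [store.validate(sid, ip, ua) for sid, ip, ua in requests]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "198.51.100.7", "Mozilla/5.0 (constructed)")
    # Constructed request log: two legitimate requests, then the same session id
    # presented from a different client, then the real user trying again.
    log = [
        (sid, "198.51.100.7", "Mozilla/5.0 (constructed)"),
        (sid, "198.51.100.7", "Mozilla/5.0 (constructed)"),
        (sid, "203.0.113.9", "curl/8.0 (constructed)"),
        (sid, "198.51.100.7", "Mozilla/5.0 (constructed)"),
    ]
    for decision in replay_requests(store, log):
        print(decision)
```

Two consequences match the text: the fourth request shows that breaking the session also logs out the legitimate user, who then has to reconnect, and the check is only a detection heuristic, since a captured session presented from a client that reproduces the bound attributes exactly would pass. Binding to more attributes raises the bar but also raises false positives for users whose address changes mid-session.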



Stu Sjouwerman



KnowBe4
