Cybercriminals are getting smarter and using RDP connections to cloak themselves from threat detection systems. Does that make device fingerprinting useless?
Committing Fraud With RDP Connections - Does Device Fingerprinting Work?
Cybercriminals use VPNs and residential proxies to hide their identity. This isn’t a well-kept secret. VPNs and residential proxies are great tools for fraudsters to hide behind, and they are complicated technologies for any business with an online presence to mitigate. But, what’s worse than criminals hiding behind a VPN connection? Criminals that conceal their identity with an RDP connection.
Keep reading if you haven’t heard why cybercriminals use RDP connections to commit fraud. Hint: This article has nothing to do with tech support scams.
What is RDP?
RDP is a protocol for accessing and controlling a remote machine running the Windows OS. Other operating systems can also use RDP, but its primary use nowadays is remotely controlling a Windows computer for tasks that require HEDs (e.g., using a workstation remotely for CAD or 3D modeling) or administering Windows-based servers.
Anyone who’s worked in a corporate environment is probably familiar with RDP or a tool like it. Help desk techs commonly use tools similar to RDP, like Daemon Tools or TeamViewer, to help end-users fix computer problems. These tools let tech support agents remotely control a computer as if they were sitting in front of it.
So, that gives you an idea of how RDP works.
Why is RDP used for fraud?
I’d bet money that you’re thinking of tech support scams, right? Those support scams are so common they’ve already cycled out of the local news. By the time a cybercrime trend hits the local news, it’s typically weeks out of date.
RDP Connections and Residential Proxies: A Device Fingerprinting Nightmare
While tech support scams are annoying, RDP is used for fraud in a more sinister way. One of the side benefits of using an RDP connection for credit card fraud is that the RDP connection can help bypass fraud detection systems.
How Do Fraud Detection Systems Work?
Many fraud detection systems use device fingerprinting tools, KYC data, and payment history data to catch illegal activities like fraudulent transactions or affiliate fraud. Each fraud prevention solution is typically implemented at a different point in the customer journey.
Device fingerprinting is typically implemented on the customer-facing website or front-end services. Businesses use device fingerprinting to identify individual devices in the same way that a user ID or email address identifies a specific individual. Device-specific IDs help track duplicate accounts, build heuristic rulesets for identifying cloaked devices, and much more.
KYC data helps businesses understand and verify who a customer is. Banks and loan services use KYC data to demonstrate that their customer is a worthwhile risk to lend money to and verify their customer isn’t committing identity theft or loan fraud.
Payment processors (e.g., Stripe) and merchant service networks (e.g., Chase for Business) use payment history data to look for things like purchasing trends for individuals, a history of chargebacks, etc.
How do RDP Connections Bypass Fraud Detection Systems?
Information systems engineers and cybersecurity experts aren’t the only ones doing SecOps. The reconnaissance phase of the cyber kill chain is universal among cybercriminals, too, and it’s not limited to elite criminal groups. Even low-end credit card thieves do recon work.
When a cybercriminal uses an RDP connection to commit fraud, they do their research and pick a setup that mimics their victim.
Think about it this way. A typical customer for a B2C E-commerce business is likely to:
Use a residential ISP or mobile device connection
Use a connection near their home or place of business
Use versions of a modern OS like Windows, Mac OS, Android or iOS
Use versions of a modern, common browser like Chrome, Safari, or Firefox
Cybercriminals pick targets for which they can match those traits. For example, if John Doe’s credit card was stolen in a data breach, a cybercriminal will try to find a proxy or VPN connection that exits near where John Doe lives and use a modern OS and browser for the fraudulent activity.
Fraud detection systems such as device fingerprinting can detect VPN or proxy usage, and device fingerprinting tools are good at detecting bots, too. But fraud detection systems only work if the attacker produces the kind of signal the detection systems are built to pick up.
This is why RDP connections have become a popular tool with fraudsters. Credit card thieves and other cybercriminals use RDP connections to hide their device’s identity. Device fingerprinting tools will fingerprint the computer being remotely controlled and not the attacker’s real machine. Since the computer being remotely controlled is most likely a common device (like a laptop running Windows 11 Home) using an up-to-date browser on a residential connection, it doesn’t appear suspicious to a business.
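As an added illustration (not IPQS code and not part of the original article), the Python below sketches how the layers described above, device fingerprint rules, a KYC geolocation check, payment history and an external threat-data lookup, can be combined into one risk score for a checkout. It also shows the article's point in numbers: for a session relayed through a remotely controlled residential laptop near the cardholder, the fingerprint, geolocation and chargeback rules all stay silent, and only the threat-data layer fires. The Checkout fields, rule weights, sample events, IP addresses and the threat feed are all constructed assumptions for the example.

```python
"""
Layered fraud-risk scoring for one checkout event.

Added example, not IPQS's own code or product logic. It combines the data
sources the article lists (device fingerprint, KYC/geolocation, payment
history) with an external threat-data lookup. All events, IPs and the
threat feed below are constructed sample data; the rule weights are assumed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class Checkout:
    account_id: str
    device_id: str      # stable fingerprint hash computed on the front end
    ip: str
    ip_type: str        # "residential", "mobile", "datacenter", "vpn" or "proxy"
    ip_lat: float       # geolocation of the connecting IP
    ip_lon: float
    billing_lat: float  # geolocation of the KYC / billing address on file
    billing_lon: float
    os_name: str
    browser: str
    chargebacks: int    # prior chargebacks on this payment instrument


# Rule weights: assumed for the example, not taken from any vendor.
W_ANONYMIZER = 40      # datacenter, VPN or proxy exit instead of residential/mobile
W_FAR_FROM_HOME = 25   # IP geolocation far from the billing address
W_SHARED_DEVICE = 30   # fingerprint already linked to several other accounts
W_CHARGEBACKS = 35     # payment history shows repeated chargebacks
W_THREAT_FEED = 50     # IP flagged by external threat data
FAR_KM = 500
SHARED_DEVICE_MIN = 3
CHARGEBACK_MIN = 2


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_checkout(evt, device_accounts, threat_feed):
    """Return (risk score 0-100, list of triggered reasons).

    device_accounts: device_id -> set of account_ids seen with that fingerprint.
    threat_feed: ip -> set of threat flags from an external data source.
    """
    score, reasons = 0, []

    # Device fingerprinting rules: anonymizer usage and duplicate accounts.
    if evt.ip_type in ("datacenter", "vpn", "proxy"):
        score += W_ANONYMIZER
        reasons.append(f"connection type {evt.ip_type}")
    others = device_accounts.get(evt.device_id, set()) - {evt.account_id}
    if len(others) >= SHARED_DEVICE_MIN:
        score += W_SHARED_DEVICE
        reasons.append(f"device shared by {len(others)} other accounts")

    # KYC rule: does the connection come from near the address on file?
    dist = km_between(evt.ip_lat, evt.ip_lon, evt.billing_lat, evt.billing_lon)
    if dist > FAR_KM:
        score += W_FAR_FROM_HOME
        reasons.append(f"IP is {dist:.0f} km from billing address")

    # Payment history rule.
    if evt.chargebacks >= CHARGEBACK_MIN:
        score += W_CHARGEBACKS
        reasons.append(f"{evt.chargebacks} prior chargebacks")

    # Threat data: the layer that can still fire when every other signal looks clean.
    flags = threat_feed.get(evt.ip, set())
    if flags:
        score += W_THREAT_FEED
        reasons.append("threat feed flags: " + ", ".join(sorted(flags)))

    return min(score, 100), reasons


# Constructed sample data (RFC 5737 documentation addresses).
DEVICE_ACCOUNTS = {"fp-9c1e": {"acct-11", "acct-12", "acct-13", "acct-14"}}
THREAT_FEED = {"203.0.113.7": {"recent_abuse"}}

# Checkout through a datacenter VPN exit on another continent, from a
# fingerprint already tied to several accounts: every rule has something to say.
VPN_CHECKOUT = Checkout("acct-14", "fp-9c1e", "198.51.100.23", "vpn",
                        52.37, 4.90, 32.78, -96.80, "Windows 10", "Chrome", 0)

# Checkout relayed through a remotely controlled residential laptop a few km
# from the billing address: the fingerprint belongs to the laptop, so the
# front-end rules see an ordinary customer and only threat data flags the IP.
RDP_CHECKOUT = Checkout("acct-42", "fp-e7a0", "203.0.113.7", "residential",
                        32.80, -96.78, 32.78, -96.80, "Windows 11 Home", "Chrome", 0)

if __name__ == "__main__":
    for name, evt in (("vpn", VPN_CHECKOUT), ("rdp", RDP_CHECKOUT)):
        print(name, "rules only:", score_checkout(evt, DEVICE_ACCOUNTS, {}))
        print(name, "with threat data:", score_checkout(evt, DEVICE_ACCOUNTS, THREAT_FEED))
```

Run as-is, the VPN checkout scores 95 with or without the threat feed, while the relayed residential session scores 0 on the front-end and payment rules and 50 only once the IP's threat flags are consulted. The weights and thresholds are placeholders; in practice they come from the merchant's own loss history, and the threat feed from a data source that sees abuse across many sites rather than just one storefront.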
Advanced Fraud Prevention Tools
Catching fraud is a constant cat-and-mouse game. As cybercriminals deploy new tactics to commit fraud, the cybersecurity industry creates new tools to detect them. It’s a vicious cycle.
This article’s intentions are not to say that device fingerprinting is useless - far from it. Device fingerprinting is an excellent tool for preventing online fraud, and it’s time to create more tools to beef up cyber defenses.
IPQS recognized the issues around device fingerprinting years ago. Malicious RDP connections aren’t the only threat to device fingerprinting. Various privacy laws and regulations, Google’s push to move browsers to Manifest V3, browsers like Chrome and Firefox moving to heavily restrict browser APIs, and other trends are making device fingerprinting techniques harder to deploy.
This is why IPQS includes threat analysis data with device fingerprints. Threat data can help businesses make better decisions about their customer interactions (e.g., online payments, account sign-ups, affiliate offers, etc.) even if fraudsters take extreme actions to cloak themselves.
Data from the IPQS Advanced Threat Network is used to measure the risk of online purchases using the IPQS Transaction Risk Measurement tools, fill in gaps that other KYC systems leave open, and look for suspicious activity exhibited by bots or other advanced tools that help to commit fraud.
AI Fraud Detection
Building on the IPQS Advanced Threat Network data, we use machine learning to look for trends in data points. We also use those machine learning tools to help predict new fraud trends. This is how IPQS can supply fraud data that is only a few days old.
IPQS isn’t the only company that uses AI to detect fraud either. Microsoft and Google have been using advanced AI routines to analyze fraud data for a few years. IPQS also partners with many cybersecurity businesses specializing in niche segments of the anti-fraud industry to detect malicious activities.
So, while fraudsters are becoming more sophisticated and trying to hide themselves with tools like RDP, the anti-fraud industry is staying ahead of the curve. New heuristic algorithms are constantly being created that can pierce the veil cybercriminals use to hide themselves.
Are you ready to learn more? Schedule a meeting with one of our team members to see how IPQS can help you. Be on the lookout for new blog posts and product announcements as well!