Skip to content

Vishing – RAT Fraud vs Fraud Kill Chain

26 March 2024

This third episode covers what happens when scammers call you up on your phone. They pretend to be your bank, Microsoft, or the police. Their goal: to take over your device via a Remote Access Toolkit (RAT). Voice Phishing is often abbreviated to Vishing. The Scam is called an Impersonation Scam, or a Vishing – RAT scam.

These scams happen all over the world – although some regions (like the Nordics and the UK) are being targeted more often at the time of writing.

This blog is part of a series, where we will offer the tools to check your fraud detection capabilities for readiness on the most prolific fraud and scam types. From Malware campaigns to scams, we’ll analyze TTPs, Kill-Chain mappings, and detection gaps.

The Problem 

Vishing Scams requires the criminals to have people, and internet and phone infrastructures at scale. They sometimes operate from call centers. They will go through a process that looks like this:

  • Initial Contact: The scammer makes a phone call, often pretending to be from a reputable company or government agency, to gain the victim's trust.
  • Creating Urgency: They create a sense of urgency, claiming there's a security issue or outstanding debt that needs immediate attention.
  • Requesting Personal Information: The scammer asks for personal details, such as passwords, Social Security numbers, or bank account information.
  • Directing to a Website: The victim is directed to a website that looks legitimate but is controlled by the scammer.
  • Downloading Software: The scammer persuades the victim to download a software tool, which is actually a RAT.
  • Granting Access: Once installed, the RAT gives the scammer remote access to the victim's device.
  • Exploiting Access: The scammer can now monitor the victim's activities, access sensitive information, or install additional malware.
  • Financial Fraud: They may perform unauthorized financial transactions or steal identity information for fraudulent purposes.
  • Maintaining Control: The scammer keeps access to the device for as long as possible to continue their malicious activities.

Our research shows one in 5 scams are performed in this way.

Screenshot 2024-03-26 at 09.44.50

About the Fraud Kill Chain

With the right tools, anti-fraud teams should be able to pick up the tell-tale signs of these attacks. The Fraud Kill-chain is a useful tool to identify detection opportunities and gaps. It allows anti-fraud teams to map capabilities to attacks, and helps controlling a wide variety of fraud and scams.

Screenshot 2024-03-04 at 08.52.04

Many scams are hard to detect due to the lack of “technical” TTPs. Vishing – RAT, however, has some touch points on the mobile (an incoming call), and on the device: a RAT installation, and an active RAT.

Screenshot 2024-03-04 at 08.51.20

Vishing – RAT vs Fraud Kill Chain 

We can see a plethora of TTPs identifying various stages of attacks before, during, and after. This means there is a lot of opportunity for detection, but it requires sensors and processes in digital channels.  


Detection Gaps & Opportunities 

Gap 1: Mobile Visibility / Device Risk 

Incoming Phone Calls, and Active Phone Calls can be detected on the Mobile device. It is key that Device Risk uses Threat Intelligence, so anti-fraud teams understand what kinds of attacks are seen “in the wild”, and how Device Risk is integrated in your Anti-Fraud environment. 

Gap 2: Behavioral Biometrics 

When criminals are operating your account, their behavior will be different than yours. While Behavioral Biometrics is the best technology available, it’s key to have multiple models:

  • The “attack” perspective, spotting manipulation, pressure, and hesitation.
  • The “individual use” perspective, which detects when a customer’s interaction with the device if “different than normal”.

Gap 3: Multi-Channel and Correlation

By correlating Device Risk and Behavioral Risk, you can correlate “on-call” with “active RAT” with “behavioral risk”. Your capabilities should include visibility on both web and mobile – since often an scam operates on both, or moves from one channel to another during the attempt.


Conclusion & Takeaways 

As scammers are raking in billions, anti-fraud teams are to perform the following checks:

  1. Check your detection processes for Mobile Visibility
  2. Check your detection processes for Device Risk
  3. Check if you have visibility on your Web channels
  4. Check if you can correlate risk signals over multiple on-line channels and technologies (Device and Behavioral Risk)
  5. Stay up to date with the threat evolution with mobile threat intelligence

Detection Readiness Workshop 

ThreatFabric helps banks and financials globally perform these analyses. If you’re interested in a detection readiness workshop, use the link below for a free consultation.


Questions or demo?