
Cyber Threat Alert: Remote Access Tools Put Devices in Criminals' Hands


Fraudsters have been using Remote Access Tools (RATs) in combination with phishing attacks to compromise digital devices like mobile phones, tablets, laptops and desktops.  These RATs are tools that are used for legitimate purposes – IT support for example.  However, bad actors can abuse the tools in order to steal assets and data.

How RAT-based attacks work:

  • First, the fraudster sends a phishing email with a link or attachment that appears legitimate.
  • Once the victim clicks, the RAT is installed on that device without any notification to the user and automatically connects to a remote server controlled by the attacker.
  • At this point, the attacker can:
    • Steal sensitive data (passwords, financial details, etc.)
    • Monitor user behavior through keylogging and screen recording
    • Gain access to anything the user accesses using the infected device, which can include Schwab Advisor Center or Schwab Alliance. This online access can let them set up fraudulent trades and/or money movements.
  • This type of attack is difficult to detect for many reasons, including:
    • The fraudulent activity is generated by a device that's trusted by the user.
    • These attacks may use legitimate applications, so the problem may not show up in antivirus/malware scans.
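Because a legitimate remote-access application may pass an antivirus scan, one complementary check is to review what remote-access software is installed and whether it is expected. The following is an added example, not part of the original alert: the product-name markers, the approved list and the sample inventory are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: name fragments of common remote-access products; extend as needed.
REMOTE_ACCESS_MARKERS = ("anydesk", "teamviewer", "screenconnect", "rustdesk", "vnc")
# Assumption: the only remote-support tool your IT provider actually uses.
APPROVED = {"teamviewer"}

NOW = datetime(2025, 1, 15)  # constructed "current" time for the sample data
# Constructed sample inventory: installed software plus whether it currently
# holds an established outbound network connection.
SAMPLE_INVENTORY = [
    {"name": "Google Chrome", "installed": datetime(2023, 11, 2), "outbound": True},
    {"name": "TeamViewer Host", "installed": datetime(2024, 6, 20), "outbound": False},
    {"name": "AnyDesk", "installed": datetime(2025, 1, 14), "outbound": True},
    {"name": "UltraVNC Server", "installed": datetime(2024, 10, 1), "outbound": False},
]

def marker_for(name):
    """Return the remote-access marker found in a product name, or None."""
    lowered = name.lower()
    return next((m for m in REMOTE_ACCESS_MARKERS if m in lowered), None)

def review(inventory, now, recent_days=7):
    """Flag remote-access software that is unapproved or newly installed."""
    findings = []
    for app in inventory:
        marker = marker_for(app["name"])
        if marker is None:
            continue  # not remote-access software
        reasons = []
        if marker not in APPROVED:
            reasons.append("not an approved support tool")
        if now - app["installed"] <= timedelta(days=recent_days):
            reasons.append(f"installed within the last {recent_days} days")
        if not reasons:
            continue  # approved and long-installed: expected
        if app["outbound"]:
            reasons.append("active outbound connection")
        severity = "high" if app["outbound"] else "review"
        findings.append({"name": app["name"], "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_INVENTORY, NOW):
        print(f"[{f['severity']}] {f['name']}: {'; '.join(f['reasons'])}")
```
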

Unlike many other scams, RAT-based attacks do not require interaction with a scammer or taking action to download malicious software—for that reason, these attacks can seem "invisible". RAT-based attacks are versatile and difficult to detect, so they are particularly dangerous. It's important to look out for these red flags:

  • Clicking a link or attachment in seemingly legitimate communication from a government department or trusted institution may appear to do nothing. Unfortunately, a RAT may have been installed with no other notification.
  • If your device suddenly displays a blue or black screen and a message like "Do not turn off your computer. Computer is currently being scanned," this may be a sign that a RAT attack is in progress. Immediately shut down the device, contact your IT professional and, as soon as possible, report the incident to your advisor or the custodian whose platform you may have interacted with.
  • Watch for any account activity that does not align with typical behavior.

Real-World RAT Attack Scenarios:

Example #1: Using a RAT to access a website (e.g., account custodian, bank account, etc.)

An individual clicks a link from a phishing email, but nothing appears to happen. In the background, though, a RAT has been installed on the device. The next time the individual logs into their service provider’s website and completes two-factor authentication, the bad actor piggybacks on this login and can remotely engage in unauthorized activity (e.g., wire funds from the account, trade, etc.) without the legitimate user's knowledge.

Example #2: Online account takeover

An individual receives a text message that appears to be from their financial institution, asking them to verify account information by clicking a link. This phishing text directs the user to a spoofed website, a RAT is downloaded to the device, and then the bad actor uses the remote tool to gain access to the user's online accounts to steal data or funds. 

In case of suspected RAT infection: 

  • Disconnect from the internet immediately. This prevents the RAT from communicating with the attacker.  Caution: If you are unsure or unable to identify and/or remove the RAT yourself, consult a cybersecurity expert as soon as possible.
  • If you are still unable to remove the software, consider factory resetting your device—this may be required to ensure complete removal of the RAT.
  • Assume your credentials have been compromised, but don't change them until after you have successfully removed the RAT. Otherwise, the attacker may be able to discover and leverage your new credentials.

Other Best Practices:

  • Close the browser window you use to access secure websites as soon as your session is over.
  • Power down your devices daily, including your phone.
  • Be sure you have reputable antivirus/anti-malware software active on each device you use.
  • Avoid clicking on unknown or unsolicited links or attachments.
  • To avoid landing on spoofed websites, type the site's full URL into your browser’s address bar, and then add it as a favorite for your convenience later.
  • Remove recently downloaded applications that you do not recognize.
  • Take advantage of advanced security features, such as multi-factor authentication and biometrics.
  • Keep devices updated and patched.  


REMEMBER:  REPORT ANY SUSPICIOUS ACTIVITY AND/OR UNAUTHORIZED TRANSACTIONS TO YOUR CUSTODIAN AND YOUR ADVISER!

Learn more & Resources:

Visit these sites for more information and best practices:

  • National Cybersecurity Alliance > StaySafeOnline.org
  • Federal Trade Commission > OnGuardOnline.gov
  • Federal Deposit Insurance Corporation > Consumer Assistance Topics
  • Federal Bureau of Investigation > Scams and Safety


RubinBrown Advisors is an SEC-registered investment adviser.  This information was obtained from sources deemed reliable.  This piece is intended for general educational purposes only.  Any reference to a specific custodian or product should not be considered an endorsement or imply any sort of affiliation.  Please contact your advisor if you have any specific questions.

An Affiliate of RubinBrown LLP