Published: April 10, 2025
Reading time: 5 minute read
Written by: Doriel Abrahams

As if fraud fighters didn’t have enough to deal with at work, remote access attacks, which in the past have typically been seen in cyber breach and banking contexts, are now coming to digital commerce as well. 

Forter’s analysis of fraud attacks over the 2024 holiday period showed an 8% increase in remote access attacks compared to 2023. Unfortunately, that trend wasn’t just a blip connected to the holidays, when fraudsters usually attempt to maximize their profit over the lucrative end-of-year season. Remote access attacks look set to be a significant new factor in online fraud.

What is an RDP Attack, and Why Do They Matter?

Until recently, remote access attacks were rare in digital commerce, so folks in online fraud, payments, or customer experience may not be familiar with how they work. (Given that, you should consider sharing this information internally to help your organization catch up with the new threat.)

RDP stands for Remote Desktop Protocol. It's the protocol that Microsoft put in place for two reasons: 1) so that remote workers could access distant corporate servers and workstations, and 2) so administrators and technical support could remotely access individual computers to check things were in order, diagnose problems, and fix issues from afar.

Other remote work applications often have something similar, so remote attacks are by no means confined to Microsoft — even though this type of attack is usually referred to as RDP. When used correctly, it’s a great feature. 

Cybercriminals, of course, view remote access as a golden tool for crime. It’s an ideal entry point for threat actors because it gives them control over the device and means they can use its access to sites or systems to view data, infiltrate networks, steal information, change data, and so on. 

RDP has traditionally required more work than fraud attack methods like credit card fraud, account takeover, etc., which are more common in digital commerce. For that reason, fraudsters have not usually employed it unless they’re going for a giant target with a payoff comparable to attacking a bank account. That’s now changing.

Remote Attacks: A Growing Threat

Remote access attacks rapidly took off during the coronavirus pandemic, when many workplaces shifted to remote or hybrid work. Remote access was a practical and effective way for organizations to manage their newly distributed workforce and its technical challenges. 

Naturally, cybercriminals weren’t slow to realize the potential. Midway through 2021, the U.K.’s National Cyber Security Centre reported that these attacks were “the most common attack vector used by threat actors to gain access to networks.”

Unfortunately, the uptick in remote attacks turned out to be something of a “Covid keeper” and didn’t fade away with the coronavirus and its associated restrictions. A 2024 report found that cybercriminals used RDP in nine of every 10 cyberattacks.

AI and automation have helped criminals speed up and more easily scale their operations by helping write or test malicious code, composing phishing emails and messages, managing social engineering chats, etc. It’s no surprise that, as the barrier to entry for cybercrime is lowered, more sophisticated attacks, such as remote access attacks, are becoming more widespread and breaking new ground, such as infiltrating the digital commerce space. 

How Remote Access Can Harm Digital Commerce

Fraudsters usually gain access to a victim's device through their credentials, either by stealing or purchasing them, or by tricking the victim into providing them through phishing or other forms of social engineering. That's a problem for digital commerce for various reasons, including:

  • Instant access: If the user is signed into any commerce sites — and they often are — then the fraudster instantly has access to them, too. 
  • Saved payment methods: Many users save payment methods to their favorite sites, which the fraudster can use if they gain access. 
  • Digital doppelganger: It's challenging for retailers to identify when a fraudster is accessing a device remotely because, by definition, the digital footprint is the same as usual. The fraudster also has access to the user's account history, so they can match past purchases and so on. Behavioral analytics, on the other hand, may show something strange.
  • New account details: Because the fraudster digitally looks like the real user, it’s easy to add new (stolen) payment methods or new email or physical addresses they control. 
  • Invisible: Victims often have no idea the attack has occurred unless a chargeback comes through on their card.
  • Scale: Fraudsters will often attack several times in a short period, often across different sites, cashing in while they have access. 

In a way, you could think of it as an ATO attack on steroids — but one which can’t be identified by many of the methods you use to catch ATO.

Where Do You Need to Protect?

Depending on your industry, the type of goods you sell, and the devices your typical customers use, you might be more or less at risk from the new remote attack trend. Here are some factors that indicate higher risk:

  • Windows devices are particularly susceptible to this kind of attack, and to a lesser extent, so are Android devices. As a result, users with these device types are more likely to fall victim. 
  • Desktop computers and laptops are much more vulnerable to remote attacks than mobile devices. Forter’s research indicates that remote attacks are about four times more likely to be against desktops and laptops than mobiles.
  • High-end goods are particularly likely to be targeted in remote access attacks. Digital goods, valuable electronics, and luxury goods are all popular targets. High-ticket items are nearly five times more likely to be attacked.
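
To show how the signals and risk factors listed above could be combined into a review rule, here is an added example (not Forter's code or method) that scores one account's orders. The event fields, weights, thresholds and sample events are all constructed assumptions; the point is that a matching device fingerprint never lowers the score.

```python
from dataclasses import dataclass

# Field names, weights and thresholds are illustrative assumptions.
CHANGE_WINDOW = 30 * 60   # seconds: detail change this close to checkout counts
BURST_WINDOW = 60 * 60    # seconds: look-back for repeated orders
HIGH_TICKET = 500.0       # constructed cut-off for a "high-ticket" order
REVIEW_AT = 5             # score at which an order goes to manual review
DETAIL_CHANGES = {"add_payment", "add_address"}

@dataclass
class Event:
    ts: int               # epoch seconds
    kind: str             # "add_payment", "add_address" or "order"
    known_device: bool    # fingerprint matches the account's usual device
    os: str = ""
    form_factor: str = ""  # "desktop" or "mobile"
    amount: float = 0.0

def score_order(history, order):
    """Return (score, reasons) for one order given the account's events."""
    hits = []
    prior = [e for e in history if e.ts < order.ts]
    # New payment method or address added shortly before checkout.
    if any(e.kind in DETAIL_CHANGES and order.ts - e.ts <= CHANGE_WINDOW
           for e in prior):
        hits.append((3, "recent_detail_change"))
    # Several orders in a short period while the access lasts.
    recent = [e for e in prior
              if e.kind == "order" and order.ts - e.ts <= BURST_WINDOW]
    if len(recent) >= 2:
        hits.append((2, "order_burst"))
    if order.amount >= HIGH_TICKET:
        hits.append((2, "high_ticket"))
    if order.form_factor == "desktop" and order.os == "Windows":
        hits.append((1, "desktop_windows"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def needs_review(history, order):
    # order.known_device is deliberately ignored: in a remote access attack
    # the fingerprint is the real user's, so it proves nothing.
    return score_order(history, order)[0] >= REVIEW_AT

# Constructed sample: one routine order, then a change plus three big orders.
T0, DAY = 1_700_000_000, 86_400
WIN = dict(known_device=True, os="Windows", form_factor="desktop")
SAMPLE = [Event(T0, "order", amount=40.0, **WIN),
          Event(T0 + DAY, "add_address", **WIN),
          Event(T0 + DAY + 300, "order", amount=1200.0, **WIN),
          Event(T0 + DAY + 900, "order", amount=900.0, **WIN),
          Event(T0 + DAY + 1500, "order", amount=1500.0, **WIN)]
```
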

Even if your site doesn’t have Windows device users or valuable items, experience indicates that the more common an attack type becomes, the more it spreads. Now is the time for retailers to put protections in place against remote access attacks before they reach that stage. 

Talk to your cybersecurity department, which likely has ways of identifying remote access attacks against your employees; maybe your org can repurpose some of those methods to guard against fraud. Talk to your fraud provider to establish how effectively they can identify and protect you from this threat. It may be that, like Forter, they’re already aware of this trend and can show you the attacks they’ve been stopping in recent months. 

As always, talk to the fraud community to share experiences, ideas, and what works. Remote access attacks aren’t an addition to the fraud-fighting landscape that I’m excited about, but at least we have plenty of opportunities for remote communication. Together, we can all stay ahead of the fraudsters. 

Doriel Abrahams is the Principal Technologist at Forter and host of ‘What the Fraud?,’ where he monitors emerging trends in the fight against fraudsters, including new fraud rings, attacker MOs, rising technologies, etc. His mission is to provide digital commerce leaders with the latest risk intel so they can adapt and get ahead of what’s to come.
