Recently, the use of electronic keys (tokens) and smart cards with non-recoverable cryptographic keys, which are used to sign legally significant documents and money transfers, has ceased to be considered a reliable method of protection against fraudsters. The most common scheme to bypass these means is the use of malicious software for unauthorized collection of login information, PIN codes, passwords on the “victim's” device, followed by remote access to his/her device and performing actions in information systems as if the legitimate user.
Such attacks have ceased to be isolated and are particularly widely used by cyber fraudsters in the theft of money through various online payment systems and remote banking services. Such publicly available programs as Microsoft Remote Desktop, TeamViewer, Lite Manager, Ammyy Admin, Remote Admin, a VNC-based family are often used for remote access.
The most known method to detect the use of remote access is to record changes in screen parameters, such as its width and height, as well as colour depth. For example, in case of remote control using Microsoft Remote Desktop, the default screen settings from which remote access is performed are used. These screen parameters are accessible through JavaScript, and can be read when the user accesses the web resource accordingly. This method uses a wide range of antifraud solutions, such as ThreatMetrix, RSA Transaction Monitoring, NICE Actimize, Kaspersky Fraud Prevention, etc.
However, in case of Microsoft Remote Desktop use, the fraudster can explicitly set the necessary screen parameters, and when using other remote access tools such as VNC, Ammyy Admin, TeamViewer, these default parameters typically correspond to the screen settings of the controlled device. In this case, the remote connection using the said method will not be revealed, and this is its significant disadvantage.