Case Study

Detecting External Imposters on an e-Banking Application

Detected malicious activities

A group of attackers used social engineering against several customers to obtain their individual credentials (including OTPs), thereby bypassing the MFA process. The attackers then logged into the application as legitimate customers and succeeded in performing (several) money transfer transactions, even obtaining from the targeted victims the OTP required to approve those transfers.

The rule-based systems employed by the bank failed to detect many of these attacks, and in addition generated several false positives.

User journey analyzed

The sequence of activities performed by a customer within an application session (one journey was created per application session).

Process and assumptions

TrackerIQ learned the typical journeys of each customer in the e-banking application, and every new journey of a customer was compared to the typical journeys learned for that customer. The underlying assumption is that an attacker’s journey through the e-banking application differs from the customer’s own typical journeys.
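The following is an added illustration of the journey-comparison idea described above; it is not TrackerIQ code and does not reflect how the product actually models journeys. It assumes a deliberately simple profile (the set of action-to-action transitions seen in a customer's historical sessions) and scores a new session by the fraction of its transitions that the customer has never produced before. The audit log lines, customer and session identifiers, action names and the 0.5 alert threshold are all constructed for the example. It also covers the cold-start case: a customer with no learned history cannot be scored and is reported separately rather than silently passed.

```python
"""Journey-based anomaly detection over e-banking audit logs (added illustration)."""
from collections import defaultdict

# Constructed sample audit log, one event per line: "<timestamp> <customer> <session> <action>".
# These are the customer's historical (assumed benign) sessions used to learn the profile.
AUDIT_LOG = """\
2024-03-01T09:00:01Z cust_a sess_1 login
2024-03-01T09:00:05Z cust_a sess_1 view_balance
2024-03-01T09:00:30Z cust_a sess_1 view_statement
2024-03-01T09:01:10Z cust_a sess_1 logout
2024-03-02T18:10:00Z cust_a sess_2 login
2024-03-02T18:10:04Z cust_a sess_2 view_balance
2024-03-02T18:11:00Z cust_a sess_2 pay_known_payee
2024-03-02T18:11:20Z cust_a sess_2 logout
2024-03-03T08:45:00Z cust_a sess_3 login
2024-03-03T08:45:03Z cust_a sess_3 view_balance
2024-03-03T08:46:00Z cust_a sess_3 view_statement
2024-03-03T08:47:00Z cust_a sess_3 logout
2024-03-04T20:00:00Z cust_a sess_4 login
2024-03-04T20:00:03Z cust_a sess_4 view_balance
2024-03-04T20:01:00Z cust_a sess_4 pay_known_payee
2024-03-04T20:01:30Z cust_a sess_4 logout
"""

# Constructed session to score: a journey that goes straight to a new payee and an
# external transfer, unlike anything in this customer's history.
SUSPECT_SESSION = """\
2024-03-05T03:12:00Z cust_a sess_5 login
2024-03-05T03:12:02Z cust_a sess_5 add_payee
2024-03-05T03:12:20Z cust_a sess_5 transfer_external
2024-03-05T03:12:45Z cust_a sess_5 otp_approve
2024-03-05T03:13:00Z cust_a sess_5 logout
"""

START, END = "<start>", "<end>"


def parse_journeys(log_text):
    """Group audit lines into journeys: {(customer, session): [action, ...]} in log order."""
    journeys = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, customer, session, action = line.split()
        journeys[(customer, session)].append(action)
    return dict(journeys)


def transitions(actions):
    """Consecutive action pairs of a journey, with explicit start/end markers."""
    seq = [START] + list(actions) + [END]
    return list(zip(seq, seq[1:]))


def learn_profiles(journeys):
    """Per-customer profile: the set of transitions seen across that customer's journeys."""
    profiles = defaultdict(set)
    for (customer, _session), actions in journeys.items():
        profiles[customer].update(transitions(actions))
    return dict(profiles)


def novelty_score(profile, actions):
    """Fraction of a journey's transitions never seen for this customer (0.0 = fully typical),
    plus the list of unseen transitions for the analyst."""
    trans = transitions(actions)
    unseen = [t for t in trans if t not in profile]
    return len(unseen) / len(trans), unseen


def flag_sessions(profiles, journeys, threshold=0.5):
    """Return (alerts, unscorable): alerts for journeys whose novelty meets the threshold,
    and the (customer, session) pairs of customers that have no learned profile yet."""
    alerts, unscorable = [], []
    for (customer, session), actions in journeys.items():
        profile = profiles.get(customer)
        if profile is None:
            unscorable.append((customer, session))  # cold start: nothing to compare against
            continue
        score, unseen = novelty_score(profile, actions)
        if score >= threshold:
            alerts.append({"customer": customer, "session": session,
                           "score": round(score, 2), "unseen": unseen})
    return alerts, unscorable


if __name__ == "__main__":
    profiles = learn_profiles(parse_journeys(AUDIT_LOG))
    alerts, unscorable = flag_sessions(profiles, parse_journeys(SUSPECT_SESSION))
    for alert in alerts:
        print(f"ALERT {alert['customer']}/{alert['session']} novelty={alert['score']}")
        for prev, nxt in alert["unseen"]:
            print(f"   unseen transition: {prev} -> {nxt}")
    print("unscorable sessions:", unscorable)
```

The profile here is a bag of transitions, so it is indifferent to session length and produces a score that is directly explainable to an analyst (the list of transitions the customer never made before). A production system would also need to decide what counts as "typical" for low-activity customers and how to age out old behaviour; those choices are outside this illustration.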

TrackerIQ Analysis Results (over 12 months of monitored log data)

  • ~750 journeys were flagged as suspicious
  • 98% of malicious money transfers were detected by TrackerIQ, many of which had not been detected by the bank’s rule-based system

TrackerIQ Benefits

  • Quick initial tuning of the detection model using historical data, including detection of past suspicious activities
  • Continuous monitoring of customer activities as a compensating control for attackers who succeed in bypassing MFA and other authentication controls, such as OTP
  • Few alerts (averaging around 2 alerts per day) allow analysts to focus on true suspicious activities
  • An easy-to-use investigation tool for the business analyst

Industry

Banking, publicly traded.


Application type

Custom-built.


Application usage

An e-banking application (web and mobile) used by the bank’s customers to manage their accounts. The application enables customers to perform money transfer transactions to third-party accounts.


Data analyzed

Application audit logs describing user (i.e. customer) activities in the e-banking application.