A recent survey from a European association for IT security reported that malware attacks from end-user devices, or endpoints, against online services grew by 95 percent over the last year and represent the most relevant threat (40 percent). As a matter of comparison, present-day SQL injection attacks represent less than 1 percent of attacks (an 80 percent decrease from the previous year).

Advanced attacks on online services can easily infect endpoints by using sophisticated techniques and attack vectors, such as Man-in-the-Browser (MITB), Man-in-the-Middle (MITM), RAT-in-the-Browser, SMS Grabbing, and Mobile Overlay. Depending on the specific type of targeted online service, cybercriminals might be seeking to grab user credentials and other sensitive user data, collect pricing or other competitive information, or commit payment fraud.

In a typical advanced attack on an internet banking service, user endpoints get infected and become part of the fraudster botnet. This enables fraudsters to collect user-profile information and steal authorization credentials. They can then carry out their fraud and disappear back into the ether.

Specific attack techniques and vectors may vary. Sometimes, it involves leveraging banking Trojans to hijack user credentials and remote-access Trojans (RAT) to remotely access the endpoint to issue brand-new transactions from the user endpoint itself, while closely mimicking normal user behavior. In other cases, it involves leveraging a local-proxy, acting as a Man-In-the-Middle and modifying real end-user transactions on the fly. Here, they might modify the banking account reference of the external account money is transferred to, while making these users believe they have correctly performed their intended transactions.

Whatever the specific attack technique and vector, advanced attacks today completely bypass transaction monitoring and user-behavior analysis. Malware detection solutions are less and less effective because they are based on signatures and pattern-matching technology. Targeted attacks today are crafted for a specific application, leveraging polymorphic malware that is also designed to prevent detection by changing over time, thus representing zero-days.

End-to-End Application Security Is Required

What’s missing here?

The ability to validate the integrity of the application, from end to end.

Indeed, in all these advanced attacks some malicious code gets injected into the content delivered by the application, compromising the integrity of the application on the endpoint. This usually happens in the early phases of the attack campaign, while the attacker is still crafting the targeted attack. Because these initial indicators of compromise (IOCs) usually go undetected, the attack is typically in full swing before the malware is identified (if ever).

Cleafy, a Citrix Ready solution, validated with the latest versions of Citrix ADC, is an innovative solution designed to protect online services against advanced threats to unmanaged endpoints. Cleafy’s approach is based on continuously monitoring application traffic and assessing in real-time the risk associated to every session event (i.e. HTTP request/response, API call, and user interaction), even before the authentication phase.

Cleafy’s patented threat-detection technology verifies in real-time the integrity of the application as delivered to endpoints by identifying malicious web injections and mobile apps and detecting anomalous behaviors, even in the early phases of an attack. Cleafy also enables adaptive threat response and provides patented threat protection that can be dynamically and selectively activated to prevent application and data tampering.

How would this work? Consider an attack campaign that uses automatic transfer system (ATS) techniques. This campaign might attempt to modify real user transactions on the fly, so that money was transferred to different bank accounts than those originally intended by the users, while displaying the transactions as if they had been correctly executed. During the user session the risk score would be increased in real time as the session unfolded, and Cleafy would detect IOCs and malicious code.

Thanks to Cleafy’s end-to-end application integrity, these attacks would be detected in real time, and the customer would be able to identify the attacker’s tactics, techniques, and procedures (TTPs) and the new campaign as an ATS attack.

Citrix + Cleafy: Unparalleled Application-Protection Capabilities

Cleafy provides an innovative threat-detection and protection solution against advanced cyber threats. It smoothly integrates with Citrix ADC and perfectly complements Citrix Web App Firewall capabilities. The combined Citrix and Cleafy solution delivers unparalleled application-protection capabilities in a tightly integrated solution.

Citrix ADC is a world-class Application Delivery Controller (ADC) with the proven ability to load balance, accelerate, optimize, and secure applications. Citrix Web App Firewall is a modern WAF technology that protects applications against both Layer 7 and HTTP attacks such as distributed denial-of-service (DDoS), SQL injection, cross-site scripting (XSS), and SSL attacks. The Citrix Web App Firewall also provides IP reputation and integration with vulnerability scanners.

Cleafy delivers both threat detection and protection without requiring any additional component and can also support a dynamic, selective approach to application protection. In particular, thanks to Citrix ADC’s unique traffic switching and transformation mechanisms (e.g. rewrite policies and HTTP callouts), Cleafy can be deployed without any change to the application-delivery infrastructure. And because Cleafy does not touch the application back-end and does not require any change to managed applications, it can be easily deployed without any impact on the user experience and customer application lifecycle.

Leading corporate and retail banks, payment services, online lenders and other companies who need to protect their online services and end users against advanced threats have successfully adopted Cleafy, which is listed in Gartner’s latest Market Guide for Online Fraud Detection. Together, Cleafy and Citrix protect customers and their online services from advanced threats and enable you to deliver a people-centric approach to security.

For more information on Cleafy and Citrix ADC, watch the joint Cleafy/Citrix webinar below, check out this white paper on integrating Cleafy and Citrix, and visit the Cleafy page in the Citrix Ready Marketplace.


Giuseppe Nardiello has been Director of Product Management and Business Development at Cleafy since 2016. He holds a PhD in computer science and has more than 20 years of experience helping start-ups and large corporations to become market leaders.