CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Ramnit Malware Steals One-Time Passwords to Defraud Online Bankers

A new variant of the Ramnit malware is targeting is targeting bankers in the UK with a one-time password [OTP] scam, another example of how attackers are stepping up their social engineering schemes.

A new variant of the Ramnit malware is targeting is targeting bankers in the UK with a one-time password [OTP] scam, another example of how attackers are stepping up their social engineering schemes.

The variant, which has been spotted targeting several large UK banks, relies on HTML injection to make changes to banking sites in order to trick users into giving up their OTP to get around two-factor authentication. According to Trusteer Senior Security Strategist George Tubin, the victims are infected with Ramnit the same way as usual – phishing emails with malicious attachments and links to malicious sites.

The malware stays idle until the user successfully logs into their account, after which it presents them with a message about configuring their OTP service.

“While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account,” blogged Trusteer Fraud and Prevention Solutions Manager Etay Maor. “This is followed by the initiation of a wire transfer to the money mule. But, there is still one more obstacle in the way of the malware – to complete the transaction a One Time Password (OTP) must be entered by the user.”

“The temporary receiver number,” he continued, “in the message is in fact the mule’s account number. The user then receives the SMS and thinking that he must complete the ‘OTP service generation’, enters their OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account. This is yet another example of how well designed social engineering techniques help streamline the fraud process.”

The scam goes even further however.  To ward off the suspicions of victims, the Ramnit authors altered the FAQ [Frequently Asked Questions] section on the bank’s FAQ page.

“A simple switch of the word ‘transaction’ to ‘operation’ helps reflect the use of the OTP in the fake ‘OTP service registration’ process,” Maor blogged. “Note that the authors most likely used ‘find and replace’ to switch the two words that resulted in the grammatical mistake ‘a option.’ Nevertheless, by changing multiple entries in the FAQ section Ramnit demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there. “

“The security industry has a common saying: ‘Your system is only as secure as its weakest link,’ which is usually followed by: ‘humans are the weakest link,’” blogged Maor. “With online fraud continuing to generate headlines, users are becoming more security aware. This poses a problem for fraudsters – if they can’t con users, their business is at risk.” 

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.