Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New Ramnit Malware Steals One-Time Passwords to Defraud Online Bankers

A new variant of the Ramnit malware is targeting is targeting bankers in the UK with a one-time password [OTP] scam, another example of how attackers are stepping up their social engineering schemes.

A new variant of the Ramnit malware is targeting is targeting bankers in the UK with a one-time password [OTP] scam, another example of how attackers are stepping up their social engineering schemes.

The variant, which has been spotted targeting several large UK banks, relies on HTML injection to make changes to banking sites in order to trick users into giving up their OTP to get around two-factor authentication. According to Trusteer Senior Security Strategist George Tubin, the victims are infected with Ramnit the same way as usual – phishing emails with malicious attachments and links to malicious sites.

The malware stays idle until the user successfully logs into their account, after which it presents them with a message about configuring their OTP service.

“While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account,” blogged Trusteer Fraud and Prevention Solutions Manager Etay Maor. “This is followed by the initiation of a wire transfer to the money mule. But, there is still one more obstacle in the way of the malware – to complete the transaction a One Time Password (OTP) must be entered by the user.”

“The temporary receiver number,” he continued, “in the message is in fact the mule’s account number. The user then receives the SMS and thinking that he must complete the ‘OTP service generation’, enters their OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account. This is yet another example of how well designed social engineering techniques help streamline the fraud process.”

The scam goes even further however.  To ward off the suspicions of victims, the Ramnit authors altered the FAQ [Frequently Asked Questions] section on the bank’s FAQ page.

“A simple switch of the word ‘transaction’ to ‘operation’ helps reflect the use of the OTP in the fake ‘OTP service registration’ process,” Maor blogged. “Note that the authors most likely used ‘find and replace’ to switch the two words that resulted in the grammatical mistake ‘a option.’ Nevertheless, by changing multiple entries in the FAQ section Ramnit demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there. “

“The security industry has a common saying: ‘Your system is only as secure as its weakest link,’ which is usually followed by: ‘humans are the weakest link,'” blogged Maor. “With online fraud continuing to generate headlines, users are becoming more security aware. This poses a problem for fraudsters – if they can’t con users, their business is at risk.” 

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...