A new variant of the Ramnit malware is targeting is targeting bankers in the UK with a one-time password [OTP] scam, another example of how attackers are stepping up their social engineering schemes.
The variant, which has been spotted targeting several large UK banks, relies on HTML injection to make changes to banking sites in order to trick users into giving up their OTP to get around two-factor authentication. According to Trusteer Senior Security Strategist George Tubin, the victims are infected with Ramnit the same way as usual – phishing emails with malicious attachments and links to malicious sites.
The malware stays idle until the user successfully logs into their account, after which it presents them with a message about configuring their OTP service.
“While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account,” blogged Trusteer Fraud and Prevention Solutions Manager Etay Maor. “This is followed by the initiation of a wire transfer to the money mule. But, there is still one more obstacle in the way of the malware – to complete the transaction a One Time Password (OTP) must be entered by the user.”
“The temporary receiver number,” he continued, “in the message is in fact the mule’s account number. The user then receives the SMS and thinking that he must complete the ‘OTP service generation’, enters their OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account. This is yet another example of how well designed social engineering techniques help streamline the fraud process.”
The scam goes even further however. To ward off the suspicions of victims, the Ramnit authors altered the FAQ [Frequently Asked Questions] section on the bank’s FAQ page.
“A simple switch of the word ‘transaction’ to ‘operation’ helps reflect the use of the OTP in the fake ‘OTP service registration’ process,” Maor blogged. “Note that the authors most likely used ‘find and replace’ to switch the two words that resulted in the grammatical mistake ‘a option.’ Nevertheless, by changing multiple entries in the FAQ section Ramnit demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there. “
“The security industry has a common saying: ‘Your system is only as secure as its weakest link,’ which is usually followed by: ‘humans are the weakest link,’” blogged Maor. “With online fraud continuing to generate headlines, users are becoming more security aware. This poses a problem for fraudsters – if they can’t con users, their business is at risk.”