April 30, 2013 By Etay Maor 3 min read

The security industry has a common saying: “Your system is only as secure as its weakest link,” which is usually followed by, “Humans are the weakest link.” With online fraud continuing to generate headlines, users are becoming more security-aware. This poses a problem for fraudsters — if they can’t con users, their business is at risk. In recent months, the security team of Trusteer, an IBM company, has discovered several new malware variants that have stepped up their social engineering techniques.

Legitimate Malware Requires Perfectionism

Using HTML injection, these malware variants present the victim with new input fields, data security warnings and customized text during login, account navigation and transaction stages. Some malware variants go as far as creating custom, localized pages that are generated based on the victim’s language preference. Obviously, attackers don’t want a victim who attempts to access the Spanish version of an e-commerce site to see an English version. This type of attention to detail takes a lot of time and effort from malware authors, but it is necessary to trick victims into believing the fake pages are legitimate. One malware variant took this approach a step further.

Trusteer’s security team recently analyzed a Ramnit variant that is targeting a U.K. bank using a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs in to his or her account, at which time it presents one of the following messages:

While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account. This is followed by the initiation of a wire transfer to the money mule. However, there is still one more obstacle in the way of the malware: To complete the transaction, a OTP must be entered by the user. To overcome this requirement, Ramnit displays the following message:

The temporary receiver number in the message is, in fact, the mule’s account number. The user then receives the SMS and, thinking that he or she must complete the “OTP service generation,” enters his or her OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize payment to the mule account. This is yet another example of how perfectionism in well-designed social engineering techniques help streamline the fraud process. Unfortunately, the story doesn’t end here.

Fake FAQs

The new process Ramnit created may raise the suspicion of users who are accustomed to a specific work flow on their bank’s website. Anticipating that some suspicious users may reference the bank’s FAQ page, Ramnit authors took the extra step of altering the FAQ section to fit the new process. One example is the following fake FAQ entry contained in a Ramnit webinjection page:

When you perform a operation that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current operation so you don’t need to memorise it.

This is the original FAQ text that was altered by the fraudsters:

When you perform a transaction that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current transaction so you don’t need to memorise it.

A simple switch of the word “transaction” to “operation” helps reflect the use of the OTP in the fake “OTP service registration” process. It’s worth noting that the authors most likely used “find and replace” to switch the two words, resulting in the grammatical mistake, “a option.” Nevertheless, by changing multiple entries in the FAQ section, Ramnit demonstrates that its authors did not leave anything to chance — even if the victim decides to go the extra step, Ramnit is already there.

If MitB malware hinges on perfectionism, so must a user’s security against it. To mitigate social engineering attacks, MitB malware must be detected, stopped and removed from the user’s device. Trusteer Rapport can prevent threats and scenarios like the one described above and protect the “weakest link.”

More from Fraud Protection

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today