The security industry has a common saying: “Your system is only as secure as its weakest link,” which is usually followed by, “Humans are the weakest link.” With online fraud continuing to generate headlines, users are becoming more security-aware. This poses a problem for fraudsters — if they can’t con users, their business is at risk. In recent months, the security team of Trusteer, an IBM company, has discovered several new malware variants that have stepped up their social engineering techniques.

Legitimate Malware Requires Perfectionism

Using HTML injection, these malware variants present the victim with new input fields, data security warnings and customized text during login, account navigation and transaction stages. Some malware variants go as far as creating custom, localized pages that are generated based on the victim’s language preference. Obviously, attackers don’t want a victim who attempts to access the Spanish version of an e-commerce site to see an English version. This type of attention to detail takes a lot of time and effort from malware authors, but it is necessary to trick victims into believing the fake pages are legitimate. One malware variant took this approach a step further.

Trusteer’s security team recently analyzed a Ramnit variant that is targeting a U.K. bank using a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs in to his or her account, at which time it presents one of the following messages:

While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account. This is followed by the initiation of a wire transfer to the money mule. However, there is still one more obstacle in the way of the malware: To complete the transaction, a OTP must be entered by the user. To overcome this requirement, Ramnit displays the following message:

The temporary receiver number in the message is, in fact, the mule’s account number. The user then receives the SMS and, thinking that he or she must complete the “OTP service generation,” enters his or her OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize payment to the mule account. This is yet another example of how perfectionism in well-designed social engineering techniques help streamline the fraud process. Unfortunately, the story doesn’t end here.

Fake FAQs

The new process Ramnit created may raise the suspicion of users who are accustomed to a specific work flow on their bank’s website. Anticipating that some suspicious users may reference the bank’s FAQ page, Ramnit authors took the extra step of altering the FAQ section to fit the new process. One example is the following fake FAQ entry contained in a Ramnit webinjection page:

When you perform a operation that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current operation so you don’t need to memorise it.

This is the original FAQ text that was altered by the fraudsters:

When you perform a transaction that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current transaction so you don’t need to memorise it.

A simple switch of the word “transaction” to “operation” helps reflect the use of the OTP in the fake “OTP service registration” process. It’s worth noting that the authors most likely used “find and replace” to switch the two words, resulting in the grammatical mistake, “a option.” Nevertheless, by changing multiple entries in the FAQ section, Ramnit demonstrates that its authors did not leave anything to chance — even if the victim decides to go the extra step, Ramnit is already there.

If MitB malware hinges on perfectionism, so must a user’s security against it. To mitigate social engineering attacks, MitB malware must be detected, stopped and removed from the user’s device. Trusteer Rapport can prevent threats and scenarios like the one described above and protect the “weakest link.”