April 30, 2013 By Etay Maor 3 min read

The security industry has a common saying: “Your system is only as secure as its weakest link,” which is usually followed by, “Humans are the weakest link.” With online fraud continuing to generate headlines, users are becoming more security-aware. This poses a problem for fraudsters — if they can’t con users, their business is at risk. In recent months, the security team of Trusteer, an IBM company, has discovered several new malware variants that have stepped up their social engineering techniques.

Legitimate Malware Requires Perfectionism

Using HTML injection, these malware variants present the victim with new input fields, data security warnings and customized text during login, account navigation and transaction stages. Some malware variants go as far as creating custom, localized pages that are generated based on the victim’s language preference. Obviously, attackers don’t want a victim who attempts to access the Spanish version of an e-commerce site to see an English version. This type of attention to detail takes a lot of time and effort from malware authors, but it is necessary to trick victims into believing the fake pages are legitimate. One malware variant took this approach a step further.

Trusteer’s security team recently analyzed a Ramnit variant that is targeting a U.K. bank using a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs in to his or her account, at which time it presents one of the following messages:

While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account. This is followed by the initiation of a wire transfer to the money mule. However, there is still one more obstacle in the way of the malware: To complete the transaction, a OTP must be entered by the user. To overcome this requirement, Ramnit displays the following message:

The temporary receiver number in the message is, in fact, the mule’s account number. The user then receives the SMS and, thinking that he or she must complete the “OTP service generation,” enters his or her OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize payment to the mule account. This is yet another example of how perfectionism in well-designed social engineering techniques help streamline the fraud process. Unfortunately, the story doesn’t end here.

Fake FAQs

The new process Ramnit created may raise the suspicion of users who are accustomed to a specific work flow on their bank’s website. Anticipating that some suspicious users may reference the bank’s FAQ page, Ramnit authors took the extra step of altering the FAQ section to fit the new process. One example is the following fake FAQ entry contained in a Ramnit webinjection page:

When you perform a operation that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current operation so you don’t need to memorise it.

This is the original FAQ text that was altered by the fraudsters:

When you perform a transaction that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current transaction so you don’t need to memorise it.

A simple switch of the word “transaction” to “operation” helps reflect the use of the OTP in the fake “OTP service registration” process. It’s worth noting that the authors most likely used “find and replace” to switch the two words, resulting in the grammatical mistake, “a option.” Nevertheless, by changing multiple entries in the FAQ section, Ramnit demonstrates that its authors did not leave anything to chance — even if the victim decides to go the extra step, Ramnit is already there.

If MitB malware hinges on perfectionism, so must a user’s security against it. To mitigate social engineering attacks, MitB malware must be detected, stopped and removed from the user’s device. Trusteer Rapport can prevent threats and scenarios like the one described above and protect the “weakest link.”

More from Fraud Protection

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today