The security industry has a common saying: “Your system is only as secure as its weakest link,” which is usually followed by, “Humans are the weakest link.” With online fraud continuing to generate headlines, users are becoming more security-aware. This poses a problem for fraudsters — if they can’t con users, their business is at risk. In recent months, the security team of Trusteer, an IBM company, has discovered several new malware variants that have stepped up their social engineering techniques.

Legitimate Malware Requires Perfectionism

Using HTML injection, these malware variants present the victim with new input fields, data security warnings and customized text during login, account navigation and transaction stages. Some malware variants go as far as creating custom, localized pages that are generated based on the victim’s language preference. Obviously, attackers don’t want a victim who attempts to access the Spanish version of an e-commerce site to see an English version. This type of attention to detail takes a lot of time and effort from malware authors, but it is necessary to trick victims into believing the fake pages are legitimate. One malware variant took this approach a step further.

Trusteer’s security team recently analyzed a Ramnit variant that is targeting a U.K. bank using a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs in to his or her account, at which time it presents one of the following messages:

While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account. This is followed by the initiation of a wire transfer to the money mule. However, there is still one more obstacle in the way of the malware: To complete the transaction, an OTP must be entered by the user. To overcome this requirement, Ramnit displays the following message:

The temporary receiver number in the message is, in fact, the mule’s account number. The user then receives the SMS and, thinking that he or she must complete the “OTP service generation,” enters his or her OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize payment to the mule account. This is yet another example of how perfectionism in well-designed social engineering techniques helps streamline the fraud process. Unfortunately, the story doesn’t end here.

Fake FAQs

The new process Ramnit created may raise the suspicion of users who are accustomed to a specific work flow on their bank’s website. Anticipating that some suspicious users may reference the bank’s FAQ page, Ramnit authors took the extra step of altering the FAQ section to fit the new process. One example is the following fake FAQ entry contained in a Ramnit webinjection page:

When you perform a operation that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current operation so you don’t need to memorise it.

This is the original FAQ text that was altered by the fraudsters:

When you perform a transaction that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current transaction so you don’t need to memorise it.

A simple switch of the word “transaction” to “operation” helps reflect the use of the OTP in the fake “OTP service registration” process. It’s worth noting that the authors most likely used “find and replace” to switch the two words, resulting in the grammatical mistake, “a operation.” Nevertheless, by changing multiple entries in the FAQ section, Ramnit demonstrates that its authors did not leave anything to chance: even if the victim decides to go the extra step, Ramnit is already there.
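The FAQ tampering described above can be caught by comparing what the browser actually rendered against a known-good baseline of the same static text. The following is an added example, not code from the original post or from Trusteer: it diffs the two FAQ entries quoted above word by word and also flags the “a” + vowel artifact that the find-and-replace edit left behind. The helper names (`wordDiff`, `articleArtifacts`, `inspectServedText`) are this example’s own assumptions.

```javascript
// Added example (not from the original post): baseline check for webinject
// tampering of static page text, of the kind a bank's page-integrity script
// or a monitoring crawler could run. Helper names are assumptions.

// Both FAQ entries are quoted in the post; the injected copy is exactly the
// original with "transaction" replaced by "operation".
const ORIGINAL_FAQ = "When you perform a transaction that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current transaction so you don’t need to memorise it.";
const INJECTED_FAQ = ORIGINAL_FAQ.replace(/transaction/g, "operation");

function tokenize(text) {
  return text.match(/\S+/g) || [];
}

// Word-level diff via a longest-common-subsequence table; returns the words
// missing from the served copy and the words that were injected into it.
function wordDiff(baseline, served) {
  const a = tokenize(baseline), b = tokenize(served);
  const lcs = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = a.length - 1; i >= 0; i--) {
    for (let j = b.length - 1; j >= 0; j--) {
      lcs[i][j] = a[i] === b[j] ? lcs[i + 1][j + 1] + 1 : Math.max(lcs[i + 1][j], lcs[i][j + 1]);
    }
  }
  const removed = [], added = [];
  let i = 0, j = 0;
  while (i < a.length || j < b.length) {
    if (i < a.length && j < b.length && a[i] === b[j]) { i++; j++; }
    else if (j >= b.length || (i < a.length && lcs[i + 1][j] >= lcs[i][j + 1])) removed.push(a[i++]);
    else added.push(b[j++]);
  }
  return { removed, added };
}

// A "find and replace" tell: the article "a" left in front of a word that now
// starts with a vowel, e.g. "a operation".
function articleArtifacts(text) {
  const words = tokenize(text), hits = [];
  for (let k = 0; k + 1 < words.length; k++) {
    if (words[k].toLowerCase() === "a" && /^[aeiou]/i.test(words[k + 1])) hits.push(`a ${words[k + 1]}`);
  }
  return hits;
}

function inspectServedText(baseline, served) {
  const { removed, added } = wordDiff(baseline, served);
  return { tampered: removed.length + added.length > 0, removed, added, artifacts: articleArtifacts(served) };
}

console.log(inspectServedText(ORIGINAL_FAQ, INJECTED_FAQ));
```

The same comparison works for any static text the bank controls; the baseline must come from the server-side source, never from the page the malware has already rewritten.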

If man-in-the-browser (MitB) malware hinges on perfectionism, so must a user’s security against it. To mitigate social engineering attacks, MitB malware must be detected, stopped and removed from the user’s device. Trusteer Rapport can prevent threats and scenarios like the one described above and protect the “weakest link.”
