A dangerous variant of the Ramnit malware has been discovered targeting the UK's financial sector. Trusteer claims to have discovered an interesting trojan-based attack technique that injects highly convincing, interactive real-time messages into the web pages that users see when logging into a UK online banking session.
The Ramnit worm was discovered in 2010, but in 2011 researchers spotted a new strain that had incorporated source code from the notorious Zeus banking trojan.
Cyber criminals are stepping up their use of social engineering techniques to bypass increasingly security-aware users of online banking and e-commerce sites.
The malware reportedly avoids detection by going into an idle sleep mode until its intended victim logs into their online bank account, at which point it activates and presents them with a fraudulent phishing message.
Ramnit circumvented the OTP feature at the target bank using a ‘Man in the Browser’ attack to inject bogus HTML pages into a customer’s online banking session. Malware variants present the victim with new input fields, security warnings and customized text during login, account navigation and transactions. Some malware variants go as far as creating custom, localized pages that are generated based on the victim’s language preference.
This semi-automated approach, says Maor, allows the cybercriminals to inject highly specific ‘error messages’ that pop up on the screens of the online banking user in their local language. While the victim is reading the messages, Ramnit connects to its command and control server, obtains the details of a designated money laundering bank account, and sets up a wire transfer.
“The fact that they’ve changed the FAQ section to support this fake new process is astonishing to me in terms of details,” Maor said. “The attackers are exploiting the trust relationship the user has with the bank. They have no idea the malware is in the middle and injecting new screens. It’s amazing how much effort they put into making sure someone falls victim; it’s a new level of social engineering.”
Online scammers have become increasingly sophisticated in their attacks. So far, fewer than 10 banks have been targeted in the U.K.