Using HTML injection, these malware variants present the victim with new input fields, security warnings and customized text during login, account navigation and transactions. Some malware variants go as far as creating custom, localized pages that are generated based on the victim’s language preference. After all, you wouldn’t want a victim who accesses the Spanish version of an eCommerce site to see an English version, would you?
This type of attention to detail takes a lot of time and effort on the part of the malware authors, but it is a necessary evil if they want their fake pages to trick victims into believing they are legitimate. One malware variant took this approach a step further.
Trusteer’s security team recently analyzed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs into their account, at which time it presents them with one of the following messages:
While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account. It then initiates a wire transfer to the money mule. But there is still one more obstacle in the way of the malware: to complete the transaction, the user must enter a one-time password (OTP). To overcome this requirement Ramnit displays the following message:
The temporary receiver number in the message is in fact the mule’s account number. The user then receives the SMS and, thinking that they must complete the “OTP service generation”, enters their OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account. This is yet another example of how well-designed social engineering techniques help streamline the fraud process. Unfortunately, the story doesn’t end here.
The new process Ramnit created may raise the suspicion of users who are accustomed to a specific workflow on their bank’s website. Anticipating that some suspicious users may reference the bank’s FAQ page, Ramnit authors took the extra step of altering the FAQ section to fit the new process. One example is the following fake FAQ entry that is contained in a Ramnit web injection page:
When you perform a operation that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current operation so you don’t need to memorise it.
This is the original FAQ text that was altered by the fraudsters:
When you perform a transaction that requires OTP, when you reach the ‘Confirm details’ screen, you will immediately be sent an OTP which you should receive in seconds. In exceptional circumstances it could take a couple of minutes depending on network coverage. The OTP code is only valid for the current transaction so you don’t need to memorise it.
A simple switch of the word transaction to operation helps reflect the use of the OTP in the fake “OTP service registration” process. Note that the authors most likely used ‘find and replace’ to switch the two words, which resulted in the grammatical mistake “a operation.” Nevertheless, by changing multiple entries in the FAQ section Ramnit demonstrates that its authors did not leave anything to chance: even if the victim decides to go the extra step, Ramnit is already there. To mitigate social engineering attacks, MitB malware must be detected, stopped and removed from the user’s device. Trusteer Rapport can prevent attack scenarios such as the one described in this blog and protect the “weakest link”.
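As an added example (not code from this post or from Trusteer Rapport), here is a server-side page-integrity check a bank could run on content reported back by a browser beacon, which is assumed: it aligns the FAQ text the customer actually saw against the canonical copy quoted above, reports word-level substitutions such as transaction to operation, and lists input fields the real page never renders. The observed text and the field names are constructed to mirror the web inject described above.

```javascript
// Added example; not the post's or the product's code. The canonical text is the
// bank's FAQ quoted in the post; the "observed" text and fields are constructed.
const CANONICAL_FAQ =
  "When you perform a transaction that requires OTP, when you reach the " +
  "'Confirm details' screen, you will immediately be sent an OTP which you " +
  "should receive in seconds. The OTP code is only valid for the current " +
  "transaction so you don't need to memorise it.";
const OBSERVED_FAQ = CANONICAL_FAQ.replace(/transaction/g, "operation"); // constructed
const KNOWN_FIELDS = ["username", "password", "otp"];                       // constructed
const OBSERVED_FIELDS = ["username", "password", "otp", "temporary_receiver"]; // constructed

const tokenize = (text) => text.toLowerCase().match(/[a-z0-9']+/g) || [];

// Align two word lists with a longest-common-subsequence table and emit the
// words that differ; a null side means a pure removal or a pure insertion.
function wordDiff(a, b) {
  const n = a.length, m = b.length;
  const L = Array.from({ length: n + 1 }, () => new Array(m + 1).fill(0));
  for (let i = n - 1; i >= 0; i--)
    for (let j = m - 1; j >= 0; j--)
      L[i][j] = a[i] === b[j] ? L[i + 1][j + 1] + 1 : Math.max(L[i + 1][j], L[i][j + 1]);
  const edits = []; let i = 0, j = 0;
  while (i < n && j < m) {
    if (a[i] === b[j]) { i++; j++; }
    else if (L[i + 1][j] >= L[i][j + 1]) edits.push({ expected: a[i++], observed: null });
    else edits.push({ expected: null, observed: b[j++] });
  }
  while (i < n) edits.push({ expected: a[i++], observed: null });
  while (j < m) edits.push({ expected: null, observed: b[j++] });
  return edits;
}

// Fold an adjacent removal + insertion into one substitution record, the
// signature of a find-and-replace edit such as transaction -> operation.
function substitutions(edits) {
  const out = [];
  for (let k = 0; k < edits.length; k++) {
    const cur = edits[k], next = edits[k + 1];
    if (cur.expected && !cur.observed && next && !next.expected && next.observed) {
      out.push({ expected: cur.expected, observed: next.observed });
      k++;
    } else out.push(cur);
  }
  return out;
}

// Verdict: altered wording plus any input fields the genuine page does not render.
function checkPage(canonicalText, observedText, knownFields, observedFields) {
  const textChanges = substitutions(wordDiff(tokenize(canonicalText), tokenize(observedText)));
  const injectedFields = observedFields.filter((f) => !knownFields.includes(f));
  return { tampered: textChanges.length > 0 || injectedFields.length > 0, textChanges, injectedFields };
}
```

Any non-empty `textChanges` or `injectedFields` on a session is worth alerting on, since legitimate page content changes only when the bank deploys them.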