New Ramnit variant seeks to evade two-factor authentication

Share this article:

Once a persistent worm, Ramnit has evolved into a banking trojan capable of injecting victims' web browsers to conduct and conceal fraudulent wire transfers.

The variant uses HTML injection to display subtle changes in banking sites with the hopes of luring users into revealing their one-time passwords (OTP), an additional mode of authentication that is valid for only one login session, according to new findings from security firm Trusteer.

The Ramnit worm was discovered in 2010, but in 2011 researchers spotted a new strain that had incorporated source code from the notorious Zeus banking trojan. Trusteer researchers now classify Ramnit as financial malware.

The fresh variant, which has been targeting banks in the U.K. over the last couple of weeks, waits until users login to their bank accounts before launching the OTP scam, according to Etay Maor, fraud prevention solutions manager at Trusteer.

Victims see a message that they need to configure their OTP service with their bank, while Ramnit initiates a wire transfer to fraudsters without the victim noticing. The user receives the one-time password via SMS, and once they enter it into the web page, Ramnit uses the password to complete the wire transfer to a "money mule" account.

In a Tuesday interview, Maor told SCMagazine.com that Ramnit's browser injection feature is a significant development.

“It's changing the HTML that the user sees,” Maor said. “Why try to hack a bank website that's super secure, when you can attack the victim's computer, which is pretty easy?”

So far, fewer than 10 banks have been targeted in the U.K., Maor said. The malware is still being analyzed, but Maor added that attackers are likely delivering Ramnit to victims via drive-by download, in which they are unknowingly infected simply by visiting a website.

In one incident, Ramnit attackers went as far as to inject their own text into a banking site's "FAQ" section, in case users sought to learn more information about how OTP works.

“The malware uses the same idea of injection [for the] FAQ section," Maor said. "I've never seen so much attention to detail. Usually [fraudsters] are just worried about getting all the information from the user, not covering all the other things." 

Share this article:

Sign up to our newsletters

More in News

In Cisco probe, misuse or compromise spotted on all firms' networks

In Cisco probe, misuse or compromise spotted on ...

Cisco analyzed the business networks of 30 multinational companies last year, and revealed the findings in its 2014 Annual Security Report.

Fareit trojan observed spreading Necurs, Zbot and CryptoLocker

The Necurs and Zbot trojans, as well as CryptoLocker ransomware, has been observed by researchers as being spread through another trojan, known as Fareit.

Post Heartbleed, tech giants join initiative to bolster open source

Post Heartbleed, tech giants join initiative to bolster ...

The newly formed Core Infrastructure Initiative, created to boost under-funded open source projects, will tackle OpenSSL first.