Nowhere is the cat-and-mouse game between attackers and the security of users more evident than with social engineering schemes. Users’ awareness of phishing campaigns, for example, may be improving, but that’s just forcing attackers bent on identity theft and stealing payment card information to up their games.

Researchers at security company Trusteer today reported the latest salvo in this back-and-forth, this time a variant of the Ramnit malware family. Ramnit’s authors have been prolific in moving the malware in new directions: variants have been tuned to steal social media credentials and banking credentials, and to evade detection by security companies through rootkit functionality.

The latest variant to be discovered is targeting a number of UK banks with a one-time password SMS attack, Trusteer fraud prevention solutions manager Etay Maor said. Once the malware infects a victim’s computer, it waits for the user to log in to their online bank account to conduct a man-in-the-browser attack, injecting convincing screens into the victim’s browser asking them to configure a new one-time password service.

The service is a legitimate one already in place at the banks in question to initiate transactions. The injected version differs, however, in telling the user that the bank now requires a one-time password for all operations related to their online accounts. The attackers even went so far as to soothe the concerns of security-conscious users by altering the banking site’s FAQ page to reflect the changes introduced by the malware.

“The fact that they’ve changed the FAQ section to support this fake new process is astonishing to me in terms of details,” Maor said. “The attackers are exploiting the trust relationship the user has with the bank. They have no idea the malware is in the middle and injecting new screens. It’s amazing how much effort they put into making sure someone falls victim; it’s a new level of social engineering.”

Once the user logs into their bank account, the malware kicks in and injects a screen with instructions on how to configure a new one-time password service. The user is told that a new single-use destination number will be generated and that they are to enter their one-time password into the input field.

In the background, the Ramnit variant connects to the attacker’s server, which sends back the details of a money mule account, Maor said. Once that’s complete, a wire transfer to the mule is initiated, but to complete the robbery the user must be tricked into entering the one-time password and sending it to the temporary receiver number, which is in fact the mule’s account number.

“By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account,” Maor wrote in a blog post. “This is yet another example of how well designed social engineering techniques help streamline the fraud process.”
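The scheme works because the OTP the user types is not tied to anything the user can see about the transfer. As an added illustration of the defence this depends on being absent (example code, not Trusteer’s or any bank’s), the following derives the one-time password from the payee and amount that the SMS shows the user, so a code issued for the transaction the user saw cannot authorise the transfer the malware substituted. The secret, user id and account numbers are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the bank's OTP service and its verifier (not a real key)
SERVER_SECRET = b"constructed-demo-secret"


def transaction_otp(secret: bytes, user_id: str, payee_account: str,
                    amount_pence: int, counter: int, digits: int = 6) -> str:
    """Derive an OTP bound to the transaction the user approves.

    The HMAC covers the payee and the amount, so an OTP issued for the transfer
    the user read in the SMS is invalid for any other payee or amount.
    """
    msg = f"{user_id}|{payee_account}|{amount_pence}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226 (HOTP), applied to the SHA-256 digest
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sms_text(payee_account: str, amount_pence: int, otp: str) -> str:
    """The SMS states exactly what the code authorises, so what the user reads is what the bank verifies."""
    pounds, pence = divmod(amount_pence, 100)
    return (f"Code {otp} authorises a payment of GBP {pounds}.{pence:02d} "
            f"to account {payee_account}. The bank will never ask you to enter this code to change settings.")


def verify(secret: bytes, user_id: str, payee_account: str,
           amount_pence: int, counter: int, submitted: str) -> bool:
    """Verify the submitted code against the transaction the server is about to execute."""
    expected = transaction_otp(secret, user_id, payee_account, amount_pence, counter)
    return hmac.compare_digest(expected, submitted)


def demo() -> tuple:
    user, counter = "customer-42", 7
    # Transfer the user intended and saw in the SMS: GBP 25.00 to a constructed payee
    otp = transaction_otp(SERVER_SECRET, user, "12345678", 2500, counter)
    legit = verify(SERVER_SECRET, user, "12345678", 2500, counter, otp)
    # The malware swaps in a mule account (constructed) and a larger amount behind the user's back;
    # the same code no longer verifies because the payee and amount are part of the derivation
    hijacked = verify(SERVER_SECRET, user, "87654321", 250000, counter, otp)
    return legit, hijacked
```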

Maor said that in past attacks he’s studied, attackers built in pre-defined mule accounts, but that tactic isn’t feasible here because static accounts are easier to block and trace than the dynamic list that appears to be integrated into this particular attack.

“Mules are an important part of the process; you cannot cash out without one,” Maor said. “Usually criminals won’t re-use the mule in other attacks; they won’t last too often. Now it’s more dynamic.”
