Ramnit Banking Trojan Edits FAQ to Make Fraud Harder to Spot

Researchers have found a variant of the Ramnit Trojan that changes banks’ customer-support documents to camouflage fraudulent transactions.

Online thieves continue to refine their social-engineering techniques to increase the chances that potential victims will fall prey to their fraudulent schemes.

Now, attackers are using their access to the victim's browser to modify a bank's customer-support documents and add legitimacy to their attack techniques, according to researchers at security firm Trusteer.

Because online banks increasingly use a transaction code to verify a user's intent to transfer money, banking Trojans now regularly attempt to fool the user into believing that a code sent to their mobile phone is needed to continue their banking sessions. In reality, the code—a one-time password (OTP) —was sent to confirm a transaction that the attacker's malware is conducting behind the scenes.

Such activity can raise suspicions. So, in an effort to alleviate those suspicions, the latest version of the Ramnit Trojan actually tweaks customer-support documents displayed in the victim's browser to make the behavior seem legitimate, Etay Maor, fraud prevention solutions manager for Trusteer, a provider of anti-cyber-crime software, told eWEEK.

"In case the user is suspicious that he might have fallen victim to fraud and goes to the FAQ or a couple of other sections on the Website and tries to learn more about this, the attackers have modified those sections to support this type of operation," he said.

To allay suspicions that a transaction might have taken place, the Trojan removes the phrase "OTP transaction" and changes it to "OTP operation" on any displayed pages.

The technique is only one of the ways that Ramnit and other recent cyber-crime software have improved on social engineering, Maor said. Once Ramnit infects a victim's system, the program stays dormant to escape detection by anti-virus and other security software. Only when the victim goes to a targeted banking site does the banking Trojan begin operations, according to Maor.

Once users log into their banks' networks, the Trojan displays an alert that exactly matches the site's layout. The alert tells the user that the bank has changed its e-banking transaction process and the user needs to set up an OTP service phone number. While the victim reads the announcement, the software looks up an available money-mule account to send stolen funds to and then enters a transaction to transfer money. Money mules are low-level criminals or victims of fraud who receive illicit funds and transfer them to other accounts owned by online thieves to make the money trail harder to follow.

The bank sends the user a one-time password to confirm the transaction. If the user enters the number into the alert box, Ramnit uses the information to confirm the transaction.

"By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account," Maor wrote in the blog post. "This is yet another example of how well designed social engineering techniques help streamline the fraud process."