Ramnit Banking Trojan Edits FAQ to Make Fraud Harder to Spot
Researchers have found a variant of the Ramnit Trojan that changes banks’ customer-support documents to camouflage fraudulent transactions.
Online thieves continue to refine their social-engineering techniques to increase the chances that potential victims will fall prey to their fraudulent schemes.
Now, attackers are using their access to the victim's browser to modify a bank's customer-support documents and add legitimacy to their attack techniques, according to researchers at security firm Trusteer.
Because online banks increasingly use a transaction code to verify a user's intent to transfer money, banking Trojans now regularly attempt to fool the user into believing that a code sent to their mobile phone is needed to continue their banking sessions. In reality, the code—a one-time password (OTP)—was sent to confirm a transaction that the attacker's malware is conducting behind the scenes. Such activity can raise suspicions. So, in an effort to alleviate those suspicions, the latest version of the Ramnit Trojan actually tweaks customer-support documents displayed in the victim's browser to make the behavior seem legitimate, Etay Maor, fraud prevention solutions manager for Trusteer, a provider of anti-cyber-crime software, told eWEEK.
"In case the user is suspicious that he might have fallen victim to fraud and goes to the FAQ or a couple of other sections on the Website and tries to learn more about this, the attackers have modified those sections to support this type of operation," he said.
To allay suspicions that a transaction might have taken place, the Trojan removes the phrase "OTP transaction" and changes it to "OTP operation" on any displayed pages.