Trusteer experts have analyzed this new version of the malware

May 1, 2013 12:51 GMT

Cybercriminals are constantly improving the methods they use to hijack the online banking accounts of Internet users. Security firm Trusteer has identified a new variant of the Ramnit worm that uses a clever one-time password (OTP) scam to trick the customers of a UK bank.

According to experts, the malware stays idle until the victim logs in to his/her banking account. Once the login is successful, users are presented with a message which informs them that they must configure their OTP service (see first screenshot).

Then, an account security setting page is displayed (see second screenshot).

In the meantime, Ramnit connects to its command and control server and obtains the details of a money mule account. Then, a certain amount of money is transferred from the victim’s account into the mule account.

However, most European banks require the user to provide an OTP sent to him/her via SMS to complete money transfers.

To obtain the OTP, victims are presented with a third page which informs them that they must enter the passwords from the SMS in order to complete the so-called “OTP service configuration.”

By entering the OTP on the page generated by Ramnit, users are actually handing it over to the fraudsters, allowing them to transfer money to the mule account.

But that’s not all. In order to avoid raising any suspicion, the worm also modifies the bank’s FAQ page.

If users want to check out the FAQ to see if the OTP is required when performing such operations, they will be presented with an altered page in which the word “transaction” has been replaced with “operation.”

The altered FAQ section thus leads users to believe that they are required to enter the OTP for any operation, not just for transactions.
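As an added illustration, not taken from the article or from Trusteer's report, the following Python check compares a page as the bank serves it with the text the browser actually rendered, reporting substituted phrases (such as "transaction" becoming "operation") and injected form fields; the FAQ snippets are constructed samples and the reference copy is assumed to come from a trusted channel.

```python
import difflib
import re

# Constructed sample: the FAQ answer as the bank serves it (the trusted reference copy).
REFERENCE_FAQ = (
    "Q: When do I need to enter a one-time password?\n"
    "A: You must enter the one-time password sent by SMS to confirm a transaction.\n"
    "A one-time password is not required to view your balance or statements.\n"
)

# Constructed sample: the same answer after an in-browser modification of the kind the
# article describes: "transaction" becomes "operation" and an OTP entry form is injected.
TAMPERED_FAQ = (
    "Q: When do I need to enter a one-time password?\n"
    "A: You must enter the one-time password sent by SMS to confirm an operation.\n"
    "A one-time password is not required to view your balance or statements.\n"
    '<form id="otp-setup"><input name="otp"></form>\n'
)


def tokenize(text):
    """Split into HTML tags, words and punctuation so the diff works at word level."""
    return re.findall(r"<[^>]+>|\w+|[^\w\s]", text)


def find_modifications(reference, observed):
    """Compare the reference copy with what the browser rendered.

    Returns (substitutions, insertions): substitutions are (original, replacement)
    phrase pairs; insertions are runs of tokens present only in the observed copy.
    """
    ref_tokens, obs_tokens = tokenize(reference), tokenize(observed)
    matcher = difflib.SequenceMatcher(a=ref_tokens, b=obs_tokens, autojunk=False)
    substitutions, insertions = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "replace":
            substitutions.append((" ".join(ref_tokens[i1:i2]), " ".join(obs_tokens[j1:j2])))
        elif tag == "insert":
            insertions.append(" ".join(obs_tokens[j1:j2]))
    return substitutions, insertions


def is_tampered(reference, observed):
    """Flag any wording change, or any injected form/input element that asks for data."""
    substitutions, insertions = find_modifications(reference, observed)
    injected_fields = any(re.search(r"<(form|input)\b", run) for run in insertions)
    return bool(substitutions) or injected_fields


if __name__ == "__main__":
    print(find_modifications(REFERENCE_FAQ, TAMPERED_FAQ))
    print(is_tampered(REFERENCE_FAQ, TAMPERED_FAQ))
```

Deleted text is not flagged by `is_tampered`; extend the opcode handling with the `delete` tag if removed warnings also matter in your deployment.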

“By changing multiple entries in the FAQ section Ramnit demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there,” Trusteer’s Etay Maor said.

Photo gallery (3 images): pages injected by the Ramnit worm