Using HTML injection, new malware variants present the victim with additional input fields, security warnings and customised text during login, account navigation and transactions. Because the content is injected into the bank's genuine page inside the victim's browser, the address bar and the site's certificate are the real ones, which is what makes the additions convincing.
Some variants go further and generate localised content in the victim's preferred language, so that the injected pages read like a legitimate part of the bank's own site.
The malware stays idle until the user logs into their account, and then presents a message about configuring their one-time password (OTP) service or about a new security process.
While the victim is reading the message, Ramnit contacts its command and control server, obtains the details of a designated money-laundering (mule) account and sets up a wire transfer from the victim's account.
The transfer triggers the bank to send an OTP to the victim, and the injected page then asks the victim to enter the code they have just received.
The victim believes the OTP is needed to complete the fake security update; in fact they are handing the criminals the one element they still need to authorise the wire transfer.
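The attack above works because an injected form field looks no different from the bank's own. One signal a bank can collect is the set of input fields actually present on each page, compared with the fields that page is known to contain; an OTP field appearing on the login page, where the bank never asks for one, is exactly the kind of anomaly the injection described above produces. The following is an added illustration of that check, not code from the article, from Trusteer or from the Ramnit malware; the page manifest, the field names and the two sample HTML fragments (one clean, one with an injected OTP prompt) are all constructed for the example.

```javascript
// Added example: flag input fields that a bank page is not expected to carry.
// EXPECTED_FIELDS is a constructed manifest: page path -> set of legitimate
// input names. Anything else found in the rendered HTML is reported.
const EXPECTED_FIELDS = {
  '/login': new Set(['username', 'password']),
  '/transfer': new Set(['beneficiary', 'amount', 'otp']),
};

// Extract the name attribute of every <input> tag in an HTML string.
// Regex-based to keep the example self-contained; an in-page agent would
// walk the live DOM (document.querySelectorAll('input')) instead.
function inputNames(html) {
  const names = [];
  const tagRe = /<input\b[^>]*>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attr = /\bname\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag[0]);
    if (attr) names.push((attr[1] ?? attr[2] ?? attr[3]).toLowerCase());
  }
  return names;
}

// Return the input names present in `html` that the manifest does not list
// for `path`. An empty array means the page matches its manifest.
function unexpectedFields(path, html) {
  const expected = EXPECTED_FIELDS[path] || new Set();
  return inputNames(html).filter((name) => !expected.has(name));
}

// Constructed sample: the bank's real login form.
const CLEAN_LOGIN = `
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Log in">
</form>`;

// Constructed sample: the same form after an HTML injection of the kind the
// article describes, with a security notice and an OTP field added.
const INJECTED_LOGIN = `
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <div class="notice">For your security we are configuring your OTP service.
  Please enter the code we have just sent to your phone.</div>
  <input name="otp_code" type="text">
  <input type="submit" value="Log in">
</form>`;

console.log(unexpectedFields('/login', CLEAN_LOGIN));    // []
console.log(unexpectedFields('/login', INJECTED_LOGIN)); // [ 'otp_code' ]
```

The check is a detection signal rather than a guarantee: a man-in-the-browser that rewrites the page can, in principle, also tamper with a script running in that page, so the comparison is most useful when the collected field list is sent to the bank's back end and correlated with session behaviour such as a transfer being set up while the user is still on the login or account pages.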
“This is yet another example of how well-designed social engineering techniques help streamline the fraud process,” said Etay Maor, fraud prevention solutions manager at Trusteer.
Cyber criminals are even modifying frequently asked questions on bank sites to make their methods seem even more plausible, he said.
For example, Trusteer found at one bank that the word “transaction” had been replaced with “operation” in the OTP entry to make it more plausible that OTPs would be used in a variety of ways.