F5 security researchers recently analyzed the Ramnit banking Trojan campaign that was active over the holiday season and discovered it’s not much of a banking Trojan anymore. The research showed:

Ramnit’s authors likely had high hopes for this holiday shopping season when they added major online retailers to their targets, which makes sense if you are a threat actor trying to optimize your attack. Why not expand your fraud net to sites that have a high likelihood of activity over the holidays? Most financial organizations already recognize that the holiday season is also peak fraud season so they elevate their state of security. Additionally, financial institutions have been targeted by banking Trojans for so long that most use advance web defenses to detect if a user is infected with a known Trojan.

Non-financial industries, on the other hand, traditionally haven’t been targeted and are less likely to have the same defenses in place. So, instead of hunting bank account information, the Ramnit authors zeroed in on credit card theft, collecting social security numbers, mothers’ maiden names, secret question answers, and other critical personally identifiable information during the interaction they had with users and the targeted site.

Ramnit Targets: Where People Shop, Eat & Entertain
Retailers and their e-commerce sites were clearly the biggest focus for the Ramnit authors; they accounted for 64% of the targets. Although banks represented a smaller portion, some of the largest banks in the world were included in their effort. The Ramnit authors covered what people do over the holidays: shop, eat, check their bank account, and entertain.

Expansion Is an Easy Shift
The free web testing and monitoring tool Webinjects can perform the same way whether used during online banking interactions or retail purchases. When a user logs into a banking site, in some cases (for example, when the user is accessing from a new system), the bank will ask additional validation questions before granting account access. When browsing e-commerce sites, most sites ask for login details in order to get additional information about a user. Ramnit can inject an external script with an additional request and ask the user for whatever it wants. In this case, the script asked for credit card information in addition to other personal information, including a social security number.

Ramnit Infection Flow
For users to become victims, their device must first be infected with the Trojan. This typically happens through some sort of social engineering attack to trick a user into clicking malicious links or opening attachments that download the Trojan malware. When the infected user accesses a targeted URL, Ramnit triggers an external script to the requested page and sends back the stolen information to a C&C server named Tables.

Ramnit attack path (Image Source F5)

There are two major lessons to be learned from this scenario:

Lesson 1: Regardless of industry, advanced web fraud protections should be widely adopted across high traffic web properties that collect personally identifiable user data. What’s notable about fraud on an e-commerce site versus a financial institution is that the impact is typically felt by credit card providers and the users themselves via identity theft, not the e-commerce sites directly. The impact on a financial institution is in dollars drained out of bank accounts that banks must mitigate on behalf of the defrauded user. The process is time consuming and expensive, which gives financial institutions an incentive to purchase additional security controls. The typical e-commerce site not might feel the impacts of banking Trojan fraud in the same way.

Lesson 2: Even though a user has been infected by a malware, there are a lot of steps that must be completed before the fraud is successful. Security awareness is critical for combatting this type of attack. Many financial institutions create security pages where they provide tips for identifying fraud, for example, telling users that their customer service department would never ask for a user’s full social security number or credit card CVV over the phone or web, or to be suspicious of web pages with broken English, incorrect grammar, spelling errors, and strange or misplaced characters.

Get the latest application threat intelligence from F5 Labs.