Partner Perspectives
2/1/2018 09:00 AM
Doron Voolf

Ramnit's Holiday Shopping Spree: Retailers & E-commerce

This past season, the authors of a traditional banking Trojan focused on what people do between Thanksgiving and New Year's Day: shop, eat, check their bank account, and entertain.

F5 security researchers recently analyzed the Ramnit banking Trojan campaign that was active over the holiday season and discovered it’s not much of a banking Trojan anymore. The research showed:

  • 64% of Ramnit's targets were retail e-commerce sites, including Amazon.com, BestBuy, Forever21, Gap, Zara, Carter’s, Oshkosh B’gosh, Macy’s, Victoria’s Secret, H&M, Overstock.com, Toys"R"Us, Zappos, and many others.
  • Although banks were a smaller portion of targets, the target list included some of the largest banks in the world, including Bank of America, CitiBank, PNC, Chase, TD Bank, and US Bank.
  • The C&C framework collecting the stolen user data is shared by several banking Trojans, including Ramnit, Gozi, GootKit, and Tinba.
  • The Ramnit command and control server is registered to a network in Russia, JSC MediaSoft Ekspert, that shows up often in F5 Labs threat research.
  • For the fraud to be accomplished, users must be tricked in several phases, pointing to the need for continued security awareness training.

Ramnit’s authors likely had high hopes for this holiday shopping season when they added major online retailers to their targets, which makes sense if you are a threat actor trying to optimize your attack. Why not expand your fraud net to sites that have a high likelihood of activity over the holidays? Most financial organizations already recognize that the holiday season is also peak fraud season, so they elevate their state of security. Additionally, financial institutions have been targeted by banking Trojans for so long that most use advanced web defenses to detect whether a user is infected with a known Trojan.

Non-financial industries, on the other hand, traditionally haven’t been targeted and are less likely to have the same defenses in place. So, instead of hunting bank account information, the Ramnit authors zeroed in on credit card theft, collecting social security numbers, mothers’ maiden names, secret question answers, and other critical personally identifiable information by inserting themselves into the interaction between users and the targeted site.

Ramnit Targets: Where People Shop, Eat & Entertain
Retailers and their e-commerce sites were clearly the biggest focus for the Ramnit authors; they accounted for 64% of the targets. Although banks represented a smaller portion, some of the largest banks in the world were included in their effort. The Ramnit authors covered what people do over the holidays: shop, eat, check their bank account, and entertain.

Ramnit 2017 Holiday Targets by Industry (Image Source: F5)

Expansion Is an Easy Shift
The free web testing and monitoring tool Webinjects can perform the same way whether used during online banking interactions or retail purchases. When a user logs into a banking site, in some cases (for example, when the user is accessing from a new system) the bank will ask additional validation questions before granting account access. Most e-commerce sites likewise ask for login details, and use that step to collect additional information about a user. Ramnit can inject an external script into that exchange, adding its own request and asking the user for whatever it wants. In this case, the script asked for credit card information in addition to other personal information, including a social security number.

Ramnit Infection Flow
For users to become victims, their device must first be infected with the Trojan. This typically happens through some form of social engineering that tricks a user into clicking a malicious link or opening an attachment that downloads the Trojan malware. When the infected user accesses a targeted URL, Ramnit injects an external script into the requested page and sends the stolen information back to a C&C server named Tables.

Ramnit attack path (Image Source: F5)
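As an added defensive example (not F5's or the article's code), the check below flags the two webinject symptoms described above: login-form fields a retail site would never ask for (card number, SSN, secret answers) and a script loaded from an origin outside the site's allowlist. The allowlists, field pattern and page snapshots are constructed assumptions, not values from the campaign.

```javascript
// Allowlists a site owner would maintain for its own login page (assumed values).
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "remember_me"]);
const EXPECTED_SCRIPT_ORIGINS = new Set(["https://shop.example", "https://static.shop.example"]);

// Field names/labels a login page has no business collecting; a webinject that
// adds them mid-session is exactly the behaviour the article describes.
const SENSITIVE_FIELD_PATTERN = /ssn|social|card|cvv|cvc|maiden|secret/i;

// snapshot = { fields: [{name, label}], scripts: [src] }, as a page-integrity
// monitor might serialize the rendered form just before submit.
function auditLoginPage(snapshot) {
  const findings = [];
  for (const field of snapshot.fields) {
    if (EXPECTED_LOGIN_FIELDS.has(field.name)) continue;
    const sensitive = SENSITIVE_FIELD_PATTERN.test(`${field.name} ${field.label}`);
    findings.push({ kind: "unexpected_field", name: field.name, severity: sensitive ? "high" : "medium" });
  }
  for (const src of snapshot.scripts) {
    let origin;
    try { origin = new URL(src).origin; } catch (e) { origin = "(inline or relative)"; }
    if (!EXPECTED_SCRIPT_ORIGINS.has(origin)) {
      findings.push({ kind: "unexpected_script", src, severity: "high" });
    }
  }
  return findings;
}

// Constructed sample: the page as served, and the same page after a webinject
// appended card/SSN fields and pulled in a third-party script.
const CLEAN_PAGE = {
  fields: [{ name: "username", label: "Email" }, { name: "password", label: "Password" }],
  scripts: ["https://static.shop.example/login.js"],
};
const INJECTED_PAGE = {
  fields: [
    ...CLEAN_PAGE.fields,
    { name: "cc_number", label: "Card number" },
    { name: "ssn", label: "Social security number" },
    { name: "promo", label: "Promo code" },
  ],
  scripts: [...CLEAN_PAGE.scripts, "https://cdn.example.invalid/fields.js"],
};

for (const f of auditLoginPage(INJECTED_PAGE)) console.log(f.severity, f.kind, f.name || f.src);
```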

There are two major lessons to be learned from this scenario:

Lesson 1: Regardless of industry, advanced web fraud protections should be widely adopted across high-traffic web properties that collect personally identifiable user data. What’s notable about fraud on an e-commerce site versus a financial institution is that the impact is typically felt by credit card providers and the users themselves via identity theft, not by the e-commerce sites directly. The impact on a financial institution is in dollars drained out of bank accounts that banks must mitigate on behalf of the defrauded user. That process is time consuming and expensive, which gives financial institutions an incentive to purchase additional security controls. The typical e-commerce site might not feel the impact of banking Trojan fraud in the same way.

Lesson 2: Even after a user has been infected by malware, many steps must be completed before the fraud succeeds. Security awareness is critical for combating this type of attack. Many financial institutions create security pages where they provide tips for identifying fraud, for example, telling users that their customer service department would never ask for a user’s full social security number or credit card CVV over the phone or web, or to be suspicious of web pages with broken English, incorrect grammar, spelling errors, and strange or misplaced characters.


Working at F5 for almost 5 years, Doron handles and analyzes cyber threat investigations for most of the major malware families in recent years. Doron holds a Bachelor of Science focused in Computer Science.