Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
2/1/2018
09:00 AM
Doron Voolf
Doron Voolf
Partner Perspectives
Connect Directly
LinkedIn
RSS
50%
50%

Ramnit's Holiday Shopping Spree: Retailers & E-commerce

This past season, the authors of a traditional banking Trojan focused on what people do between Thanksgiving and New Year's Day: shop, eat, check their bank account, and entertain.

F5 security researchers recently analyzed the Ramnit banking Trojan campaign that was active over the holiday season and discovered it’s not much of a banking Trojan anymore. The research showed:

  • 64% of Ramnit's targets were retail e-commerce sites, including Amazon.com, BestBuy, Forever21, Gap, Zara, Carter’s, Oshkosh B’gosh, Macy’s, Victoria’s Secret, H&M, Overstock.com, Toys"R"Us, Zappos, and many others.
  • Although banks were a smaller portion of targets, the target list included some of the largest banks in the world, including Bank of America, CitiBank, PNC, Chase, TD Bank, and US Bank.
  • The C&C framework collecting the stolen user data is shared by several banking Trojans, including Ramnit, Gozi, GootKit, and Tinba.
  • The Ramnit command and control server is registered to a network in Russia, JSC MediaSoft Ekspert, that shows up often in F5 Labs threat research.
  • For the fraud to be accomplished, users must be tricked in several phases, pointing to the need for continued security awareness training.

Ramnit’s authors likely had high hopes for this holiday shopping season when they added major online retailers to their targets, which makes sense if you are a threat actor trying to optimize your attack. Why not expand your fraud net to sites that have a high likelihood of activity over the holidays? Most financial organizations already recognize that the holiday season is also peak fraud season so they elevate their state of security. Additionally, financial institutions have been targeted by banking Trojans for so long that most use advance web defenses to detect if a user is infected with a known Trojan.

Non-financial industries, on the other hand, traditionally haven’t been targeted and are less likely to have the same defenses in place. So, instead of hunting bank account information, the Ramnit authors zeroed in on credit card theft, collecting social security numbers, mothers’ maiden names, secret question answers, and other critical personally identifiable information during the interaction they had with users and the targeted site.

Ramnit Targets: Where People Shop, Eat & Entertain
Retailers and their e-commerce sites were clearly the biggest focus for the Ramnit authors; they accounted for 64% of the targets. Although banks represented a smaller portion, some of the largest banks in the world were included in their effort. The Ramnit authors covered what people do over the holidays: shop, eat, check their bank account, and entertain.

Ramnit 2017 Holiday Targets by Industry (Image Source: F5)
Ramnit 2017 Holiday Targets by Industry (Image Source: F5)

Expansion Is an Easy Shift
The free web testing and monitoring tool Webinjects can perform the same way whether used during online banking interactions or retail purchases. When a user logs into a banking site, in some cases (for example, when the user is accessing from a new system), the bank will ask additional validation questions before granting account access. When browsing e-commerce sites, most sites ask for login details in order to get additional information about a user. Ramnit can inject an external script with an additional request and ask the user for whatever it wants. In this case, the script asked for credit card information in addition to other personal information, including a social security number.

Ramnit Infection Flow
For users to become victims, their device must first be infected with the Trojan. This typically happens through some sort of social engineering attack to trick a user into clicking malicious links or opening attachments that download the Trojan malware. When the infected user accesses a targeted URL, Ramnit triggers an external script to the requested page and sends back the stolen information to a C&C server named Tables.

Ramnit attack path (Image Source F5)
Ramnit attack path (Image Source F5)

There are two major lessons to be learned from this scenario:

Lesson 1: Regardless of industry, advanced web fraud protections should be widely adopted across high traffic web properties that collect personally identifiable user data. What’s notable about fraud on an e-commerce site versus a financial institution is that the impact is typically felt by credit card providers and the users themselves via identity theft, not the e-commerce sites directly. The impact on a financial institution is in dollars drained out of bank accounts that banks must mitigate on behalf of the defrauded user. The process is time consuming and expensive, which gives financial institutions an incentive to purchase additional security controls. The typical e-commerce site not might feel the impacts of banking Trojan fraud in the same way.

Lesson 2: Even though a user has been infected by a malware, there are a lot of steps that must be completed before the fraud is successful. Security awareness is critical for combatting this type of attack. Many financial institutions create security pages where they provide tips for identifying fraud, for example, telling users that their customer service department would never ask for a user’s full social security number or credit card CVV over the phone or web, or to be suspicious of web pages with broken English, incorrect grammar, spelling errors, and strange or misplaced characters.

Get the latest application threat intelligence from F5 Labs.

 

Working at F5 for almost 5 years, Doron handles and analyzes cyber threat investigations for most of the major malware families in recent years. Doron holds a Bachelor of Science focused in Computer Science. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32606
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
CVE-2021-3504
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
CVE-2021-20309
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
CVE-2021-20310
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...
CVE-2021-20311
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from t...