Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
2/1/2018
09:00 AM
Doron Voolf
Doron Voolf
Partner Perspectives
Connect Directly
LinkedIn
RSS
50%
50%

Ramnit's Holiday Shopping Spree: Retailers & E-commerce

This past season, the authors of a traditional banking Trojan focused on what people do between Thanksgiving and New Year's Day: shop, eat, check their bank account, and entertain.

F5 security researchers recently analyzed the Ramnit banking Trojan campaign that was active over the holiday season and discovered it’s not much of a banking Trojan anymore. The research showed:

  • 64% of Ramnit's targets were retail e-commerce sites, including Amazon.com, BestBuy, Forever21, Gap, Zara, Carter’s, Oshkosh B’gosh, Macy’s, Victoria’s Secret, H&M, Overstock.com, Toys"R"Us, Zappos, and many others.
  • Although banks were a smaller portion of targets, the target list included some of the largest banks in the world, including Bank of America, CitiBank, PNC, Chase, TD Bank, and US Bank.
  • The C&C framework collecting the stolen user data is shared by several banking Trojans, including Ramnit, Gozi, GootKit, and Tinba.
  • The Ramnit command and control server is registered to a network in Russia, JSC MediaSoft Ekspert, that shows up often in F5 Labs threat research.
  • For the fraud to be accomplished, users must be tricked in several phases, pointing to the need for continued security awareness training.

Ramnit’s authors likely had high hopes for this holiday shopping season when they added major online retailers to their targets, which makes sense if you are a threat actor trying to optimize your attack. Why not expand your fraud net to sites that have a high likelihood of activity over the holidays? Most financial organizations already recognize that the holiday season is also peak fraud season so they elevate their state of security. Additionally, financial institutions have been targeted by banking Trojans for so long that most use advance web defenses to detect if a user is infected with a known Trojan.

Non-financial industries, on the other hand, traditionally haven’t been targeted and are less likely to have the same defenses in place. So, instead of hunting bank account information, the Ramnit authors zeroed in on credit card theft, collecting social security numbers, mothers’ maiden names, secret question answers, and other critical personally identifiable information during the interaction they had with users and the targeted site.

Ramnit Targets: Where People Shop, Eat & Entertain
Retailers and their e-commerce sites were clearly the biggest focus for the Ramnit authors; they accounted for 64% of the targets. Although banks represented a smaller portion, some of the largest banks in the world were included in their effort. The Ramnit authors covered what people do over the holidays: shop, eat, check their bank account, and entertain.

Ramnit 2017 Holiday Targets by Industry (Image Source: F5)
Ramnit 2017 Holiday Targets by Industry (Image Source: F5)

Expansion Is an Easy Shift
The free web testing and monitoring tool Webinjects can perform the same way whether used during online banking interactions or retail purchases. When a user logs into a banking site, in some cases (for example, when the user is accessing from a new system), the bank will ask additional validation questions before granting account access. When browsing e-commerce sites, most sites ask for login details in order to get additional information about a user. Ramnit can inject an external script with an additional request and ask the user for whatever it wants. In this case, the script asked for credit card information in addition to other personal information, including a social security number.

Ramnit Infection Flow
For users to become victims, their device must first be infected with the Trojan. This typically happens through some sort of social engineering attack to trick a user into clicking malicious links or opening attachments that download the Trojan malware. When the infected user accesses a targeted URL, Ramnit triggers an external script to the requested page and sends back the stolen information to a C&C server named Tables.

Ramnit attack path (Image Source F5)
Ramnit attack path (Image Source F5)

There are two major lessons to be learned from this scenario:

Lesson 1: Regardless of industry, advanced web fraud protections should be widely adopted across high traffic web properties that collect personally identifiable user data. What’s notable about fraud on an e-commerce site versus a financial institution is that the impact is typically felt by credit card providers and the users themselves via identity theft, not the e-commerce sites directly. The impact on a financial institution is in dollars drained out of bank accounts that banks must mitigate on behalf of the defrauded user. The process is time consuming and expensive, which gives financial institutions an incentive to purchase additional security controls. The typical e-commerce site not might feel the impacts of banking Trojan fraud in the same way.

Lesson 2: Even though a user has been infected by a malware, there are a lot of steps that must be completed before the fraud is successful. Security awareness is critical for combatting this type of attack. Many financial institutions create security pages where they provide tips for identifying fraud, for example, telling users that their customer service department would never ask for a user’s full social security number or credit card CVV over the phone or web, or to be suspicious of web pages with broken English, incorrect grammar, spelling errors, and strange or misplaced characters.

Get the latest application threat intelligence from F5 Labs.

 

Working at F5 for almost 5 years, Doron handles and analyzes cyber threat investigations for most of the major malware families in recent years. Doron holds a Bachelor of Science focused in Computer Science. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.