Ramnit Worm Threatens Online Accounts

Facebook Targeted by Fraudsters Seeking Log-in Credentials
Ramnit Worm Threatens Online Accounts
Researchers at Seculert say the Ramnit worm, which last year defeated two-factor authentication measures used to protect online banking accounts and corporate networks, is now targeting Facebook - a development that should especially concern financial service businesses.

See Also: How to Take the Complexity Out of Cybersecurity

Lab researchers working for the Israel-based provider of cyberthreat management services say Ramnit has been linked to the compromise of more than 45,000 Facebook log-in credentials, primarily hitting users in the United Kingdom and France.

"We suspect that the attackers behind Ramnit are using the stolen credentials to log in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further," says a blog posted on Seculert's website Jan. 5. "In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks."

Because users often use the same log-in and password credentials for multiple accounts, the threat of Ramnit attacks should be concerning to every industry, not just financial services, though financial institutions often have the most to lose when consumers online banking accounts are breached.

"As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands," Securlet says.

Ramnit: Evolving

Ramnit is a worm, which means, unlike malware, it can spread to other computers without being sent through e-mail or a malicious website. Ramnit, which surfaced in April 2010, continues to evolve.

In August 2011, security vendor Trusteer was the first to discover Ramnit's merger with the Zeus variant designed to target online banking accounts. The Ramnit-Zeus hybrid was superior because of its advanced man-in-the-browser capabilities, which enabled it to steal online banking and corporate log-in credentials. The Ramnit hybrid bypassed two-factor authentication, and between September 2011 and December 2011, Trusteer estimated that some 800,000 machines had been infected.

Amit Klein, chief technology officer of Trusteer, says Seculert's new findings show how quickly Ramnit is evolving to use multiple distribution vectors. "The combination of file infection, social network propagation and man-in-the-browser capabilities creates an aggressive threat," he says. "Ramnit can reach a corporate employee machine through propagation via stolen social network accounts."

Once launched on a corporate PC, Ramnit's browser penetration module steals internal and software-as-a-service credentials. Incoming web pages can then be modified using an HTML injection to request and steal more sensitive information.

Ramnit's man-in-the-middle looks like an actual social-media or bank-account sign-in page that captures a user's ID and password, and sometimes other personal information en route to the actual log-in page. The difference, however, is that the page in the middle captures authentication data and allows the attacker to gain access to the victim's accounts at will.

Dave Jevans of the Anti-Phishing Working Group says stealing credentials from social-networking sites is big business. "We have seen up to a million people per day being directed to malicious websites through FB worms," he says.

A Call for Multifactor Authentication

Bill Wansley an analyst at Booz Allen Hamilton, says every organization should take Ramnit's rapid evolution as a sign that outdated authentication measures are no longer effective.

"Passwords are not very useful for anything anymore," Wansley says. "They are just too easy to forget, copy or break. Everyone needs to go to multifactor authentication - like Google has recently - for social-media sign-in, and certainly for anything that is for financial or medical-related accounts."

Passphrases are better than passwords, but multifactor authentication is the new standard. "Nobody should be using their social-media passwords or phrases for their financial accounts," Wansley says.

In the financial space, cybercriminals increasingly use older malware to capture individual passwords and personal information that is later exploited to gain access to financial accounts. "The Ramnit example is typical of these type attacks," Wansley says. "Ramnit is actually an older malicious code that has been updated with new features to achieve other purposes."


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.