Ramnit Worm Threatens Online Accounts
Facebook Targeted by Fraudsters Seeking Log-in Credentials
Researchers in the lab of Seculert, the Israel-based provider of cyberthreat management services, say Ramnit has been linked to the compromise of more than 45,000 Facebook log-in credentials, most of them belonging to users in the United Kingdom and France.
"We suspect that the attackers behind Ramnit are using the stolen credentials to log in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further," says a blog posted on Seculert's website Jan. 5. "In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks."
Because users often reuse the same log-in name and password across multiple accounts, Ramnit should concern every industry, not just financial services, though financial institutions often have the most to lose when consumers' online banking accounts are breached.
"As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands," Seculert says.
Ramnit is a worm, meaning that, unlike malware that must be delivered by e-mail or a malicious website, it spreads to other computers on its own by infecting files. Ramnit, which surfaced in April 2010, continues to evolve.
In August 2011, security vendor Trusteer was the first to report that Ramnit had merged with Zeus, the Trojan designed to target online banking accounts. The Ramnit-Zeus hybrid was more dangerous than the original worm because of Zeus's man-in-the-browser capabilities, which let it steal online banking and corporate log-in credentials from inside the victim's browser. The hybrid also bypassed two-factor authentication: a man-in-the-browser Trojan runs inside a session the user has already authenticated, so it can act after the one-time code has been entered. Between September and December 2011, Trusteer estimated that some 800,000 machines had been infected.
Amit Klein, chief technology officer of Trusteer, says Seculert's new findings show how quickly Ramnit is evolving to use multiple distribution vectors. "The combination of file infection, social network propagation and man-in-the-browser capabilities creates an aggressive threat," he says. "Ramnit can reach a corporate employee machine through propagation via stolen social network accounts."
Once running on a corporate PC, Ramnit's browser-injection module steals credentials for internal and software-as-a-service applications. It can also rewrite incoming web pages through HTML injection, adding fields that ask the user for additional sensitive information, which the malware then captures.
The result still looks like the genuine social-media or bank-account sign-in page, and it captures the user's ID, password and sometimes other personal information on the way to the real log-in page. The difference is that the man-in-the-browser component sitting in the middle keeps a copy of the authentication data, allowing the attacker to access the victim's accounts at will.
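To make the HTML-injection step concrete, here is an added example (it is not Ramnit's code, nor Trusteer's or Seculert's) of a Zeus-style web inject applied to a login page, followed by the check a site or endpoint agent can run to expose it. The rule syntax follows the set_url / data_before / data_inject / data_after / data_end blocks of Zeus webinject configurations; the bank hostname, the page markup and the inject rule are constructed for the example.

```python
"""Zeus-style HTML inject and the check that exposes it.

Added illustration, not Ramnit's or any vendor's code.  The rule syntax
(set_url / data_before / data_inject / data_after, each ended by data_end)
is the webinjects.txt format used by Zeus configurations; the hostname,
page markup and rule below are constructed for the example.
"""
import fnmatch
import re

# Constructed Zeus-style rule: ask for a field the bank never requests,
# directly under the real password box.  "*" is a wildcard in markers.
SAMPLE_INJECTS = """\
set_url https://bank.example/login* GP
data_before
name="password"*>
data_end
data_inject
<label>ATM PIN</label><input type="password" name="atm_pin">
data_end
data_after

data_end
"""

# Constructed login page as the (hypothetical) bank actually serves it.
ORIGINAL_PAGE = """\
<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Sign in">
</form>
"""


def parse_injects(text):
    """Parse rules into (url_glob, before, inject, after) tuples."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            current = {"url": line.split()[1], "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            current[section] = "\n".join(buf).strip()
            section = None
        elif section is not None:
            buf.append(line)
    return [(r["url"], r["before"], r["inject"], r["after"]) for r in rules]


def _pattern(marker):
    """Turn a marker with "*" wildcards into a non-greedy regex."""
    return ".*?".join(re.escape(part) for part in marker.split("*"))


def apply_injects(url, html, rules):
    """Rewrite the page the way a man-in-the-browser does before rendering:
    the text between the first `before` match and the following `after`
    match is replaced by `inject` (inserted right after `before` when
    `after` is empty).  Rules whose URL glob or markers do not match are
    skipped, so pages of other sites come back untouched."""
    for url_glob, before, inject, after in rules:
        if not fnmatch.fnmatchcase(url, url_glob):
            continue
        start = 0
        if before:
            m = re.search(_pattern(before), html, re.DOTALL)
            if not m:
                continue
            start = m.end()
        end = start
        if after:
            a = re.search(_pattern(after), html[start:], re.DOTALL)
            if not a:
                continue
            end = start + a.start()
        html = html[:start] + inject + html[end:]
    return html


def form_fields(html):
    """Names of the input elements in document order."""
    return re.findall(r'<input[^>]*\bname="([^"]+)"', html)


def unexpected_fields(served_html, rendered_html):
    """Inputs the browser shows that the server never sent.  A non-empty
    list is the signature of an inject; a site can run the same comparison
    server-side by having the page post back the field names it sees."""
    known = set(form_fields(served_html))
    return [f for f in form_fields(rendered_html) if f not in known]


def demo():
    rules = parse_injects(SAMPLE_INJECTS)
    tampered = apply_injects("https://bank.example/login?lang=en", ORIGINAL_PAGE, rules)
    return tampered, unexpected_fields(ORIGINAL_PAGE, tampered)


if __name__ == "__main__":
    page, extra = demo()
    print(page)
    print("fields not sent by the server:", extra)
```

The injected field is indistinguishable from the bank's own markup once rendered, which is why a user cannot spot it; only a comparison against what the server actually sent (or a browser-side integrity hook that performs the same comparison) reveals the extra input.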
Dave Jevans of the Anti-Phishing Working Group says stealing credentials from social-networking sites is big business. "We have seen up to a million people per day being directed to malicious websites through FB worms," he says.
A Call for Multifactor Authentication
Bill Wansley, an analyst at Booz Allen Hamilton, says every organization should take Ramnit's rapid evolution as a sign that outdated authentication measures are no longer effective.
"Passwords are not very useful for anything anymore," Wansley says. "They are just too easy to forget, copy or break. Everyone needs to go to multifactor authentication - like Google has recently - for social-media sign-in, and certainly for anything that is for financial or medical-related accounts."
Passphrases are better than passwords, but multifactor authentication is the new standard. "Nobody should be using their social-media passwords or phrases for their financial accounts," Wansley says.
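The second factor Wansley points to (Google's, at the time, was a time-based one-time code) is RFC 6238 TOTP. As an added example, not code from Google, Trusteer, Seculert or any other party named on this page, the following standard-library implementation shows the verification a login service has to perform, including the drift window and the replay check that a bare HMAC comparison omits. The base32 secret is the RFC 6238 test secret "12345678901234567890" as it would appear in an authenticator enrolment.

```python
"""RFC 6238 TOTP verification with the checks a login service needs.

Added example, not code from Google, Trusteer, Seculert or any vendor
named above; standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    dynamic truncation that picks 4 bytes at the offset in the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def secret_from_base32(text):
    """Decode the base32 shared secret from a provisioning QR code / URI."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify_totp(secret, candidate, at=None, step=30, digits=6, window=1,
                last_counter=None):
    """Server-side check.  Accepts `candidate` for the current 30-second
    step or up to `window` neighbouring steps (clock drift), compares in
    constant time, and refuses any step at or before `last_counter`, the
    step of the last code accepted for this user, so a code that was
    phished or replayed a moment later is rejected.  Returns the accepted
    counter (to be stored as the new last_counter) or None."""
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    at = time.time() if at is None else at
    counter = int(at) // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


# RFC 6238 test secret ("12345678901234567890") in the base32 form an
# authenticator app would be enrolled with.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo():
    """Accept a fresh code, then reject the same code replayed 29 s later."""
    secret = secret_from_base32(RFC_SECRET_B32)
    first = verify_totp(secret, "14050471", at=1111111111, digits=8)
    replay = verify_totp(secret, "14050471", at=1111111140, digits=8,
                         last_counter=first)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

One limit follows directly from the Trusteer finding above: a one-time code defeats a stolen or replayed password, but a man-in-the-browser Trojan is already inside the session after the user has typed the code, so for anything that moves money the code should be paired with confirmation of the transaction details on a separate channel or device.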
In the financial space, cybercriminals increasingly use older malware to capture individual passwords and personal information that is later exploited to gain access to financial accounts. "The Ramnit example is typical of these types of attacks," Wansley says. "Ramnit is actually an older malicious code that has been updated with new features to achieve other purposes."