F5 security researchers analyzed the Ramnit banking trojan campaign that was active over the holiday season and discovered it’s not much of a banking trojan anymore.

• 64% of its targets were retail eCommerce sites, including Amazon.com, Best Buy, Forever 21, Gap, Zara, Carter’s, OshKosh B’gosh, Macy’s, Victoria’s Secret, H&M, Overstock.com, Toys“R”Us, Zappos, and many others.
• Although banks were a smaller portion of targets, the target list included some of the largest banks in the world, including Bank of America, CitiBank, PNC, Chase, TD Bank, and US Bank.
• The C&C framework collecting the stolen user data is shared by several banking trojans, including Ramnit, Gozi, GootKit, and Tinba.
• The Ramnit C&C server is registered to a network in Russia, JSC MediaSoft Ekspert, that shows up often in F5 Labs threat research.
• For the fraud to be accomplished, users must be tricked in several phases, pointing to the need for continued security awareness training.

Ramnit’s authors likely had high hopes for this holiday shopping season when they added major online retailers to their targets. And it makes sense if you are a threat actor trying to optimize your attack. Why not expand your fraud net to sites that have a high likelihood of activity over the holidays? Most financial organizations recognize that the holiday season is also their peak fraud season and, as such, they maintain an elevated state of security awareness. Additionally, financial institutions have been targeted by banking trojans for so long that most have adopted advance web defenses (that is, they can detect if a user is infected with a known trojan) to combat the problem. Other industries, on the other hand, traditionally haven’t been targeted and are therefore less likely to have the same defenses in place. So, instead of hunting bank account information, the Ramnit authors zeroed in on credit card theft, collecting social security numbers, mothers’ maiden names, secret question answers, and other critical personally identifiable information.

Ramnit Holiday Campaign Targets

Retailers and their eCommerce sites were clearly the biggest focus for the Ramnit authors over the holidays as they accounted for 64% of the targets. Although banks were a smaller portion of the targets, those targeted included some of the largest banks in the world. Other notable targets were travel sites, entertainment, food delivery, shipping, online auctions, dating, and porn sites. The Ramnit authors covered what people actually do over the holidays; shop, ship, eat, check their bank account, and entertain themselves.