UK users are the latest targets of cyber crooks leveraging the Retefe banking Trojan and a rogue root certificate.
The malware is out to steal online banking credentials of customers of several UK banks – Barclays, HSBC, NatWest, Santander, Ulster Bank, Tesco Bank, etc. – but also other account login credentials for sites with “.com” and “.co.uk” domains.
Normally, users have to confirm the installation of a root certificate, but the crooks automate the process with a PowerShell script.
The victims only see the prompt for a few seconds, and then it’s gone.
The pop-up claims that the root certificate is from Comodo CA, but that’s a lie: the certificate comes from a suspicious issuer. Unfortunately, once the certificate has been admitted to the system’s trusted root store, the system (and the browser) will trust any certificate signed with it, for any website.
When the victims visit their bank’s online banking website, they are seamlessly redirected through a malicious proxy to a fake one. Every piece of information – whether login credentials or personal info – submitted to the site passes through the proxy, where the criminals can see and collect it.
In the meantime, the padlock in the address bar stays green, because the attackers issue the fake site a certificate signed with the above-mentioned rogue root certificate, and the system flags it as trusted.
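The two footholds described above, a root certificate planted in the user’s trust store and a proxy the browser is steered through, both leave traces a user or help desk can look for. The following PowerShell audit is an added example, not code from the article or from Avast’s research. It assumes that the `Cert:\CurrentUser\Root` view exposed by PowerShell includes the machine-level `Root` store, so that anything present only in the user view was added per user, and that 90 days is an arbitrary threshold for “recently issued”; the function names are the author’s own.

```powershell
# Added example (not from the article or Avast): audit a Windows profile for
# a per-user root certificate and for browser proxy settings.
# Assumption: the Cert: provider's CurrentUser\Root view is a composite that
# also lists the LocalMachine\Root store, so a thumbprint seen only in the
# user view was installed for this user alone.

function Get-SuspiciousRootCert {
    param([int]$RecentDays = 90)   # arbitrary threshold, adjust as needed

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    # Thumbprints of roots that are trusted machine-wide.
    $machineRoots = @{}
    foreach ($c in Get-ChildItem -Path 'Cert:\LocalMachine\Root') {
        $machineRoots[$c.Thumbprint] = $true
    }

    foreach ($cert in Get-ChildItem -Path 'Cert:\CurrentUser\Root') {
        $reasons = @()

        # A root only the current user trusts can be added without admin rights.
        if (-not $machineRoots.ContainsKey($cert.Thumbprint)) {
            $reasons += 'present only in the per-user Root store'
        }

        # A genuine root certificate is self-signed: subject equals issuer.
        if ($cert.Subject -ne $cert.Issuer) {
            $reasons += 'subject and issuer differ, so it is not self-signed'
        }

        # Public CA roots are years old; a freshly minted one stands out.
        if ($cert.NotBefore -gt $cutoff) {
            $reasons += "valid from $($cert.NotBefore.ToString('yyyy-MM-dd')), within the last $RecentDays days"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotBefore  = $cert.NotBefore
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

function Get-UserProxySetting {
    # WinINET settings for the current user; Internet Explorer, Edge and Chrome
    # pick up a proxy server or PAC (auto-config) URL from here.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer      # $null when no manual proxy is set
        AutoConfigURL = $p.AutoConfigURL    # $null when no PAC URL is set
    }
}

Write-Host '== Root certificates worth a second look =='
Get-SuspiciousRootCert | Format-List
Write-Host '== Per-user browser proxy settings =='
Get-UserProxySetting | Format-List
```

On a clean machine the first section should be empty or contain only roots an administrator or enterprise policy knowingly added, and the second should show no proxy or PAC URL the user did not configure. A root whose subject names a well-known CA but which appears only in the per-user store is exactly the pattern the article describes; its thumbprint can be compared against the CA’s published root before deciding to remove it.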
“This type of malware is a serious threat for unaware users, because most people trust the certificate signs on HTTPS sites and, therefore, do not verify the certificate’s issuer. This makes it easy for the Retefe banker Trojan to steal important data and money,” Avast researchers pointed out.
The banks whose customers are targeted have been warning them about this active campaign, but chances are that many users have already been infected, had their information stolen and misused, and possibly their accounts pilfered.
So beware of unsolicited email, iffy attachments, and unexpected root certificates being installed on your computer without your permission.