For clarification, this article is focused on providing information on the increased activity of the Retefe banking trojan, which has been targeting various banks, mostly in Switzerland, Austria, and the UK. While this is happening at the same time as news breaking that Tesco Bank suffered a major cyberattack, there is no concrete evidence that Retefe is behind this.
Tesco Bank, which recently saw thousands of its customers lose funds to cybercriminals, has been found on the target list of the so-called Retefe malware. This trojan horse goes after users’ online banking credentials, which can be then misused to conduct fraudulent transactions. Many more thousands might be at risk as the malware’s target list contains several other banks.
In a statement, Tesco Bank’s chief executive Benny Higgins said: “Tesco Bank can confirm that, over the weekend, some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently.”
According to the BBC, approximately 40,000 saw suspicious transactions over the weekend and about 20,000 of them had money stolen. Tesco Bank later confirmed that around 9,000 customers were affected. Higgins assured that Tesco would continue to cooperate with the authorities and keep their customers informed through their website and other channels.
Tesco Bank decided to temporarily stop online transactions from current accounts, but left its other services such as cash withdrawals, both chip and PIN payments, as well as all existing bill payments and direct debits available for the current account customers. Based on that decision, one can assume that its core infrastructure hasn’t been affected and there are no additional details that would suggest otherwise.
Our active malware monitoring and ESET Threat Intelligence services show that Tesco Bank has recently been on the target list of Retefe trojan horse.
Disturbingly, our analysis shows that there is quite a lengthy list of other banks located in many other countries in this malware’s crosshairs. It must also be said that this campaign began at least as far back as February 2016. (Note that the Retefe malware had already been active even prior to this date but had been using different techniques to infect victims’ computers.)
If a user had been infected by this malicious code and tried to connect to any of the targeted online banking services, the malware modified the banking webpage in an attempt to harvest logon credentials.
Detected by ESET as JS/Retefe, this malicious code is usually spread as an email attachment pretending to be an order, an invoice or a similar file. Once executed it installs several components including anonymizing service Tor and uses these to configure a proxy for targeted banking sites.
The effect of this malware technique is that when an infected user tries to access their online banking website (full list of affected domains at the end of the blog post) they are covertly redirected to a fake copy instead.
Retefe also adds a fake root certificate disguised as if issued and verified by a well-known certification authority, Comodo. This makes the fraud very difficult to spot from a user’s perspective.
This is not a security issue on the side of any of the affected banks.
by Peter Stancik, ESET We Live Security