Expert update about the Retefe banking Trojan

Security researchers have been posting updates about the Retefe banking Trojan. While it’s been around for some time, targeting Sweden, Switzerland and Japan, it is now targeting UK banking customers. Using fake certificates, the Trojan is designed to trick victims into giving up their login credentials and other sensitive information.

Lisa Baergen, director at NuData Security, had the following comments:

“Like many Trojans, the Retefe Trojan is malware that requires unsophisticated users to participate in their victimhood by opening attachments. It’s still the case that many users will fall into this trap, but it’s also true that even the savviest users can still sometimes be fooled because these invitations can come across as extremely authentic. While behavioural biometrics can’t stop the data from being taken, what it can do is prevent it from being relevant and valuable to the thieves. Fraudsters buy this data and try to log in to the account posing as the valid user, or use it in the many other ways the big hacker business uses stolen data.

Banks can defeat these fraudsters by understanding how good users behave. Passive biometric technology collects hundreds of behavioural signals over the lifetime of the account interaction. These signals can include how a user holds their device, how they interact with it, how they type their user name and password, among many other data points. These tools use machine learning and data analytics to build a non-PII profile of the individual so they can tell if the user is behaving as they usually do, or some anomaly is present that warrants a closer look. These tools also aggregate data from the biometric network of billions of events to determine if this user is behaving like other humans do, and can even predict bad behaviour.

With Risk Based Authentication (RBA), behavioural biometrics identifies suspicious activity in real time during authentication. For example, with a potential MITB attack such as what would occur with Retefe, the online bank could dynamically launch an Out Of Band (OOB) authentication method, something not transmitted via the Internet such as a phone call or SMS. There are other interdictions that could take place, providing the bank further options to investigate and validate.

In this way, banks use behavioural biometrics to defeat fraudsters who are unable to faithfully reproduce the real user behaviour, making it impossible to use the relatively few credentials they may have bought or stolen. Eventually, the credentials and data the fraudsters have will become useless as more and more banks come to understand that knowing their users is the best way to make fraudsters irrelevant, and they deploy technology that can do just that.”
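The comments above describe a pattern rather than an implementation: build a baseline of how a genuine account holder behaves, score each new login against it, and step up to an out-of-band check when the behaviour does not fit, even though the password is correct. The following is an added illustration of that risk-based authentication decision, written for this page; it is not NuData's code, and the feature names, the sample sessions, the z-score threshold and the missing-telemetry penalty are all constructed assumptions chosen to keep the example small.

```python
"""Toy risk-based authentication (RBA) decision built on behavioural signals.

Added example: a per-user baseline is derived from earlier logins, a new
login is scored by how far its signals fall from that baseline, and a high
score triggers an out-of-band (OOB) step-up instead of a silent allow.
All feature names, values and thresholds below are constructed for the demo.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Behavioural features captured per login attempt (constructed names).
FEATURES = (
    "username_keystroke_ms",   # mean delay between keystrokes in the username
    "password_total_ms",       # time taken to type the whole password
    "mouse_speed_px_s",        # average pointer speed before clicking "Log in"
)


@dataclass
class Profile:
    means: dict
    stdevs: dict
    n_sessions: int


def build_profile(sessions):
    """Per-feature mean and standard deviation over a user's past sessions.
    The deviation is floored so a perfectly consistent user never divides by 0."""
    means, stdevs = {}, {}
    for f in FEATURES:
        values = [s[f] for s in sessions]
        means[f] = mean(values)
        stdevs[f] = max(pstdev(values), 1e-6)
    return Profile(means, stdevs, len(sessions))


def anomaly_score(profile, session, missing_penalty=6.0):
    """Largest absolute z-score across the features: one signal that is far
    off is enough to warrant a closer look. A feature the client never sent
    (no telemetry at all, as with a scripted login) counts as a big deviation."""
    worst = 0.0
    for f in FEATURES:
        if f not in session:
            z = missing_penalty
        else:
            z = abs(session[f] - profile.means[f]) / profile.stdevs[f]
        worst = max(worst, z)
    return worst


def rba_decision(profile, session, step_up_threshold=3.0, min_history=5):
    """'allow' when the behaviour matches the baseline, otherwise 'step_up_oob'
    (the bank would then place a phone call or send an SMS before proceeding).
    With too little history the baseline is not trusted and step-up is forced."""
    if profile.n_sessions < min_history:
        return "step_up_oob"
    if anomaly_score(profile, session) < step_up_threshold:
        return "allow"
    return "step_up_oob"


# Constructed history: six earlier logins by the genuine account holder.
HISTORY = [
    {"username_keystroke_ms": 180, "password_total_ms": 2100, "mouse_speed_px_s": 400},
    {"username_keystroke_ms": 190, "password_total_ms": 2300, "mouse_speed_px_s": 420},
    {"username_keystroke_ms": 175, "password_total_ms": 2000, "mouse_speed_px_s": 380},
    {"username_keystroke_ms": 185, "password_total_ms": 2200, "mouse_speed_px_s": 410},
    {"username_keystroke_ms": 200, "password_total_ms": 2400, "mouse_speed_px_s": 390},
    {"username_keystroke_ms": 170, "password_total_ms": 2000, "mouse_speed_px_s": 400},
]
BASELINE = build_profile(HISTORY)

# Constructed candidate logins; every one of them presents the correct password.
SESSIONS = {
    # the account holder on their usual device
    "genuine": {"username_keystroke_ms": 185, "password_total_ms": 2150, "mouse_speed_px_s": 405},
    # stolen credentials replayed from another machine: pasted password, fast pointer
    "credential_replay": {"username_keystroke_ms": 40, "password_total_ms": 600, "mouse_speed_px_s": 900},
    # a login that sent no pointer telemetry at all
    "no_telemetry": {"username_keystroke_ms": 185, "password_total_ms": 2150},
}


def demo():
    """Decision per constructed session, keyed by session name."""
    return {name: rba_decision(BASELINE, s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        score = anomaly_score(BASELINE, SESSIONS[name])
        print(f"{name:18s} score={score:5.1f} -> {decision}")
```

The point of the example is the shape of the decision, not the numbers: the credential-only login and the telemetry-free login both fail the behavioural check and are routed to an out-of-band step-up, while the genuine session passes without friction. A production system would use many more signals, a model trained across accounts rather than a per-feature z-score, and a threshold tuned against measured false-positive rates.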