Security experts have linked the recent attack which cost Tesco Bank £2.5 million to the Retefe trojan and warned that countless other banks are also at risk around the world.
The cyber-attack against the British lender affected 9000 customers in the end, with Tesco forced to pay out millions to compensate them this week.
Although the bank temporarily stopped online transactions from debit accounts, other services such as cash withdrawals were allowed to continue, hinting that the problem hasn’t affected the bank’s core IT systems, Eset security evangelist Peter Stancik claimed in a blog post.
“Our active malware monitoring and Eset Threat Intelligence services show that Tesco Bank has recently been on the target list of Retefe trojan horse,” he continued.
“Disturbingly, our analysis shows that there is quite a lengthy list of other banks located in many other countries in this malware’s crosshairs. It must also be said that this campaign began at least as far back as February 2016.”
Retefe typically infects users in the form of a malicious email attachment masquerading as an invoice or similar, and is equipped with several sophisticated components to guarantee success.
For one, it uses Tor to configure a proxy server designed to mimic the targeted bank’s site, which effectively carries out a man in the middle attack on the traffic flowing from the customer to their online banking account.
To avoid suspicion, it installs a fake root certificate designed to prevent any warning notices that the site they’re interacting with isn’t the genuine bank’s site.
There’s even a mobile component designed to help bypass two-factor authentication by intercepting one-time passcodes.
Lieberman Software vice-president of product strategy, Jonathan Sander, explained why Retefe and malware like it is so dangerous.
“If the bad guy owns your machine, you can put all the security you want on the server and it won't matter. When you have the user change their password, the bad guy sees it. When you switch up the website process, the bad guy sees that too and can emulate it,” he said.
“The only thing that can be truly effective is a very diligent end user who knows what to look for. That means all the banks can do is offer tips on how to spot the fake sites collecting user data that the malware creates and hope the user is diligent enough to learn and watch for signs of the bad guys at work."
Retefe has been active this year in various countries, and was flagged by Palo Alto after striking in Sweden, Switzerland and Japan.
Other UK banks on the hit list include Halifax, HSBC, Natwest, Barclays and Sainsbury’s Bank, according to Eset.
Eset researcher Robert Lipovsky told Infosecurity that monitoring of the banking Trojan botnet configuration files had led his team to deduce the malware is actively targeting users of these banks.
Any users suspecting they’ve been infected are advised to monitor their accounts carefully, change log-ins, delete the fake Comodo certificate and use reputable anti-malware on PC and mobile device.