Retefe Trojan Could Give Criminals Control of Your Bank Account
People stash their money in Swiss bank accounts because those banks have a reputation for security and privacy. Unfortunately, cyber criminals using a new banking Trojan named Retefe started raiding Swiss banks in the summer of 2014. By August, Retefe had spread to computers in other European countries and Japan. Specifically, the malware targets banks whose two-factor authentication (2FA) relies on a one-time session token sent to the customer's phone by text message.
Security researchers suspect that Russian-speaking hackers in Romania created Retefe. They distributed the Trojan in emails that appeared to come from large, trusted online retailers. Recipients who clicked the link or opened the attached file installed Retefe without realising it. Once running, Retefe changed the machine's Domain Name System (DNS) settings so that it used name servers the attackers controlled, installed a rogue root certificate in the system's trust store, and then deleted itself. Because the malicious program was gone within moments and only the changed settings remained, antivirus products that look for a malicious file had little to find.
To understand how Retefe works, you need to understand how DNS works. DNS translates human-readable domain names into the numeric IP addresses that computers use to reach one another. Think of the domain name as a company's name in a phone book and the IP address as its phone number: you know the name, but the call only connects if the number you dial is right. Every time you visit a site, your browser asks a DNS server (normally one assigned by your home router or your ISP) for the address behind the domain, and then connects to whatever address it gets back.
By pointing the machine at name servers they control, Retefe's creators can answer that question with the wrong IP address. Instead of reaching the server that hosts your bank's website, your computer reaches a server that hosts a fake copy of it. Normally the browser would catch this, because the fake site cannot present a certificate for the bank's domain that chains to a trusted certificate authority, and you would see a warning. The rogue root certificate that Retefe installed removes that safeguard: any certificate issued under it looks fully trusted, the padlock appears as usual, and when the page asks you to log in you have no idea that you are handing your bank credentials to cyber criminals.
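Because the dropper deletes itself, a clean-up or investigation has to look for what it left behind rather than for a malicious file: resolver settings that point somewhere unexpected, a root certificate that was never part of the machine's baseline, and a bank hostname that resolves differently from what a known-good resolver says. The following script is an added example written for this article, not code from the Retefe research or from any vendor. Every input is constructed: the `ipconfig /all`-shaped excerpt, the allowlist of expected resolvers, the baseline thumbprints, the root-store dump and the two sets of A-record answers are all hypothetical values in documentation address ranges.

```python
"""Offline triage for the artifacts a self-deleting DNS/root-CA Trojan leaves behind:
tampered resolver settings, an unbaselined root certificate, and a hostname that the
configured resolver answers differently from a trusted one. All inputs are constructed."""
import ipaddress
import re

# Constructed excerpt in the shape of `ipconfig /all` output on a Windows PC. The two
# resolvers listed are documentation-range addresses standing in for attacker servers.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       203.0.113.44
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Hypothetical allowlist: the resolvers DHCP is supposed to hand out on this network.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.0.2.53"}
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed baseline of SHA-1 thumbprints recorded from a clean build's Root store,
# and a constructed dump (thumbprint -> subject) of the store as found on the PC.
BASELINE_ROOT_THUMBPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF",
}
ROOT_STORE_DUMP = {
    "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67": "CN=Trusted Root CA 1 (constructed)",
    "89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef": "CN=Trusted Root CA 2 (constructed)",
    "de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef": "CN=Certificate Authority (constructed rogue root)",
}

# Constructed A-record answers: what the configured (hijacked) resolver returns for the
# bank's hostname versus what a known-good resolver, queried out-of-band, returns.
ANSWERS_CONFIGURED = {"ebanking.bank.example": "198.51.100.21", "www.example.net": "203.0.113.80"}
ANSWERS_TRUSTED = {"ebanking.bank.example": "203.0.113.10", "www.example.net": "203.0.113.80"}


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_dns_servers(ipconfig_text):
    """Collect every address under a 'DNS Servers' field. ipconfig prints the first address
    on the labelled line and any further addresses on unlabelled continuation lines."""
    servers = []
    in_dns_field = False
    for line in ipconfig_text.splitlines():
        labelled = re.match(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$", line)
        if labelled:
            servers.append(labelled.group(1))
            in_dns_field = True
            continue
        continuation = re.match(r"^\s+(\S+)\s*$", line)
        if in_dns_field and continuation and _is_ip(continuation.group(1)):
            servers.append(continuation.group(1))
        else:
            in_dns_field = False
    return servers


def rogue_resolvers(configured, expected=EXPECTED_RESOLVERS, local_net=LOCAL_NET):
    """A resolver is suspicious when it is neither on the allowlist nor on the local
    network, which is exactly what a malware-rewritten resolver setting looks like."""
    return [ip for ip in configured
            if ip not in expected and ipaddress.ip_address(ip) not in local_net]


def normalize_thumbprint(text):
    """Strip colons/spaces and upper-case, so dumps in any format compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def unbaselined_roots(store, baseline=BASELINE_ROOT_THUMBPRINTS):
    """Root certificates present on the machine but absent from the clean baseline. A
    dropped root CA shows up here even though the dropper itself is long gone."""
    return {normalize_thumbprint(tp): subject for tp, subject in store.items()
            if normalize_thumbprint(tp) not in baseline}


def hijacked_names(configured_answers, trusted_answers):
    """Hostnames where the configured resolver disagrees with a known-good resolver.
    Sites served from several addresses can differ legitimately, so confirm before acting."""
    mismatches = []
    for name, ip in configured_answers.items():
        trusted_ip = trusted_answers.get(name)
        if trusted_ip is not None and trusted_ip != ip:
            mismatches.append(name)
    return sorted(mismatches)


def triage():
    """Run all three checks on the constructed inputs and return the findings."""
    resolvers = parse_dns_servers(IPCONFIG_SAMPLE)
    return {
        "resolvers": resolvers,
        "rogue_resolvers": rogue_resolvers(resolvers),
        "unbaselined_roots": unbaselined_roots(ROOT_STORE_DUMP),
        "hijacked_names": hijacked_names(ANSWERS_CONFIGURED, ANSWERS_TRUSTED),
    }


if __name__ == "__main__":
    for check, finding in triage().items():
        print(f"{check}: {finding}")
```

On a real machine you would feed `parse_dns_servers` the actual `ipconfig /all` output and build `ROOT_STORE_DUMP` from the certificate store, while the baseline has to come from a build you trust; the checks are only as good as that baseline.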
The minds behind Retefe aren't satisfied with just getting your login information. Their fake website prompts you to download an Android app, presented as the bank's own security or session-token generator app. Where a bank's 2FA sends you a one-time code by text message after you enter your password, that app reads the incoming messages and forwards the codes to the thieves. 2FA no longer provides you with an extra layer of protection.
When you sign into what looks like your real bank account and enter your one-time code, the criminals use your password and the intercepted code on the real site and transfer your money to accounts they control. Researchers have not put a dollar figure on the thefts or named the affected banks, but they have disclosed that at least 34 banks in Austria, Sweden, Switzerland, and Japan were targeted. One security firm reported finding Retefe on 20,641 computers in Japan alone.
To protect your own computers and mobile devices, take the following precautions:
- Use antivirus: Many desktop and laptop users install virus protection on their machines, but far fewer do so on their smartphones and tablets. Android attacks like the one associated with Retefe are increasing, so antivirus for Android has become a must-have, not a nice-to-have. Install apps only from the official store, and treat a bank website that asks you to download an app from its login page as a warning sign rather than a service.
- Don't rely on password changes: Changing your bank password often is frequently recommended, but it does little against Retefe, which captures your current password and one-time code the moment you type them. What helps more is a password you use for no other site, so a stolen bank password cannot be reused elsewhere, and, where your bank offers it, a 2FA method that does not depend on text messages.
- Never click an email link: Instead of clicking a link or button in an email, point your cursor at it and your mail program or browser will show the real destination in a small window. Look for inconsistencies with the sender's web address; if the email claims to come from Amazon.com but the link goes to amazon2.com, delete it. Reach your bank by typing its address yourself or using a bookmark you saved earlier. Keep in mind that this alone does not defeat Retefe once it has changed your DNS settings, because even a correctly typed address is then resolved to the fake server. If your bank's site suddenly asks you to install a phone app, or its certificate is issued by an authority you do not recognise, stop and call the bank.
Don’t end up with an empty wallet. Take smart precautions to avoid downloading Retefe on your computer or mobile device.