The malware that has been targeting Tesco Bank, has several other banks and service providers on its target list, ESET researchers have found. Uncovered by ESET’s research team, the Retefe Trojan, active in its current form since at least February, 2016, is capable of redirecting its victims to modified banking pages to harvest log-in credentials. In some cases, it has also tried to trick the user into installing a mobile component of the malware (detected by ESET as Android/Spy.Banker.EZ). This mobile component was then used to bypass two-factor authentication.
Detected by ESET as JS/Retefe, this malicious code is usually spread as an email attachment pretending to be an order, an invoice or a similar file. Once executed, it installs several components including an anonymizing service Tor and uses these to configure a proxy for targeted banking sites.
Retefe also adds a fake root certificate disguised as if issued and verified by a well-known certification authority, Comodo. This makes the fraud very difficult to spot from a user’s perspective.
Retefe has been on the radar of security researchers in past, and most recently when it targeted UK banking customers earlier this year. Since then, it has added the mobile component and extended its list of targets found here.
Among services targeted by the Retefe Trojan, are large banks in the UK, Switzerland (the most affected country, according to ESET LiveGrid cloud system) and Austria, as well as popular services like Facebook and PayPal. (The full list can be found below.)
ESET researchers have determined the indicators of compromise for the Retefe malware and urge users of the below mentioned services to check if their computers are infected. They can do this manually, or use ESET’s Retefe Checker website, where they can find a free downloadable tool that checks the computer for the mentioned indicators automatically.
For a more detailed report on the recent findings, visit http://www.welivesecurity.com/2016/11/10/tesco-bank-not-alone-targeted-retefe-malware/
As a reminder, for proactive protection use a reliable security solution with dedicated banking and payment protection, and don’t forget to protect your Android device as well.
About ESET:
Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.
ESET press contact:
Kiley Nichols
(781) 684-6513