'Eurograbber' online banking scam netted $47 million

Over the past year, about 30,000 European banking customers were robbed of about 36 million euros -- that's about $47 million -- in an online banking scam that worked by exploiting mobile devices, according to security firms that stumbled into the operation.

The scam has been dubbed Eurograbber by Check Point Software Technologies and Versafe, which say they found out about the operation through financial institutions they know after their online banking customers were hit. Eurograbber typically worked by tricking victims into downloading a customized variant of the Zeus Trojan, which then took control of their computers and intercepted online banking sessions. Infection with the Eurograbber Trojan could occur during Internet browsing or by falling for a phishing email, said Darrell Burkey, director of IPS products at Check Point Software Technologies, which worked with Israel-based Versafe to help investigate Eurograbber.


"It's basically a man-in-the-middle attack against a bank site," said Burkey, adding that the scam is believed to be a crime operation out of the Ukraine, whose command-and-control servers were recently disrupted by European law enforcement with ISP cooperation.

Eurograbber was first detected in Italy, then spread in Germany, Holland and Spain, and hit both commercial accounts as well as those of individual consumers at about 30 banks, according to Check Point and Versafe, which today published a report about how Eurograbber worked.

Eurograbber was able to illegally transfer funds out of customers' accounts in amounts that ranged from 500 to 250,000 euros. And though there has been much bank-related fraud in the past few years, Eurograbber struck the security firms as notable in how it overcame bank security measures based on sending a so-called transaction authentication number (TAN) via SMS to the customer's mobile device. The TAN, delivered by SMS, is intended to let the bank customer confirm that the online banking transaction is one they have indeed authorized -- but Eurograbber compromises that, too.

During the customer's first banking session after their computer is infected, the Eurograbber malware injects instructions into the session that prompt the customer to enter their mobile phone number. At that point, the victim is told to complete a fake "banking software security upgrade" by following instructions sent to their mobile device via SMS. The attacker's SMS instructions tell the victim to click on a link to complete a "security upgrade" on their mobile phone. However, "clicking on the link actually downloads a variant of the 'ZeuS in the mobile' (ZITMO) Trojan," the report says. "The ZITMO variant is specifically designed to intercept the bank's SMS containing the all-important 'transaction authorization number.'"

This TAN is the key element in the bank's two-factor authorization process for an online banking transaction. Once the Eurograbber Trojan on the victim's mobile device intercepts it, the malware works silently in the background, under the control of the crime organization, to complete the transaction and transfer money out of the victim's bank account to wherever the criminals want.
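To make the failure mode concrete, here is a small model of the SMS-TAN flow described above. It is an added illustration, not code from the article, Check Point or Versafe; the key, account and IBAN values are constructed, and the phone and bank objects are assumptions. It shows why a TAN bound to the transfer details stops a man-in-the-browser that merely swaps the destination, and why that binding no longer helps once the phone itself forwards the bank's SMS, which is exactly the ZITMO step.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

BANK_KEY = b"constructed-demo-key"  # constructed: the bank's server-side TAN secret


@dataclass(frozen=True)
class Transfer:
    account: str
    dest_iban: str
    amount_eur: int


def issue_tan(t: Transfer) -> str:
    """Bank side: derive a 6-digit TAN bound to the exact transfer details, sent by SMS."""
    msg = f"{t.account}|{t.dest_iban}|{t.amount_eur}".encode()
    digest = hmac.new(BANK_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify_tan(t: Transfer, tan: str) -> bool:
    """Bank side: a TAN only authorises the transfer it was issued for."""
    return hmac.compare_digest(issue_tan(t), tan)


class Phone:
    """Assumed model of the customer's handset receiving the bank's TAN SMS."""

    def __init__(self, infected: bool):
        self.infected = infected

    def receive_sms(self, transfer: Transfer, tan: str) -> Optional[str]:
        if self.infected:
            return tan  # ZITMO-style: the SMS is forwarded, the user never sees it
        # clean phone: the user reads the SMS and refuses a transfer they never made
        return tan if transfer.amount_eur <= 1_000 else None


def mitb_swap_rejected() -> bool:
    """Classic MitB: user authorises a small transfer, malware swaps in a mule transfer."""
    wanted = Transfer("DE00-victim", "DE11-grocer", 120)
    swapped = Transfer("DE00-victim", "DE99-mule", 250_000)
    tan = issue_tan(wanted)            # SMS describes the 120 EUR transfer
    return not verify_tan(swapped, tan)  # bound TAN does not fit the swapped transfer


def eurograbber_accepted(infected: bool) -> bool:
    """Malware submits its own transfer; the bank's TAN for it lands on the phone."""
    mule = Transfer("DE00-victim", "DE99-mule", 250_000)
    captured = Phone(infected).receive_sms(mule, issue_tan(mule))
    return captured is not None and verify_tan(mule, captured)
```

The bound TAN blocks the swap, yet `eurograbber_accepted(True)` succeeds because the second factor is only as trustworthy as the device that receives it.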

Burkey said Eurograbber mobile Trojans were identified for Android, BlackBerry and Symbian devices, as well as for jailbroken iPhones on which the Apple iOS security controls have been disabled. Although so far Eurograbber appears not to have been used as an online banking attack outside of Europe, "there's no reason it couldn't happen here," said Burkey.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.
