'Eurograbber' online banking scam netted $47 million

Over the past year, about 30,000 European banking customers were robbed of about 36 million euros -- that's about $47 million -- in an online banking scam that worked by exploiting mobile devices, according to security firms that stumbled into the operation.

The scam has been dubbed Eurograbber by Check Point Software Technologies and Versafe, which say they found out about the operation through financial institutions they know after their online banking customers were hit. Eurograbber typically worked by tricking victims into downloading a customized variant of the Zeus Trojan, which then took control of their computers and intercepted online banking sessions. Infection with the Eurograbber Trojan could occur during Internet browsing or by falling for a phishing email, said Darrell Burkey, director of IPS products at Check Point Software Technologies, which worked with Israel-based Versafe to help investigate Eurograbber.


"It's basically a man-in-the-middle attack against a bank site," said Burkey, adding that the scam is believed to be a crime operation out of the Ukraine, whose command-and-control servers were recently disrupted by European law enforcement with ISP cooperation.

Eurograbber was first detected in Italy, then spread in Germany, Holland and Spain, and hit both commercial accounts as well as those of individual consumers at about 30 banks, according to Check Point and Versafe, which today published a report about how Eurograbber worked.

Eurograbber was able to illegally transfer funds out of customers' accounts in amounts that ranged from 500 to 250,000 euros. And though there has been much bank-related fraud in the past few years, Eurograbber struck the security firms as notable in how it overcame bank security measures based on sending a so-called transaction authentication number (TAN) via SMS to the customer's mobile device. The TAN is a security measure via SMS intended to allow the bank customer to verify the online banking transaction is one they indeed have authorized -- but Eurograbber compromises that, too.

During the customer's first banking session after their computer is infected, the Eurograbber malware injects instructions into the session that prompt the customer to enter their mobile phone number. At that point, the victim is told to complete a fake "banking software security upgrade" by following instructions sent to their mobile device via SMS. The attacker's SMS instructions tell the victim to click on a link to complete a "security upgrade" on their mobile phone. However, "clicking on the link actually downloads a variant of 'ZeuS in the mobile' (ZITMO) Trojan," the report says. "The ZITMO variant is specifically designed to intercept the bank's SMS containing the all-important 'transaction authorization number.'"

This TAN is the key element in the bank's two-factor authorization process for an online banking transaction. Once the Eurograbber Trojan on the victim's mobile device intercepts it, the malware works silently in the background to complete the transaction under the control of the crime organization, transferring money out of the victim's bank account to wherever the criminals want.

Burkey said Eurograbber mobile Trojans were identified for Android, BlackBerry and Symbian devices, as well as for jailbroken iPhones in which the Apple iOS security controls have been disabled. Although so far Eurograbber appears not to have been used as an online banking attack outside of Europe, "there's no reason it couldn't happen here," said Burkey.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.
