Eurograbber SMS Trojan steals €36 million from online banks

Huge attack hits 30,000 accounts in Germany, Italy and Spain

A devastating Zeus Trojan attack was able to break the supposedly impregnable SMS authentication used by a clutch of European banks, stealing €36 million (£30 million) from tens of thousands of customers, security firm Check Point has revealed.

Dubbed 'Eurograbber', the attack on 30 unidentified banks across Italy, Spain, Germany, and The Netherlands happened over a period between August and mid-October of this year, eventually affecting 30,000 consumer and business accounts.

During the attack, the gang was able to initiate transfers ranging from €500 to €250,000 using mule accounts, the company said.

Apart from its staggering financial success, what marks this attack out from a clutch of previous online bank attacks using earlier variants of the same Zeus malware is simply that it took on and beat a common two-factor security technology using a clever but fundamentally simple design.

Bank customers would have been infected by clicking on links or attachments that initiated the infection on their PC, but that was the straightforward part of the story; the attack still needed to get hold of the Transaction Authentication Number (TAN) sent by banks via SMS to allow login to proceed.

Easy. When a target next logged on to their online account, the Trojan fired up and asked them to confirm their mobile number, feeding them a bogus 'banking software security upgrade'.

That 'upgrade' turned out to be a link to the second part of the attack, which loaded a "Zeus in the mobile" (ZITMO) Trojan on any customers using Android or BlackBerry handsets. This intercepted the real TAN when it was sent by the bank.

The fact that money was being transferred behind the scenes would not have been apparent to the customer until they checked their monthly statements.

"Once a bank customer is infected, they are owned," was the stark assessment of Check Point's director of Intrusion Prevention Products, Darrell Burkey.

"The transaction appears to be completely normal to the bank."

Disturbingly, the appalling scale of the attack only became apparent once security specialist and partner Versafe was called in and joined up some dots.

"Each one [a bank] looked at it in isolation," said Burkey.
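The cross-bank correlation credited to Versafe above, as an added example (not Check Point's or Versafe's code): a rule run over constructed transfer records that flags destination accounts receiving transfers in the reported €500 to €250,000 range from several senders across several banks, and a second function showing that the same rule finds nothing when one bank looks only at its own records. Bank names, account numbers and amounts are made up.

```python
from collections import defaultdict

# Constructed sample transfer records (not real data).
# Fields: bank, source account, destination account, amount in euros.
TRANSFERS = [
    ("BankA", "A-1001", "MULE-77", 1200),
    ("BankA", "A-1002", "MULE-77", 950),
    ("BankB", "B-2001", "MULE-77", 4300),
    ("BankB", "B-2002", "MULE-78", 15000),
    ("BankC", "C-3001", "MULE-77", 700),
    ("BankC", "C-3002", "MULE-78", 2500),
    ("BankA", "A-1003", "SHOP-1", 49),    # below the reported range, ignored
    ("BankA", "A-1004", "RENT-9", 800),   # one sender, one bank: no signal
]

MIN_AMOUNT, MAX_AMOUNT = 500, 250_000  # transfer range reported for Eurograbber


def find_shared_mules(transfers, min_banks=2, min_senders=3):
    """Return destination accounts that receive in-range transfers from at
    least `min_senders` distinct sources spread over at least `min_banks` banks.
    Each flagged entry records the banks involved, sender count and total."""
    senders = defaultdict(set)
    banks = defaultdict(set)
    total = defaultdict(int)
    for bank, src, dst, amount in transfers:
        if not MIN_AMOUNT <= amount <= MAX_AMOUNT:
            continue
        senders[dst].add(src)
        banks[dst].add(bank)
        total[dst] += amount
    flagged = {}
    for dst in senders:
        if len(banks[dst]) >= min_banks and len(senders[dst]) >= min_senders:
            flagged[dst] = {
                "banks": sorted(banks[dst]),
                "senders": len(senders[dst]),
                "total": total[dst],
            }
    return flagged


def per_bank_view(transfers, bank, min_senders=3):
    """The same rule applied by a single bank to its own records only,
    i.e. the 'looked at it in isolation' view described above."""
    own = [t for t in transfers if t[0] == bank]
    return find_shared_mules(own, min_banks=1, min_senders=min_senders)
```

With the sample data, MULE-77 is only visible as a shared destination once all three banks' records are pooled; BankA alone sees two senders to it and raises nothing.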

Could the attacks have been stopped? It's not clear whether antivirus - or the lack of it - was an issue in this incident so let's move on to the mobile question.

The attack would not have worked against customers using the iPhone or a Windows Phone, which is not entirely a coincidence. Unless jailbroken, apps (including Trojans) can't reach the iPhone except through the official channel controlled and monitored by Apple itself. The relative openness of Android was in this case a major weakness.

No software vulnerabilities were needed to initiate the malware on either the PC or mobile; Eurograbber succeeded thanks to old-fashioned social engineering of the user to click on links and to go along with the installation of the malware on their mobile.

"As seen with Eurograbber, attackers are focusing on the weakest link, the people behind the devices, and using very sophisticated techniques to launch and automate their attacks and avoid traceability," concluded Versafe's head of Security Operation Center, Eran Kalige.

Last June, security company Kaspersky Lab reported on what could in hindsight have been one component of the Eurograbber attack, a mobile app designed to intercept SMS messages, uploading them to a remote server. Around the same time, a separate but almost identical attack was noticed by Trusteer.

Even earlier, in 2011, news emerged of a similar attack in Poland that targeted the same layer of authentication. Perhaps banks and their customers had more warning than they realised.
