Eurograbber SMS Trojan steals €36 million from online banks

Huge attack hits 30,000 accounts in Germany, Italy and Spain

A devastating Zeus Trojan attack was able to break the supposedly impregnable SMS authentication used by a clutch of European banks, stealing €36 million (£30 million) from tens of thousands of customers, security firm Check Point has revealed.

Dubbed 'Eurograbber', the attack on 30 unidentified banks across Italy, Spain, Germany, and The Netherlands happened over a period between August and mid-October of this year, eventually affecting 30,000 consumer and business accounts.

During the attack, the gang was able to initiate transfers ranging from €500 to €250,000 using mule accounts, the company said.

Apart from its staggering financial success, what marks this attack out from a clutch of previous online bank attacks using earlier variants of the same Zeus malware is simply that it took on and beat a common two-factor security technology using a clever but fundamentally simple design.

Bank customers would have been infected by clicking on links or attachments that initiated the infection on their PC, but that was the straightforward part of the story; the attack still needed to get hold of the Transaction Authentication Number (TAN) sent by banks via SMS to allow login to proceed.

Easy. When a target next logged on to their online account, the Trojan fired up and asked them to confirm their mobile number, feeding them a bogus 'banking software security upgrade'.

That 'upgrade' turned out to be a link to the second part of the attack, which loaded a "Zeus in the mobile" (ZITMO) Trojan on any customers using Android or BlackBerry handsets. This intercepted the real TAN when it was sent by the bank.

That money was being transferred behind the scenes would not have been apparent to the customer until they checked their monthly statements.

"Once a bank customer is infected, they are owned," was the stark assessment of Check Point's director of Intrusion Prevention Products, Darrell Burkey.

"The transaction appears to be completely normal to the bank."

Disturbingly, the appalling scale of the attack only became apparent once security specialist and partner Versafe was called in and joined up some dots.

"Each one [a bank] looked at it in isolation," said Burkey.

Could the attacks have been stopped? It's not clear whether antivirus - or the lack of it - was an issue in this incident so let's move on to the mobile question.

The attack would not have worked against customers using the iPhone or a Windows Phone, which is not entirely a coincidence. Unless jailbroken, apps (including Trojans) can't reach the iPhone except through the official channel controlled and monitored by Apple itself. The relative openness of Android was in this case a major weakness.

No software vulnerabilities were needed to initiate the malware on either the PC or mobile; Eurograbber succeeded thanks to old-fashioned engineering of the user to click on links and to go along with the installation of the malware on their mobile.

"As seen with Eurograbber, attackers are focusing on the weakest link, the people behind the devices, and using very sophisticated techniques to launch and automate their attacks and avoid traceability," concluded Versafe's head of Security Operation Center, Eran Kalige.

Last June, security company Kaspersky Lab reported on what could in hindsight have been one component of the Eurograbber attack, a mobile app designed to intercept SMS messages, uploading them to a remote server. Around the same time, a separate but almost identical attack was noticed by Trusteer.

Even earlier, in 2011, news emerged of a similar attack in Poland that targeted the same layer of authentication. Perhaps banks and their customers had more warning than they realised.
