Cybercrime wave whacks European banks

Banks across Europe are coping with a wave of cybercrime in which criminals transfer funds out of customer accounts through a scam that bypasses some two-factor authentication systems to steal large sums, according to a security firm assisting in the investigation.

The fraudulent transfers are affecting 34 institutions, says Tom Kellermann, chief cybersecurity officer at Trend Micro, which is assisting law enforcement in Europe in combatting this crime wave, seen first in Germany during the spring and now across several countries, including Austria, Switzerland and Sweden. So far, the crimes are being traced to Romania and Russia. The amount of money whisked out of both consumer and commercial bank accounts appears to run into the millions.


Trend Micro isn't naming the affected banks, but today issued a report, "Finding Holes: Operation Emmental," describing the attacks on them. The attack typically begins with an e-mail sent to the intended victims in their local language, pretending to come from a retailer in Germany or Switzerland, for example.

For victims who open the attachment, the resulting malware infection can change the Domain Name System server settings to point to a server under the attacker's control, giving the attacker control over how the infected system resolves Internet domains. The malware then installs a new root Secure Sockets Layer certificate on the infected system, which allows the attackers to serve content from their phishing sites over HTTPS without the user receiving a certificate warning, and then deletes itself without leaving a trace.

"That means if the infection attempt was not immediately detected, any anti-malware check that follows will not detect anything since that file will no longer be there," the report notes. There's just the impact of the attacker's configuration change.
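A baseline check for exactly those two leftover configuration changes, the rewritten DNS resolvers and the added root certificate, as an added example that is not from the article or the Trend Micro report. The file formats, baseline resolver set, internal address range and certificate fingerprints are all constructed assumptions.

```python
"""Audit for the two artifacts Operation Emmental leaves after the dropper
deletes itself: altered DNS resolvers and an extra root CA. Constructed data."""
import ipaddress
import re

# Constructed baseline: resolvers and address space the organisation operates.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed allowlist of root-CA SHA-256 fingerprints (placeholder values).
KNOWN_ROOT_FINGERPRINTS = {"AA" * 32, "BB" * 32}

# Constructed resolv.conf-style snapshot taken from a suspect host.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.7
"""
# Constructed root-store dump, one "subject,sha256" line per certificate.
SAMPLE_ROOT_STORE = "\n".join([
    "CN=Corp Root CA," + "AA" * 32,
    "CN=Secure Banking Root," + "CC" * 32,
])

def parse_resolvers(text):
    """Return nameserver IPs from a resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)

def parse_root_store(text):
    """Return (subject, fingerprint) pairs from the comma-separated dump."""
    rows = []
    for line in text.splitlines():
        if "," in line:
            subject, fp = line.rsplit(",", 1)
            rows.append((subject.strip(), fp.strip().upper()))
    return rows

def audit_host(resolv_conf, root_store):
    """Return findings; an empty list means both artifacts match the baseline."""
    findings = []
    for ip in parse_resolvers(resolv_conf):
        if ip in EXPECTED_RESOLVERS:
            continue
        # A resolver outside the organisation's own ranges is the tell-tale sign:
        # the host's lookups now go to infrastructure it does not control.
        addr = ipaddress.ip_address(ip)
        scope = "internal" if any(addr in n for n in INTERNAL_NETWORKS) else "external"
        findings.append(f"unexpected {scope} resolver {ip}")
    for subject, fp in parse_root_store(root_store):
        if fp not in KNOWN_ROOT_FINGERPRINTS:
            findings.append(f"unknown root CA {subject!r} fingerprint {fp[:16]}...")
    return findings
```

Run the audit on a fresh snapshot of each host rather than on a file scan, since the dropper itself is gone by the time anti-malware looks.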

The result is that when users of infected machines try to reach their bank's domain, they are directed to a malicious server instead. These phishing sites ask them to log in, revealing their usernames, bank account numbers and other information that would be part of a normal online banking session, and to enter their personal identification numbers, the first authentication factor for access to their accounts.

This complicated cyber-fraud also involves tricking the user into installing a fake Android app that subverts the multi-factor one-time-password system the bank may be using, according to Trend Micro.

Typically, users are asked to provide a one-time password generated by the bank's mobile app. "The regular procedure is to wait for an SMS from the bank but instead of that, the phishing page instructs the user to install a special mobile app in order to receive a number presumably via SMS that they should then type into a website form," the Trend Micro report notes.

It's all part of the scam. The SMS that the bank should supposedly have sent never arrives so the targeted victim is forced to click the "I didn't receive the SMS" link. Victims are fooled into installing the fake mobile app, which lets the attackers "gain full control of users' online banking sessions because in reality, it intercepts session tokens sent via SMS to user phones, which are then forwarded to the cybercriminals." At the end, the attackers have everything they need to fake the users' online banking transactions.

The whole operation, which Trend has dubbed "Emmental," requires that the attackers deploy a Windows malware binary, a malicious Android app sporting various banks' logos, a rogue DNS resolver server, a phishing Web server with several fake bank site pages, and a command-and-control server.

Investigators suspect the attackers may be Russian; some traces of Russian language have been found in the attack code. There are also connection logs from underground sources tying this back to Romania. "A Russian speaker based in Romania could be responsible for the whole operation," Trend Micro surmises in its report. "Or the brains behind the operation could be based in Russia and the Romanian connection only plays a small part in the attack. We cannot say for sure."

One worry in all this is that the attackers are exploiting a weakness in single-session token protection strategies. Banks may need to consider adopting other strategies, such as "use of multiple transaction authentication numbers (TANs), photo TANs, and card readers," the report points out. This "Emmental" bank fraud operation appears to be occurring mainly in Europe, but there's concern something like it could spread elsewhere, including the U.S., in the future.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
