
Eurograbber SMS Trojan steals €36 million from online banks

Huge attack hits 30,000 accounts in Germany, Italy and Spain


A devastating Zeus Trojan attack was able to break the supposedly impregnable SMS authentication used by a clutch of European banks, stealing €36 million (£30 million) from tens of thousands of customers, security firm Check Point has revealed.

Dubbed ‘Eurograbber’, the attack on 30 unidentified banks across Italy, Spain, Germany, and The Netherlands happened over a period between August and mid-October of this year, eventually affecting 30,000 consumer and business accounts.

During the attack, the gang was able to initiate transfers ranging from €500 to €250,000 using mule accounts, the company said.

Apart from its staggering financial success, what marks this attack out from a clutch of previous online bank attacks using earlier variants of the same Zeus malware is simply that it took on and beat a common two-factor security technology using a clever but fundamentally simple design.

Bank customers would have been infected by clicking on links or attachments that initiated the infection on their PC, but that was the straightforward part of the story; the attack still needed to get hold of the Transaction Authentication Number (TAN) sent by banks via SMS to allow login to proceed.

Easy. When a target next logged on to their online account, the Trojan fired up and asked them to confirm their mobile number, feeding them a bogus ‘banking software security upgrade’.

That upgrade turned out to be a link to the second part of the attack, which loaded a “Zeus in the mobile” (ZITMO) Trojan on any customers using Android or BlackBerry handsets. This intercepted the real TAN when it was sent by the bank.

That money was being transferred behind the scenes would not have been apparent to the customer until they checked their monthly statements, since the Trojan on the PC presented a normal-looking session while the mobile Trojan silently forwarded the TAN.

“Once a bank customer is infected, they are owned,” was the stark assessment of Check Point’s director of Intrusion Prevention Products, Darrell Burkey.

“The transaction appears to be completely normal to the bank.”

Disturbingly, the appalling scale of the attack only became apparent once security specialist and partner Versafe was called in and joined up some dots.

“Each one [a bank] looked at it in isolation,” said Burkey.

Could the attacks have been stopped? It’s not clear whether antivirus – or the lack of it – was an issue in this incident so let’s move on to the mobile question.

The attack would not have worked against customers using the iPhone or a Windows Phone, which is not entirely a coincidence. Unless jailbroken, apps (including Trojans) can’t reach the iPhone except through the official channel controlled and monitored by Apple itself. The relative openness of Android was in this case a major weakness.

No software vulnerabilities were needed to initiate the malware on either the PC or mobile; Eurograbber succeeded thanks to old-fashioned social engineering of the user to click on links and to go along with the installation of the malware on their mobile.

“As seen with Eurograbber, attackers are focusing on the weakest link, the people behind the devices, and using very sophisticated techniques to launch and automate their attacks and avoid traceability,” concluded Versafe’s head of Security Operation Center, Eran Kalige.

Last June, security company Kaspersky Lab reported on what could in hindsight have been one component of the Eurograbber attack, a mobile app designed to intercept SMS messages, uploading them to a remote server. Around the same time, a separate but almost identical attack was noticed by Trusteer.

Even earlier, in 2011, news emerged of a similar attack in Poland that targeted the same layer of authentication. Perhaps banks and their customers had more warning than they realised.


Comments

John Zurawski, Authentify said: The real challenge is that authenticating the end user and signing transactions all happen on the front end. A secure SMS text with an OTP that the MITM can't read is fine - the MITM doesn't need it. He wants you logged on - he's going to change your transaction details in flight. The front end is unsafe to the point that secure out-of-band or out-of-channel communication from the backend is required. Not transaction signing but transaction review and approval. A phone-based voice call that speaks your transaction details to you and permits approval or cancellation is one example, provided you can defend against call forwarding and exploits against the phone. A smart app on a smart phone or tablet with an encrypted communication layer and a top-of-the-stack application-level encryption to protect it from ZITMO is another example. The app would let you review and approve or cancel the transaction if it isn't correct. Don't trust using an app on the same phone the banking app is on - mix and match. Bank on a tablet, validate the transaction on the smart phone. The BYOD trend should offer more ways to secure transactions, not fewer. The situation today is similar to the initial rush to online banking back in the 90s. Identity theft and account takeover were rampant because in the rush to get there, not a lot of thought was given to the vulnerabilities. The mobile rush is on and similar pitfalls are happening. Now, BEFORE anyone starts poking holes in the use of out-of-band and phone-based authentication, or a smart app as an out-of-band end point, as I said, you need a vendor that knows how to defend those channels against the exploits: call forwarding, SIM swap, phone account takeover - and there are ways to defend the voice and 3G/4G channels. The sky is not falling; FIs just need to catch up.
