Attacks/Breaches

12/5/2012
10:13 AM
50%
50%

Zeus Botnet Eurograbber Steals $47 Million

Sophisticated, targeted attack campaign enabled criminals to steal an estimated $47 million from more than 30,000 corporate and private banking customers.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
A criminal gang wielding a new version of Zeus malware that's designed for mobile devices has stolen an estimated 36 million euros, or $47 million, from more than 30,000 corporate and private banking customers.

That finding comes from a new report published by security vendors Versafe and Check Point Software Technologies. They've dubbed the related attack campaign as "Eurograbber," and notified banks and law enforcement agencies in the affected countries.

Attackers have configured the malware to target customers of 16 specific banks in Italy, as well as seven in Spain, six in Germany and three in the Netherlands. "To date, this exploit has only been detected in euro zone countries, but a variation of this attack could potentially affect banks in countries outside of the European Union as well," according to the report. Individual transfer amounts made by Eurograbber malware have ranged from 500 euros ($656) to 250,000 euros ($328,000).

The malware used by attackers is a customized version of the Zitmo Trojan spyware application. Zitmo is short for "Zeus in the mobile," and the malware is designed to defeat the two-factor authentication systems employed by some banks. To do that, a companion, smartphone version of the malware intercepts the one-time transaction authentication number (TAN) that banks send to a customer's mobile device, via SMS, which the customer must then enter into a banking website prompt to authorize a money transfer.

[ Here is a good question: Can Banks Prevent The Next Cyber Attack? ]

The Zitmo Trojan can infect a PC if a user clicks on a malicious link in a spam or phishing email, or on a link on a website that's been compromised by attackers. The malicious Trojan application then remains dormant until a user logs into a targeted financial firm's website. "The next time the bank customer logs in to their bank account, the Eurograbber Trojan intercepts their banking session and injects a JavaScript into the customer's banking page," according to the report. "This malicious JavaScript informs the customer of the 'security upgrade' and instructs them on how to proceed."

The security upgrade page requests that the user indicated which mobile operating system their smartphone uses -- Android, BlackBerry, iOS (iPhone), Symbian (Nokia) or other -- as well as their mobile phone number. This information is then relayed to a drop zone, which is a publicly writable folder on a Web server -- which attackers may have previously hijacked -- where they store information about every infected bank customer's PC, including account numbers, log-in credentials, and one-time passwords.

A bogus confirmation SMS is then sent to the user's smartphone. "The SMS directs the customer to complete the security upgrade by clicking on the attached link. Doing so downloads a file onto the customer's mobile device with the appropriate mobile version of the Eurograbber Trojan," according to the report.

From then on, anytime that PC is used to log onto the targeted financial website, automatic attacks may take place, with the malware on the PC initiating transfers, and the malware on the smartphone intercepting any TAN sent by the bank, and automatically approving the transaction, which transfers money to mule accounts. "Victims' bank accounts will have lost money without their knowledge," according to the report. "This entire process occurs every time the bank customer logs into his or her bank account."

News of the Eurograbber Zitmo attack campaign follows the recent discovery of a cybercrime campaign waged using the Gameover Zeus Trojan, which steals banking credentials using phony but real-looking emails. Millions of those emails have been circulating in recent weeks, and are being distributed via the Cutwail spamming botnet.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
12/6/2012 | 12:35:15 PM
re: Zeus Botnet Eurograbber Steals $47 Million
the problem is un-authorized programming, aka "malware" or "virus" not authentication.

AS USUAL
Authentify_JohnZurawski
50%
50%
Authentify_JohnZurawski,
User Rank: Apprentice
12/10/2012 | 8:03:20 PM
re: Zeus Botnet Eurograbber Steals $47 Million
The real challenge is that authenticating the end user and signing transactions all happen on the front end. A secure SMS text with an OTP that the MITM can't read is fine - the MITM doesn't need it. He wants you logged on - he's going to change your transaction details "in flight"
The front end is unsafe to the point that secure out-of-band, or out-of-channel communication from the backend is required. Not transaction signing, but transaction review and approval. A phone-based voice call that speaks your transaction details to you and permits approval or cancellation is one example, provided you can can defend against call forwarding and exploits against the phone. That takes a vendor with experience.

A smart app on a smart phone or tablet with an encrypted communication layer and a top of the stack application level encryption to protect it from ZITMO is another example. The app would let you review and approve or cancel the transaction if it isn't correct. Don't trust using an app on the same phone the banking app is on - mix and match. Bank on a tablet, validate the transaction on the smart phone. The BYOD trend should offer more ways to secure transactions, not fewer. The situation today is similar to the initial rush to online banking back in the 90's. Identity theft and account takeover were rampant because in the rush to get "there" - not a lot of thought was given to the vulnerabilities. The mobile rush is on and similar and similar pitfalls are happening. Now BEFORE anyone starts poking holes in the use of out-of-band, and phone-based authentication, or smart app as an out-of-band end point, as I said - you need a vendor that knows how to defend those channels against the exploits. Call forward, SIM swap, phone account takeover - and there are ways to defend the voice and 3G 4G channels. The sky is not falling, FI's just need to catch up.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Darn - typed UNICORN instead of UNICODE.  
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.