'Eurograbber' Lets Attackers Steal 36 Million Euros From Banks, Customers
Cybercriminals combine new Trojan with SMS malware to crack online banking systems
Researchers say they have identified and thwarted a malware attack that enabled attackers to steal more than 36 million euros from more than 30,000 online banking customers in Europe.
The attack, dubbed "Eurograbber," infected users' PCs with a new version of the Zeus Trojan, and then convinced them to download malware to their cell phones, defeating the second factor of authentication and exposing online banking accounts to slow data theft, according to researchers at security vendor Check Point Software and Versafe, an online fraud prevention vendor.
"It was a targeted, multistage, sophisticated attack that used two different Trojans to infect both the online banking system and the user's phone," says Darrell Burkey, director of IPS at Check Point. "It broke through both the first factor of authentication on the banking system and the second factor of authentication, which in Europe is often an SMS-based cell phone."
The attack affected more than 30,000 accounts at more than 30 banks throughout Europe, the researchers say. The criminals stole money in small amounts from both personal and corporate accounts so as not to be immediately detected.
The researchers shared their discovery with the affected banks and law enforcement agencies, and the infrastructure that was used to crack the online banking systems has been taken down, Check Point and Versafe say. The perpetrators of the crime have not been identified.
"We're not saying that it couldn't come back," says Eyal Gruner, security engineer at Versafe. "When the infrastructure under High Roller [another malware attack] was taken down, it reappeared again later. It's still out there, but the initial command-and-control infrastructure has been taken down."
Check Point has registered a signature for the attack and its software would block it if it reappeared, Burkey says.
The attack was sophisticated in that it infected the banking system first and then sent a phishing message to customers, telling them to update the online banking software on their cell phones. The update messages appeared to come directly from the affected bank, and a significant percentage of customers fell for the ruse and downloaded the Zitmo-based malicious software to their phones, the researchers say.
"It's definitely one of the most sophisticated banking attacks we've seen," Burkey says.