Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


'Eurograbber' Lets Attackers Steal 36 Million Euros From Banks, Customers

Cybercriminals combine new Trojan with SMS malware to crack online banking systems

Researchers say they have identified and thwarted a malware attack that enabled attackers to steal more than 36 million euros from more than 30,000 online banking customers in Europe.

The attack, dubbed "Eurograbber," infected users' PCs with a new version of the Zeus Trojan, and then convinced them to download malware to their cell phones, defeating the second factor of authentication and exposing online banking accounts to slow data theft, according to researchers at security vendor Check Point Software and Versafe, an online fraud prevention vendor.

"It was a targeted, multistage, sophisticated attack that used two different Trojans to infect both the online banking system and the user's phone," says Darrell Burkey, director of IPS at Check Point. "It broke through both the first factor of authentication on the banking system and the second factor of authentication, which in Europe is often an SMS-based cell phone."

The attack affected more than 30,000 accounts at more than 30 banks throughout Europe, the researchers say. The criminals stole money in small amounts from both personal and corporate accounts so as not to be immediately detected.

The researchers shared their discovery with the affected banks and law enforcement agencies, and the infrastructure that was used to crack the online banking systems has been taken down, Check Point and Versafe say. The perpetrators of the crime have not been identified.

"We're not saying that it couldn't come back," says Eyal Gruner, security engineer at Versafe. "When the infrastructure under High Roller [another malware attack] was taken down, it reappeared again later. It's still out there, but the initial command-and-control infrastructure has been taken down."

Check Point has registered a signature for the attack and its software would block it if it reappeared, Burkey says.

The attack was sophisticated in that it infected the banking system first and then sent a phishing message to customers, telling them to update the online banking software on their cell phones. The update messages appeared to come directly from the affected bank, and a significant percentage of customers fell for the ruse and downloaded the Zitmo-based malicious software to their phones, the researchers say.

"It's definitely one of the most sophisticated banking attacks we've seen," Burkey says.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/10/2012 | 7:58:52 PM
re: 'Eurograbber' Lets Attackers Steal 36 Million Euros From Banks, Customers
The real challenge is that authenticating the end user and
signing transactions all happen on the front end.- A secure SMS text with an OTP that the MITM can't read is fine - the MITM doesn't need it.-He wants you logged on - he's going to change your transaction details "in flight"

The front end is unsafe to the point that secure out-of-band, or out-of-channel communication from the backend is required.- Not transaction signing, but transaction review and approval. A phone-based voice call that speaks your transaction details to you and permits approval or cancellation is one example, provided you can can defend against call forwarding and exploits against the phone.- That takes a vendor with experience.

A smart app on a smart phone or tablet with an encrypted communication layer and a top of the stack application level
encryption to protect it from ZITMO is another example.- The app would let you review and approve or cancel the transaction if it isn't correct.-

Don't trust using an app on the same phone the banking app is on - mix and match.- Bank on a tablet, validate
the transaction on the smart phone.- The BYOD trend should offer more ways to secure transactions, not fewer.- The situation today is similar to the initial rush to online banking back in the 90's.-Identity theft and account takeover were rampant because in the rush to get "there" - not a lot of thought was given to the vulnerabilities.- The mobile rush is on
and similar and similar pitfalls are happening.-

Now BEFORE anyone starts poking holes in the use of out-of-band, and phone-based authentication, or smart app as an out-of-band end point, as I said - you need a vendor that knows how to defend those channels against the exploits.- Call forward, SIM swap, phone account takeover - and there are ways to defend the voice and 3G 4G channels.-

The sky is not falling, FI's just need to catch up.
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-26
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
PUBLISHED: 2021-01-26
The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.
PUBLISHED: 2021-01-26
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI.
PUBLISHED: 2021-01-26
NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an un...
PUBLISHED: 2021-01-26
NVIDIA Tegra kernel in Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, all L4T versions prior to r32.5, contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to...