How did European bank malware steal $47 million?

Summary: Perhaps online banking two-step verification isn't as secure as we think.


Just how is 36 million euros ($47 million) stolen through mobile malware?

A paper released by Checkpoint suggests that attackers operating from Eastern Europe have systematically stolen approximately $47 million using a trojan that infects smartphones. The malware, dubbed "Eurograbber", is a trojan variant based on the Zeus and Zitmo banking malware.

According to the firm, by intercepting two-step authentication text messages sent to mobile phone users -- with a particular bent towards BlackBerry and Android models -- amounts ranging between 500 and 250,000 euros have been stolen from over 30,000 banking customers.

Eurograbber hits in multiple stages. After the victim unknowingly clicks a link in a phishing email -- or possibly visits a malicious website -- the trojan is downloaded onto the victim's computer. Once the banking customer logs into their bank account, the banking session is intercepted and malicious JavaScript code is injected into the banking page. The customer is then notified of a "security upgrade", asked for their mobile phone number, and instructed to click on a link in an SMS message sent to the number they submitted.

This stage triggers a file download to the customer's mobile containing a variant of the Zitmo trojan customised for different operating systems, namely Android, BlackBerry and Windows. The customer then receives a "verification code", which they must enter through their desktop on the now-malicious banking page.

Once the code is entered, the injected JavaScript informs the banking customer that the security upgrade is complete, and the trojan's work can begin.

Banks in Europe often use "transaction authorization numbers" (TANs) to prevent fraudulent online transactions, in the same way that PayPal now offers a service which requires you to input an SMS-sent key before accessing your account online. The Eurograbber trojan's sophisticated attack circumvents this two-factor authentication: once installed, it monitors banking activity and intercepts the SMS, allowing money to be silently transferred out of the bank account.
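To make the TAN mechanism concrete, here is an added example of the bank-side issue-and-verify logic for an SMS-delivered TAN (mTAN); it is not code from the article, from Checkpoint, or from any bank. The key, the transaction values and the clock are constructed for illustration. It shows the properties a bank relies on (the code is bound to one beneficiary and amount, expires, and is single-use) and, by implication, why they are not enough here: Eurograbber's attacker initiates the transfer, the bank dutifully sends a correct TAN for that transfer, and the trojan on the phone forwards it while hiding the message, so the customer never gets to compare the beneficiary and amount the SMS spells out.

```python
"""Bank-side issue/verify of a transaction-bound, single-use, expiring mTAN.

Added example, not the article's or any bank's code. Key, transaction values
and timestamps below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time


class TanService:
    """Issues one-time codes tied to a specific transfer and checks them."""

    def __init__(self, key: bytes, ttl_seconds: int = 300, digits: int = 6):
        self._key = key                # constructed server-side secret
        self._ttl = ttl_seconds        # how long a TAN stays valid
        self._digits = digits
        self._pending = {}             # tx_id -> (nonce, expiry)

    def _derive(self, tx_id, iban, amount_cents, nonce):
        # HMAC over the transaction details: a TAN issued for one
        # beneficiary/amount will not verify for a different one.
        msg = f"{tx_id}|{iban}|{amount_cents}|{nonce}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        value = int.from_bytes(mac[:4], "big") % 10 ** self._digits
        return str(value).zfill(self._digits)

    def issue(self, tx_id, iban, amount_cents, now=None):
        """Return the SMS text the bank would send for this transaction."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(8)
        self._pending[tx_id] = (nonce, now + self._ttl)
        tan = self._derive(tx_id, iban, amount_cents, nonce)
        # The message repeats beneficiary and amount so a customer who can
        # actually read it will notice a transfer they did not initiate.
        return f"TAN {tan} for transfer of {amount_cents / 100:.2f} EUR to {iban}"

    def verify(self, tx_id, iban, amount_cents, tan, now=None):
        """True only for the matching transfer, once, and before expiry."""
        now = time.time() if now is None else now
        entry = self._pending.pop(tx_id, None)   # consumed on any attempt
        if entry is None:
            return False
        nonce, expiry = entry
        if now > expiry:
            return False
        expected = self._derive(tx_id, iban, amount_cents, nonce)
        return hmac.compare_digest(expected, tan)


if __name__ == "__main__":
    svc = TanService(b"constructed-demo-key")
    sms = svc.issue("tx1", "DE00TEST", 50000, now=1000.0)
    print(sms)
    code = sms.split()[1]
    print("matching transfer:", svc.verify("tx1", "DE00TEST", 50000, code, now=1100.0))
    print("replayed TAN:     ", svc.verify("tx1", "DE00TEST", 50000, code, now=1100.0))
```

The verifier recomputes the code from the details of the transfer actually being executed, so a TAN captured for one transfer is useless for another; the weakness Eurograbber exploits is not in this check but in the channel the code travels over.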

Interestingly, Checkpoint says that there is no evidence of these transactions in the victim's online statements -- as the trojan also intercepts the confirmation text sent by the bank -- making it a silent background menace that operates until it's too late. To avoid exposure, only a small percentage of the bank balance is transferred at a time.
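The "small percentage at a time" behaviour is something a bank can look for on its own side, where the trojan cannot hide anything. The following is an added example of such a heuristic, not code from the article or from Checkpoint: it scans a ledger for repeated small transfers to beneficiaries the account has never paid before. The thresholds (10% of balance, three hits in 14 days) and the sample transfers are constructed for illustration and would need tuning against real traffic.

```python
"""Heuristic detection of low-and-slow fraudulent transfers.

Added example (not from the article or the Checkpoint report). The report
describes transfers that each take only a small share of the balance and that
the victim never sees. The thresholds and the sample ledger are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    tx_id: str
    account: str
    beneficiary: str
    amount: float
    balance_before: float
    when: datetime


# Constructed tuning values (hypothetical, not from the page)
MAX_FRACTION = 0.10          # "small percentage" of the balance per transfer
WINDOW = timedelta(days=14)  # period over which hits are accumulated
MIN_HITS = 3                 # repeated pattern required before alerting


def flag_low_and_slow(transfers, known_beneficiaries):
    """Return sorted ids of transfers matching the low-and-slow pattern.

    A transfer is a hit when it goes to a beneficiary the account has not paid
    before AND takes at most MAX_FRACTION of the balance. An account is
    reported only when MIN_HITS such transfers fall within WINDOW.
    """
    hits_by_account = {}
    for t in sorted(transfers, key=lambda t: t.when):
        seen = known_beneficiaries.get(t.account, set())
        new_beneficiary = t.beneficiary not in seen
        small = t.balance_before > 0 and t.amount <= MAX_FRACTION * t.balance_before
        if new_beneficiary and small:
            hits_by_account.setdefault(t.account, []).append(t)

    flagged = set()
    for hits in hits_by_account.values():
        # sliding window over the time-ordered hits for one account
        for i, start in enumerate(hits):
            window = [h for h in hits[i:] if h.when - start.when <= WINDOW]
            if len(window) >= MIN_HITS:
                flagged.update(h.tx_id for h in window)
    return sorted(flagged)


# Constructed sample ledger: acct-A shows the pattern, acct-B does not.
T0 = datetime(2012, 11, 1)
SAMPLE = [
    Transfer("t1", "acct-A", "IBAN-LANDLORD", 900.0, 12000.0, T0),                      # known payee
    Transfer("t2", "acct-A", "IBAN-X1", 500.0, 11100.0, T0 + timedelta(days=2)),         # new, small
    Transfer("t3", "acct-A", "IBAN-X2", 650.0, 10600.0, T0 + timedelta(days=5)),         # new, small
    Transfer("t4", "acct-A", "IBAN-X3", 700.0, 9950.0, T0 + timedelta(days=9)),          # new, small
    Transfer("t5", "acct-B", "IBAN-CAR-DEALER", 8000.0, 9000.0, T0 + timedelta(days=3)),  # new but large
    Transfer("t6", "acct-B", "IBAN-X4", 100.0, 1000.0, T0 + timedelta(days=4)),          # one isolated hit
]
KNOWN = {"acct-A": {"IBAN-LANDLORD"}, "acct-B": {"IBAN-UTILITY"}}

if __name__ == "__main__":
    print("flagged:", flag_low_and_slow(SAMPLE, KNOWN))
```

A large one-off payment to a new payee (t5) is deliberately left alone, since that is ordinary customer behaviour; the signal is the repetition of small payments to fresh beneficiaries, which is exactly what keeps each individual theft under the victim's radar.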

In order to execute these kinds of attacks, Eurograbber relays banking activity back to a team of attackers, who silently complete any transactions they wish. The Command & Control (C&C) server infrastructure was built on SQL databases linked to a number of different domain names, with a layer of proxy servers in front of them to keep detection to a minimum.

The Eurograbber trojan, although targeted at Android and BlackBerry smartphones, has also been found to include variants designed for Windows models. According to the research firm, both corporate and private banking users have been affected.

Attacks began in Italy, and the campaign soon spread to Germany, Spain and Holland. Cases have only been documented in Europe so far, but it is possible that countries outside the European Union may eventually become targets of the Eurograbber trojan as well.

Image credit: Checkpoint

Topics: Security, EU, United Kingdom

  • iPhone not a target?

    Due to iPhone's popularity, I am surprised it's not on the target list. Does it mean iPhone is less vulnerable than Blackberry to this type of attack?
    • iPhone Users Are More Sophisticated

      The user must first fall for a phishing email, and possibly visit a malicious website, for the scam to work. iPhone users aren't that gullible.
      • Oh you ARE funny....

        I support both iPhone and Android; by far the least sophisticated are the iOS users as a rule. But they certainly don't mind paying money for the simplification.
      • apparently...

        ...iPhone users have big egos.
        Just kidding! ;)
    • Trojans can't get on iPhones because

      the iPhone, unless jailbroken, does not allow the installation of such Trojans, because programs on iPhones can only come from Apple. Microsoft and Google allow the installation of programs from unknown sources.
      • Exactly; with power comes great responsibility. You should not open up your phone to unknown sources unless you are savvy enough to do so...but that is not the default behavior of these devices, you have to purposefully allow unknown software on the phone.

        So, while locked up iPhones are safer (unless jailbroken) for the masses, they often have to wait and pay double for the app to make it through the iOS gauntlet. Techies can get more from Android ...non-techies should avoid such complexities.
        • I don't think you meant to...

          ...but you just told the vast majority of Android users that they should have purchased an iPhone instead of the one the carrier pushed them to.
        • How's that cognitive dissonance working out for you vindog?

          iOS users get the apps first and don't pay any more than the Roid prices... Roid is and has always been a festering cesspool of malware. Developers always develop for iOS first and any of the other platforms only as an afterthought...

          Roid is and has always been a device that is like a super high maintenance girlfriend/boyfriend. If you want your Roid to be secure and working properly, you really need to be an uber-geek/nerd and you have to spend a ton of time and energy tweaking the device... Those devices can be a lot of fun providing you have mad skills, but less than 1% of nerds have mad skills; the other 99% think they have mad skills and use apps coded by those who actually do have the skills.

          Less than .002% of the Roid user base has the skills to run those Roids with any semblance of security. The rest are all sitting ducks waiting for the holocaust of malware to rain down on their ignorant little heads. This is the reason that Government and Enterprise are all going iOS and not with Roid, Crackberry, or Windows Teletubby.

          Uber-dorks can get more from Android ...everyone else, including most of the techies should avoid such complexities.
          • Hmmm...

            ... maybe I shouldn't have said "just kidding" about iPhoners being egotists and arrogant.
        • So let me get this right...

          You are saying that Android users are more "sophisticated" users, yet dumb enough to fall for a phishing scam and not techie enough to use the phone. But iPhone users are dumber yet safer... are you not slamming Android users in a roundabout way? And where is SJVN - "...and Android models...". Isn't that some kind of slanderous statement?
      • Actually it does

        What protects iPhone users is Apple checking each application before allowing it to be distributed through their online store; once that security layer has been beaten, iOS devices are just as vulnerable.

        This security layer has been beaten in the last couple of years, and Apple has acted quite aggressively against white-hat hackers checking and testing this route of attack looking for flaws in Apple systems, meaning there could yet be undetected flaws in Apple systems that are being used by hackers and not yet detected by Apple's team.

        I suspect if someone gets past Apple's security team and gets their app onto the Store, they would make a lot more money, especially if the hackers were to somehow design a way to prevent Apple from remotely removing the app from infected iPhones.
      • Android users do not have to allow programs from unknown sources.

        This is a user setting.
  • Not the bank's fault!

    The fault is with the customer's smartphone/computer security. As the customer's identity is stolen, any additional security the bank required would also be stolen.

    If people use their devices insecurely then everything they do electronically will naturally be insecure.

    Actually bank security is excessively secure, it is the customer who opens the door to having their accounts hacked.
    • It actually is the bank's fault.. partially...

      By allowing insecure platforms to perform banking transactions, the banks are indeed partially responsible. When I heard that banks were letting Roid phones do banking I laughed my @ss off... I knew this is exactly what was going to happen.
  • I just don't understand

    I just don't understand why the old Watergate adage "follow the money" doesn't apply. It seems to me that it would be rather simple to track the funds and to claw back any illegal gains. If it isn't so easy to do that now, it should be and certainly can be if bankers are willing to set up such a system (which I thought was already in place).
    • Actually it's not that simple

      There are many countries which act pretty aggressively in protecting account holders' identities, and you could easily route the money through several of these countries, even using entities run by nominee directors to further anonymise who actually owns the company and the money.

      Given enough time and resources, you may eventually track down where the money is but it would probably cost you more than the amount of money stolen in the first place.

      It may be easier to catch the criminals behind the operation than to trace the money, which is actually a pretty common outcome in many of these cases.
  • Crumbs are hard to put together

    The article said that only a small percentage of a victim's bank balance is stolen at one time; and the malware may even monitor deposits to know when it is safe to steal "a few dollars more" (Sorry, Clint, couldn't resist the pun). Like the early batch processing insider thieves who only stole "rounding error" amounts when interest was calculated, they keep their thefts small. And unlike the programmers in the 1950's who were caught, they do NOT transfer the funds into one account; they probably have shell companies set up with many accounts and "launder" the money that way. Then they pay off their personal accounts with regular "paychecks", or "dividends" if you will. Only an automated trace could put together all the "crumbs" of cash and find out where the "loaf" is being reassembled. And it would be necessary to PROVE that the small thefts were actually illegal, ONE AT A TIME, to recover them (except in countries that have the equivalent of the RICO statute in the US).
  • Simple solution - don't do internet banking!

    I have an account with First Direct, the telephone banking arm of HSBC. I can phone any time any day - even Christmas Day, and check my accounts, pay bills etc. Security is via multiple authentication and I am never asked for my password, only 2 letters from it. I fail to see how internet banking can offer more than that. I am not willing to take the chance of a malware infection stealing my bank details and telephone banking is so much simpler - I don't need a computer or even a smart phone.