'Eurograbber' Lets Attackers Steal 36 Million Euros From Banks, Customers

Cybercriminals combine new Trojan with SMS malware to crack online banking systems

Dark Reading Staff, Dark Reading

December 6, 2012


Researchers say they have identified and thwarted a malware attack that enabled attackers to steal more than 36 million euros from more than 30,000 online banking customers in Europe.

The attack, dubbed "Eurograbber," infected users' PCs with a new version of the Zeus Trojan, and then convinced them to download malware to their cell phones, defeating the second factor of authentication and exposing online banking accounts to slow data theft, according to researchers at security vendor Check Point Software and Versafe, an online fraud prevention vendor.

"It was a targeted, multistage, sophisticated attack that used two different Trojans to infect both the online banking system and the user's phone," says Darrell Burkey, director of IPS at Check Point. "It broke through both the first factor of authentication on the banking system and the second factor of authentication, which in Europe is often an SMS-based cell phone."

The attack affected more than 30,000 accounts at more than 30 banks throughout Europe, the researchers say. The criminals stole money in small amounts from both personal and corporate accounts so as not to be immediately detected.

The researchers shared their discovery with the affected banks and law enforcement agencies, and the infrastructure that was used to crack the online banking systems has been taken down, Check Point and Versafe say. The perpetrators of the crime have not been identified.

"We're not saying that it couldn't come back," says Eyal Gruner, security engineer at Versafe. "When the infrastructure under High Roller [another malware attack] was taken down, it reappeared again later. It's still out there, but the initial command-and-control infrastructure has been taken down."

Check Point has registered a signature for the attack, and its software would block the attack if it reappeared, Burkey says.

The attack was sophisticated in that it infected the banking system first and then sent a phishing message to customers, telling them to update the online banking software on their cell phones. The update messages appeared to come directly from the affected bank, and a significant percentage of customers fell for the ruse and downloaded the Zitmo-based malicious software to their phones, the researchers say.

"It's definitely one of the most sophisticated banking attacks we've seen," Burkey says.
