Over the past year, about 30,000 European banking customers were robbed of about €36m (£24.5m) in an online banking scam that worked by exploiting mobile devices, according to security firms that stumbled into the operation.
The scam has been dubbed Eurograbber by Check Point Software Technologies and Versafe, which say they learned of the operation through financial institutions they work with after those banks' online customers were hit. Eurograbber typically worked by tricking victims into downloading a customised variant of the Zeus Trojan, which then took control of their computers and intercepted online banking sessions. Infection with the Eurograbber Trojan could occur during Internet browsing or by falling for a phishing email, said Darrell Burkey, director of IPS products at Check Point Software Technologies, which worked with Israel-based Versafe to investigate Eurograbber.
"It's basically a man-in-the-middle attack against a bank site," said Burkey, adding that the scam is believed to be a crime operation out of the Ukraine, whose command-and-control servers were recently disrupted by European law enforcement with ISP cooperation.
Eurograbber was first detected in Italy, then spread in Germany, Holland and Spain, and hit both commercial accounts as well as those of individual consumers at about 30 banks, according to Check Point and Versafe, which today published a report about how Eurograbber worked.
Eurograbber was able to illegally transfer funds out of customers' accounts in amounts ranging from €500 to €250,000. And though there has been much bank-related fraud in the past few years, Eurograbber struck the security firms as notable in how it overcame a bank security measure based on sending a so-called transaction authentication number (TAN) via SMS to the customer's mobile device. The TAN, delivered by SMS, is intended to let the bank customer verify that an online banking transaction is one they have indeed authorised – but Eurograbber compromises that, too.
During the customer's first banking session after their computer is infected, the Eurograbber malware injects instructions into the session that prompt the customer to enter their mobile phone number. At that point, the victim is told to complete a fake "banking software security upgrade" by following instructions sent to their mobile device via SMS. The attacker's SMS instructions tell the victim to click on a link to complete a "security upgrade" on their mobile phone. However, "clicking on the link actually downloads a variant of the 'ZeuS in the mobile' (ZITMO) Trojan," the report says. "The ZITMO variant is specifically designed to intercept the bank's SMS containing the all-important 'transaction authorization number.'"
This TAN is the key element in the bank's two-factor authorization process for an online banking transaction. Once the Eurograbber Trojan on the victim's mobile device intercepts it, the malware works silently in the background to complete the transaction under the control of the crime organization, transferring money out of the victim's bank account to wherever the criminals want.
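The flow above is worth modelling to see exactly what the second factor buys. The following toy simulation is an added illustration, not code from the Check Point/Versafe report or from any bank: a bank issues a TAN bound to the transaction it actually received and repeats the transaction details in the SMS, which defeats a browser-only man-in-the-middle that swaps the payee (the customer sees the wrong details and refuses) but not a Eurograbber-style attacker who also controls the phone and relays the TAN. All party names, keys and amounts are constructed.

```python
# Added illustration (not from the Eurograbber report): toy model of SMS-TAN
# confirmation. Every party, key and value is constructed for demonstration.
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    dest: str
    amount_eur: int


class Bank:
    """Issues a TAN bound to the transaction the bank actually received."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending: dict[str, tuple[Transfer, str]] = {}
        self.executed: list[Transfer] = []

    def request(self, session: str, t: Transfer) -> str:
        msg = f"{session}|{t.dest}|{t.amount_eur}".encode()
        tan = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:6]
        self.pending[session] = (t, tan)
        # The SMS repeats the details so an attentive customer can compare them.
        return f"Transfer {t.amount_eur} EUR to {t.dest}. TAN {tan}"

    def confirm(self, session: str, tan: str) -> bool:
        t, expected = self.pending.pop(session)
        ok = hmac.compare_digest(tan, expected)
        if ok:
            self.executed.append(t)
        return ok


def run_session(intended: Transfer, browser_swaps: Transfer | None,
                phone_compromised: bool) -> list[Transfer]:
    """Return the transfers the bank executes for one online-banking session."""
    bank = Bank(key=b"constructed-demo-key")
    submitted = browser_swaps or intended          # man-in-the-browser rewrite
    sms = bank.request("s1", submitted)
    tan = sms.rsplit(" ", 1)[1]
    if phone_compromised:
        # Mobile malware hides the SMS from the customer and relays the TAN.
        bank.confirm("s1", tan)
    elif f"{intended.amount_eur} EUR to {intended.dest}" in sms:
        bank.confirm("s1", tan)                     # details match: customer approves
    return bank.executed
```

The third scenario is the Eurograbber case: once the SMS channel is read by the attacker, the TAN is no longer an independent factor, which is why defences have to move to a device the attacker does not control or to server-side transaction monitoring.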
Burkey said Eurograbber mobile Trojans were identified for Android, BlackBerry and Symbian devices, as well as for jailbroken iPhones on which Apple's iOS security controls have been disabled. Although so far Eurograbber appears not to have been used as an online banking attack outside of Europe, "there's no reason it couldn't happen here," said Burkey.