Inside Eurograbber: the £30m mobile banking heist
In the history of bank robberies, the £30 million stolen by the Eurograbber attack in 2012 ranks as one of the all-time biggest, globally. And when you consider that this sum was stolen from more than 30,000 accounts across 30 banks in four European countries, using malware that affected both PCs and bank customers’ mobile phones, it must also rank as one of the most sophisticated thefts ever discovered, writes Terry Greer-King, UK managing director of Check Point*
But the most worrying aspect of Eurograbber was that it worked within banks’ existing two-factor authentication security, so that – from the banks’ viewpoint – the fraudulent transactions appeared perfectly legitimate. This helped Eurograbber to remain active and undetected for months. So how was it able to do this?
The key to Eurograbber’s success was that the hackers behind the attack had an in-depth understanding of how both consumer and business online banking systems work. The attack specifically targeted the two-factor authentication method using one-time passcodes sent by SMS to mobile devices, and relied on intercepting those text messages so that legitimate passcodes could be exploited.
Attacking on two fronts
What the attackers did was to develop a two-stage attack. The first involved infecting the customer’s PC, and phishing their details. This was done by transparently infecting the customer, using either a phishing e-mail with a malicious link, or by surfing to a malicious link on the web. This downloaded a customised version of the well-known Zeus Trojan onto their PC.
Then, when the bank customer accessed their bank account, the Trojan woke up and launched a fake version of the bank’s web page, containing instructions for ‘upgrading’ the user’s online banking system. As well as asking the user to re-key account numbers and other bank details, it requested their mobile phone details. The page then instructed the user that in order to complete the upgrade, instructions would be sent to their mobile by text.
This was the second stage of the attack. When the user received the text, which appeared to be from their bank, they were directed to complete the ‘banking upgrade’ by clicking on a link. However, doing this caused the Zeus in the mobile – ZITMO – Trojan to be downloaded. If the user had a BlackBerry, Android or Symbian phone – it was infected.
This completed the circle of infection for the user’s PC and mobile device. From then on, every time they accessed their bank account online, the attack initiated a transaction to transfer money out of their account. This worked by the Trojan on the PC recognising that the user was accessing their account, and sending a request to the bank to transfer an amount of money to the attacker’s ‘mule’ account.
When the bank received that request, generated the transaction authentication number and sent it via SMS to the customer’s mobile device. This was intercepted by the Trojan on the mobile. The Trojan then, extracted the TAN and sent it back to the bank to complete the illicit transaction.
The fraudulent transactions were completely invisible to customers, as they didn’t see the bank’s SMS messages on their mobile phone. And to the bank, they looked like legitimate transactions. The attackers even configured the Zeus trojans to restrict the amount transferred in each transaction to a percentage of the account’s balance, helping them to remain undetected.
So what security lessons can be drawn from the Eurograbber attack? It was certainly successful in exploiting out-of-band authentication methods, in which a one-time passcode is created and sent to a mobile device, which are quite commonly used.
While banks that use other authentication methods were not vulnerable to this specific attack, it highlights the fact that exploits can be developed to target specific authentication systems – and that attackers have the patience and resources to do so.
However, it also highlights the critical role that online banking users themselves play in security. Eurograbber targeted customers, not the banks themselves. So the best protection against possible future attacks like Eurograbber is to ensure online banking customers have up-to-date protection on the network that gives access to their bank, and on the PC they use.
It’s worth reiterating to users that banks should never send an unsolicited email, and so any they get will be phishing mails. Users should be encouraged to use up-to-date antivirus software and a firewall on their home PCs. Cost is not an issue here: there are free solutions from ZoneAlarm and others that deliver protection matching leading paid-for products. These solutions will detect variants of the Zeus Trojan before the user’s PC becomes infected. Another key preventative measure is for users to regularly install software updates on PCs.
There is no ‘silver bullet’ solution that protects against cyber-attacks like Eurograbber. It’s a matter of ongoing vigilance, and ensuring that the security protections used by banks and their customers are as comprehensive, and as up-to-date as possible.
*Check Point, together with Versafe, discovered the fraud