Check Point and independent fraud prevention vendor Versafe found that the attacks originated in Italy, but quickly spread to Germany, Holland and Spain, using a new iteration of Zeus that they have christened the “Eurograbber.” The attacks were directed at both computers and mobile devices.
Eurograbber was launched against private and corporate banking customers, first infecting the victims’ computers, and then their mobile devices in order to intercept SMS messages to bypass the banks’ two-factor authentication process. With the stolen information and the transaction authentication number (TAN), the attackers then performed automatic transfers of funds, ranging between €500 and €250,000, from the victims’ accounts to mule accounts across Europe. Android and Blackberry mobile devices were especially targeted.
“Cyberattacks have become more sophisticated, more creative, and more targeted than ever before,” said Eran Kalige, head of the security operation center at Versafe. “As seen with Eurograbber, attackers are focusing on the weakest link, the people behind the devices, and using very sophisticated techniques to launch and automate their attacks and avoid traceability.”
Specifically, getting around the two-factor authentication came down to human manipulation – showing that once again, people should be ever-vigilant against activity that seems odd or unusual.
During the customer’s first online banking session after their computer is infected, Eurograbber injects instructions into the session that prompts the customer to enter his or her mobile phone number, the researchers explained. Then, the victim is asked to complete the “banking software security upgrade,” by following the instructions sent to their mobile device via SMS. The attacker’s SMS instructs a customer to click on a link to complete a “security upgrade” on their mobile phone; however, clicking on the link actually downloads a variant of “Zeus in the mobile” (ZITMO) trojan, which is specifically designed to intercept the bank’s SMS containing the all-important “transaction authorization number” (TAN), which is the key element of the bank’s two factor-authorization. The Eurograbber then uses the TAN to complete its own transaction to silently transfer money out of the bank customer’s account.
The Eurograbber attack occurs entirely in the background. Once the “security upgrade” is completed, the bank customer is monitored and controlled by Eurograbber attackers and the customer’s online banking sessions give no evidence of the illicit activity.
“Cyberattacks are constantly evolving to take advantage of the latest trends. As online and mobile banking continue to grow, we will see more targeted attacks in this area, and Eurograbber is a prime example,” said Gabi Reish, head of product management at Check Point. “The best way to prevent these attacks is with a multi-layered security solution that spans network, data and endpoints, powered by real-time threat intelligence.”