Researchers uncover 'Eurograbber' attack

Researchers from Check Point and Versafe discover a sophisticated attack used to steal millions from corporate and private banking customers across Europe.

Researchers from Check Point and Versafe have discovered a sophisticated attack used to steal millions from corporate and private banking customers across Europe.

The vendors describe the attack in a new report called "A Case Study of Eurograbber: How 36 million was stolen via malware.” Among other things, they say:

  • An estimated €36+ million has been stolen from more than 30,000 corporate and private bank accounts.
  • The attacks originated in Italy, but quickly spread to Germany, Holland, and Spain.
  • The theft involved a sophisticated combination of malware directed at computers and mobile devices of banking customers.
  • A new and very successful iteration of a bot attack (the Zeus Trojan) was used in the widespread Eurograbber attack.
  • Android and Blackberry mobile devices were specifically targeted, showing that attacks against Android devices are a growing trend.

In a report summary, the researchers wrote:

Eurograbber was launched against banking customers, using a sophisticated combination of malware directed at computers and mobile devices. The malware, in conjunction with the attackers’ command and control server, first infected the victims’ computers, and then, infected their mobile devices in order to intercept SMS messages to bypass the banks’ two-factor authentication process.  With the stolen information and the transaction authentication number (TAN), the attackers then performed automatic transfers of funds, ranging between €500 and €250,000, from the victims’ accounts to mule accounts across Europe.

The report offers a step-by-step picture of how individual computers are infected and how the infected machines are then used to pull off the heist.

As to how users can protect themselves from becoming victims, the report suggests the following:

1. Regular Updates. Attackers consistently look to exploit known security flaws so a critical preventative measure is to regularly update all computers that are used to conduct online banking transactions. Doing so ensures the most current vendor patches and security signatures are applied thus providing the most current security available. Below are the primary elements that should be regularly updated.

--Operating System

--Antivirus software

--Java

--Adobe Flash

--Adobe Reader

--Internet Browser

--Any other tools or programs used for downloading files or web surfing

One of the most common infection methods is “drive-by-downloads” where malicious code is silently downloaded onto a web surfer’s computer while they are surfing the internet. It is very likely that some of the Eurograbber victims were initially infected by drive-by-downloads. Maintaining current software and security products on your computer will provide the most protection against current infection techniques like drive-by-downloads. Additionally, conducting regular antivirus scans can inform users of existing computer infections so they can take remediation actions to remove the malware.

2. Never respond to unsolicited emails. Social engineering is an essential part of the attack. The email directing the customer to "click on the link to improve online banking security" is the key that opens Pandora's Box and begins the attack. Known as "phishing" emails, if the banking customer recognizes the email as unsolicited and does not click on the link, their desktop will not be infected and the Eurograbber attack will not occur. It is very important to never respond to unsolicited emails from your financial institutions. If the message is concerning to you, then contact the institution directly. Use a different source rather than using a phone number provided in the email. Inform them of the email and follow their guidance.

As a user, following best practices - maintaining OS, application and security currency on your computer and exercising caution with unsolicited emails and during internet surfing - can provide some of the very best protection against becoming infected.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.