A devastating Zeus Trojan attack was able to break the supposedly impregnable SMS authentication used by a clutch of European banks, stealing €36 million (£30 million) from tens of thousands of customers, security firm Check Point has revealed.
Dubbed ‘Eurograbber’, the attack on 30 unidentified banks across Italy, Spain, Germany, and The Netherlands happened over a period between August and mid-October of this year, eventually affecting 30,000 consumer and business accounts.
During the attack, the gang was able to initiate transfers ranging from €500 to €250,000 using mule accounts, the company said.
Apart from its staggering financial success, what marks this attack out from a clutch of previous online bank attacks using earlier variants of the same Zeus malware is simply that it took on and beat a common two-factor security technology using a clever but fundamentally simple design.
Bank customers would have been infected by clicking on links or attachments that initiated the infection on their PC, but that was the straightforward part of the story; the attack still needed to get hold of the Transaction Authentication Number (TAN) sent by banks via SMS to allow login to proceed.
Easy. When a target next logged on to their online account, the Trojan fired up and asked them to confirm their mobile number, feeding them a bogus ‘banking software security upgrade’.
That upgrade turned out to be a link to the second part of the attack, which loaded a “Zeus in the mobile” (ZITMO) Trojan on any customers using Android or BlackBerry handsets. This intercept the real TAN when it was sent by the bank.
That money was being transferred behind the scenes would not have been apparent to the customer until they checked their monthly statements.
“Once a bank customer is infected, they are owned,” was the stark assessment of Check Point’s director of Intrusion Prevention Products, Darrell Burkey.
“The transaction appears to be completely normal to the bank.”
Disturbingly, the appalling scale of the attack only became apparent once security specialist and partner Versafe was called in and joined up some dots.
“Each one [a bank] looked at it in isolation,” said Burkey.
Could the attacks have been stopped? It’s not clear whether antivirus – or the lack of it – was an issue in this incident so let’s move on to the mobile question.
The attack would not have worked against customers using the iPhone or a Windows Phone, which is not entirely a coincidence. Unless jailbroken, apps (including Trojans) can’t reach the iPhone except through the official channel controlled and monitored by Apple itself. The relative openness of Android was in this case a major weakness.
No software vulnerabilities were needed to initiate the malware on either the PC or mobile; Eurograbber succeeded thanks to old-fashioned engineering of the user to click on links and to go along with the installation of the malware on their mobile.
“As seen with Eurograbber, attackers are focusing on the weakest link, the people behind the devices, and using very sophisticated techniques to launch and automate their attacks and avoid traceability,” concluded Versafe’s head of Security Operation Center, Eran Kalige.
Last June, security company Kaspersky Lab reported on what could in hindsight have been one component of the Eurograbber attack, a mobile app designed to intercept SMS messages, uploading them to a remote server. Around the same time, a separate but almost identical attack was noticed by Trusteer.
Even earlier, in 2011, news emerged of a similar attackin Poland that targeted the same layer of authentication. Perhaps banks and their customers had more warning than they realised.