How a botnet has stolen 36 million Euro from European bank customers

13.12.2012 by Martin Kuppinger

In a recently published study, Versafe and Check Point Software Technologies, two software vendors, analyze the recent Eurograbber attack, which is based on the Zeus botnet and ZitMo (Zeus in the Mobile). This attack reportedly diverted up to 36 million € by intercepting financial transactions.

The most interesting aspect of this is that the attack bypassed the out-of-band authentication of financial transactions. Banks use this approach to send TAN codes (transaction numbers) to the mobile phone of the user. It is out-of-band if (and as long as) the user uses another device, such as his PC, for accessing the online banking application.

This approach has been considered (more or less) secure. However, in the scenario described, the attackers targeted both devices. They first attacked the PC. There they tracked and manipulated online banking sessions and asked for the phone number and device type of the user's mobile phone. Using that information, they sent an “important security update” to the mobile phone which contained the malware for that device. With both devices compromised, they could intercept transactions and steal mobile TANs.

It is very likely that this is just the beginning of such attacks, which challenge the security of out-of-band mechanisms. As of now, the attack requires Windows on the PC and Android or BlackBerry on the mobile device. However, it is just a question of time until iOS, OS X, or Windows Phone will also become “supported” by the attackers.

There is no simple solution to prevent this type of attack. The most important security measure is good anti-malware protection on every PC and ideally on every mobile device – as long as there is such a solution for the mobile device in question. Besides that, fraud detection at the backend, i.e. in the banks, is mandatory to identify such issues as fast as possible and to alert customers.
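As an added illustration of what backend fraud detection can look like when the TAN itself can no longer be trusted (this is not code from the post, from Versafe or from Check Point), the following Python sketch scores an mTAN-confirmed transfer on signals the bank still sees even when both the PC session and the SMS channel are compromised: a first-time beneficiary, an amount far above the customer's usual, and a TAN that comes back faster than a person could read and retype it. All field names, thresholds and the customer history are constructed assumptions; a real deployment would tune them per portfolio and alert the customer over a channel that is independent of both the web session and the mobile phone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Transfer:
    """One transfer request as seen by the bank's backend (constructed schema)."""
    customer: str
    beneficiary: str
    amount: float
    tan_sent: datetime      # when the bank pushed the mTAN to the registered phone
    tan_entered: datetime   # when the TAN came back through the web session


# Constructed per-customer history: beneficiaries used before and past amounts.
HISTORY = {
    "cust-1": {
        "beneficiaries": {"DE-rent-account", "DE-utility"},
        "amounts": [650.0, 700.0, 80.0, 650.0],
    },
}


def signals(t: Transfer, history=HISTORY,
            amount_factor: float = 5.0,
            tan_floor: timedelta = timedelta(seconds=5)) -> list[str]:
    """Return the list of risk signals that fire for this transfer.

    amount_factor and tan_floor are assumed thresholds, not values from the post.
    """
    reasons = []
    h = history.get(t.customer, {"beneficiaries": set(), "amounts": []})

    # A mule account is, by definition, one the customer never paid before.
    if t.beneficiary not in h["beneficiaries"]:
        reasons.append("first transfer to this beneficiary")

    # Draining an account produces an amount far outside the customer's pattern.
    if h["amounts"] and t.amount > amount_factor * mean(h["amounts"]):
        reasons.append("amount far above customer's usual")

    # Malware relaying the SMS and typing the TAN is faster than a human.
    if t.tan_entered - t.tan_sent < tan_floor:
        reasons.append("mTAN returned faster than a person could read and type it")

    return reasons


def decide(t: Transfer, history=HISTORY) -> tuple[str, list[str]]:
    """Hold the transfer and alert the customer when two or more signals fire.

    Requiring two independent signals keeps a single new beneficiary from
    blocking ordinary payments while still catching the combined pattern.
    """
    reasons = signals(t, history)
    action = "hold_and_alert" if len(reasons) >= 2 else "allow"
    return action, reasons


if __name__ == "__main__":
    t0 = datetime(2012, 12, 13, 12, 0, 0)
    # Constructed sample: routine rent payment, TAN typed in after 40 seconds.
    routine = Transfer("cust-1", "DE-rent-account", 650.0, t0, t0 + timedelta(seconds=40))
    # Constructed sample: unknown payee, large amount, TAN back within 2 seconds.
    suspect = Transfer("cust-1", "XX-unknown-account", 4000.0, t0, t0 + timedelta(seconds=2))
    for tr in (routine, suspect):
        print(tr.beneficiary, decide(tr))
```

Each fired signal is returned alongside the decision so that the analyst who reviews a held transfer, or the customer who receives the alert, sees why it was stopped rather than a bare score.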

But clearly this type of attack shows that out-of-band authentication, as (relatively) convenient as it might be, is not the holy grail of security in online banking. Maybe this issue will initiate the comeback of other, more expensive (in procurement and logistics) and sometimes less convenient solutions such as OTP hardware tokens. Maybe it is time that financial institutions start focusing on a reusable approach for such OTP hardware tokens, because the lack of reusability always was one of the major inhibitors for acceptance of these devices.


  • Pingback: The Champion Community - David A. Kearns - Notes From a Network Junkie

  • http://www.facebook.com/steve.kirsch1 Steve Kirsch

    There are five basic attacks to 2-factor authentication: phone number porting (which can defeat both voice and SMS authentication techniques), SMS intercept (such as Eurograbber), MITM/MITB, and app spoofing of the security app.

    OneID provides a simple solution to the Eurograbber attack. It is immune to all of the five known 2-factor compromise attacks.

  • http://www.ipb.citibank.com.sg/ Eric Gridley

    This is why you have to be extra careful with keeping online financial accounts or conducting transactions. You never know when malicious software like this can strike and take all your hard-earned cash.

  • http://www.sharkysmarineelectronics.com cheap furuno gps

    There are five basic attacks to 2-factor authentication: phone number porting (which can defeat both voice and SMS authentication techniques), SMS intercept (such as Eurograbber), MITM/MITB, and app spoofing of the security app.

  • http://www.ira-reviews.com/ best ira companies

    36 million € is a lot of money and I'm surprised how hackers managed to vanish that huge amount of money from a high-security banking process. A country like Europe being under attack by such dangerous hackers is concerning for citizens!! Because when something like this happens, the government silently puts pressure upon citizens to maintain money by raising the prices of people's daily-use products. Thanks.

  • http://cosuricadou.beep.com/ cosuri cadou

    Is this really something people were surprised by? I mean really, it was bound to happen someday… I say we should be glad it was this little money involved!

© 2014 Martin Kuppinger, KuppingerCole