TechSpot

Trojan bypasses two-factor authentication, steals $46.5 million

By Rick
Dec 7, 2012
  1. A sophisticated, multi-layered trojan dubbed "Eurograbber" is estimated to be responsible for siphoning over €36 million -- or about $46.5 million -- from the bank accounts of unsuspecting Europeans. In a case study (pdf) performed by Versafe and Check Point Software Technologies, researchers reveal...

  2. Timonius

    Timonius TS Booster Posts: 582   +32

  3. I sure am glad I own a Windows Phone.
  4. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,159   +174

    That is only protection because Windows Phone has an insignificant portion of the market... if they had a decent market share, you think the hackers wouldn't have targeted Windows Phone as well?
    JCitron likes this.
  5. Sorry^

    WinRT (i.e. Windows Phones) has a different kernel and APIs. No stand-alone app would be given privileges to autonomously intercept, etc.
    JCitron likes this.
  6. Yet another reason that if you do online banking to boot from a live CD (typically Linux) or at least use a VM that you only use for banking. In other words don't mix your money with daily internet activities.
    pmshah likes this.
  7. Yep, he's right. Every application inside the Windows Phone OS is executed within its own sandbox. And when they're sent to the background they don't do anything they want willy-nilly. They go through channels.
  8. Where does one transfer the stolen money?

    For science, of course.
  9. Symbian is the BEST.
  10. I use Firefox for all my regular surfing. But when I want to do something involving money (Paypal, my bank, eBay, Amazon, etc.) I switch to using Chrome. I am not saying this would have stopped this particular trojan scheme (wow! what a scheme!), but when it comes to my money, an ounce of prevention is worth several pounds (or dollars) of cure.
  11. JCitron

    JCitron TS Rookie

    How though can people be so naïve? Whenever I see something suspicious like this, I hover over the links and see where they go.

    These people are falling for the same traps that many people do.

    1) Never, ever, click on a link like this. Go to the website and login.
    2) Never, ever, respond to, or click on links that don't look right.

    How many Facebook and other social media website users click on fake friend requests?

    3) Never open attachments unless expecting them, and always set the antimalware to scan all attachments and delete them if they're infected.
    4) Keep the antimalware software up-to-date, and scan often in addition to real-time scanning.
    and
    5) Delete cookies and temporary internet files often.

    There are many more safeguards that users can do, however I suspect that many of these people have never been taught the common sense laws of the internet.
  12. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,159   +174

    Are you saying the Windows Phone API doesn't allow applications to read and handle SMS? You don't need to compromise the sandbox if you can do that.
  13. This kind of attack was suggested by me about two years ago. I suggested that the Trojan/Mimicware monitor communications between key systems and once it gathered enough data it would then replicate the said methods and fool the user into thinking that everything is working the way it is supposed to work. It's a very simple concept and I believe that we'll see it more and more. The time for attacking the system and exploiting some weakness in the software is coming to an end and it is now time to target the weak link, humans and lack of knowledge. The security companies are going to have their hands full in the coming years.

    I designed a self-installing backdoor into Windows by just using some clever tricks and playing on individuals' greed. And I managed to do this by using legit code and no exploiting - this was done as a test to see how easily someone could do it and to be honest it's way too easy.

    No matter how strong your security becomes, the one who's ultimately going to fudge things up is the end user.
  14. NTAPRO

    NTAPRO TS Enthusiast Posts: 810   +91

    The average banker probably doesn't even know what that is though lol, especially the older ones. They just know what needs to be done: deposit, transfer, and withdraw money.
  15. It's a well thought-out plan. I must say I'm impressed by the simplicity yet marvelous work of it....
  16. nAviS.

    nAviS. TS Rookie

    I'm sorry sir. But Firefox is actually safer than Chrome.
  17. JohnZurawski

    JohnZurawski TS Rookie

    The real challenge is that authenticating the end user and signing transactions all happen on the front end. A secure SMS text with an OTP that the MITM can't read is fine - the MITM doesn't need it. He wants you logged on - he's going to change your transaction details "in flight".

    The front end is unsafe to the point that secure out-of-band, or out-of-channel communication from the backend is required. Not transaction signing, but transaction review and approval. A phone-based voice call that speaks your transaction details to you and permits approval or cancellation is one example, provided you can defend against call forwarding and exploits against the phone.

    A smart app on a smart phone or tablet with an encrypted communication layer and a top-of-the-stack application-level encryption to protect it from ZITMO is another example. The app would let you review and approve or cancel the transaction if it isn't correct. Don't trust using an app on the same phone the banking app is on - mix and match. Bank on a tablet, validate the transaction on the smart phone. The BYOD trend should offer more ways to secure transactions, not fewer. The situation today is similar to the initial rush to online banking back in the 90s. Identity theft and account takeover were rampant because in the rush to get "there" - not a lot of thought was given to the vulnerabilities. The mobile rush is on and similar pitfalls are happening. Now BEFORE anyone starts poking holes in the use of out-of-band, and phone-based authentication, or smart app as an out-of-band end point, as I said - you need a vendor that knows how to defend those channels against the exploits. Call forward, SIM swap, phone account takeover - and there are ways to defend the voice and 3G/4G channels. The sky is not falling, FIs just need to catch up.
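A sketch of the distinction the post above draws between a login-bound OTP and a transaction-bound, out-of-band review, as an added example that is not from the post or from any bank's system. The Transfer fields, the account strings and the HMAC-based approval code are assumptions for illustration; the "altered" transfer is constructed sample input standing in for a front end that rewrites details in flight.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Transfer:
    account: str        # debited account (constructed placeholder)
    beneficiary: str    # credited account (constructed placeholder)
    amount_cents: int

# Constructed sample: what the customer typed, and what the bank actually
# received after the details were changed on a compromised front end.
INTENDED = Transfer("ACCT-CUSTOMER", "ACCT-LANDLORD", 80_000)
ALTERED = Transfer("ACCT-CUSTOMER", "ACCT-UNKNOWN", 80_000)

def otp_only_flow(received: Transfer, otp_entered: str, otp_issued: str) -> Optional[Transfer]:
    """Session-bound OTP: the code proves the login, not the transfer details,
    so the bank cannot tell that `received` differs from what the user meant."""
    if hmac.compare_digest(otp_entered, otp_issued):
        return received      # executes whatever arrived, altered or not
    return None

def approval_code(key: bytes, tx: Transfer, nonce: str) -> str:
    """Approval bound to the exact details the bank will execute (assumed scheme)."""
    msg = f"{nonce}|{tx.account}|{tx.beneficiary}|{tx.amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

def out_of_band_review(received: Transfer, intended: Transfer) -> bool:
    """Second channel (voice call / separate app): the bank tells the user what it
    holds; the user approves only if it matches what they intended."""
    return received == intended

def bank_execute(received: Transfer, approval: str, key: bytes, nonce: str) -> Optional[Transfer]:
    """The bank recomputes the code over the transaction it holds; any change to
    beneficiary or amount after approval makes the code fail to verify."""
    if hmac.compare_digest(approval, approval_code(key, received, nonce)):
        return received
    return None

def out_of_band_flow(received: Transfer, intended: Transfer, key: bytes) -> Optional[Transfer]:
    nonce = secrets.token_hex(8)                      # per-transaction, prevents replay
    if not out_of_band_review(received, intended):    # user cancels on mismatch
        return None
    approval = approval_code(key, received, nonce)    # produced by the user's second device
    return bank_execute(received, approval, key, nonce)
```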
  18. pmshah

    pmshah TS Rookie Posts: 81

    Nowadays almost all PCs have a USB interface. Almost none have any floppy drives and quite a few, like all 3 PCs of mine, have NO DVD drives. So a live CD may not be useful everywhere and on all PCs. Unless you are using a mini CD/DVD, it may not be convenient to carry. Unfortunately write-protected flash drives or write-protection-tab-respecting SDHC card readers are nonexistent.

    This is one reason why I am hanging on to a 10-year-old SD card reader and a few 2 GB standard SD cards for dear life. I use these when I am traveling to access internet, email and banking accounts or occasionally run TeamViewer to sort out problems on my wife's Netbook.

    Of course I could easily boot an ISO image on a PC from a flash drive but this is not always possible as the PC might be configured to disallow that.

    SanDisk does have the U3 system which makes its flash drive appear as a write-protected CD-ROM + a read/write removable drive. What is really needed is for someone to write software that would make the entire flash drive appear as a non-writable CD-ROM or for the flash drive makers to add a write-protecting sliding tab.

    Is anyone listening?
