Trojan bypasses two-factor authentication, steals $46.5 million

By on December 7, 2012, 6:00 PM

A sophisticated, multi-layered trojan dubbed "Eurograbber" is estimated to be responsible for siphoning over €36 million -- or about $46.5 million -- from the bank accounts of unsuspecting Europeans. In a case study (pdf) performed by Versafe and Check Point Software Technologies, researchers reveal how the trojan works.

Eurograbber was the latest take on the infamous ZeuS trojan horse, a malware capable of monitoring online bank sessions and besting two-factor authentication through what amounts to clever programming and social engineering.

For a user to fall prey to Eurograbber, he or she must first be using a computer infected with the trojan. This was typically done by luring the user onto a malicious web page via a round of unfortunate web surfing or email phishing attempts. Once infected, the trojan would monitor that computer's web browser for banking sessions. When a user visited a banking site, Eurograbber would inject JavaScript and HTML markup into their browser, prompting the user for their phone number under the guise of a "banking software security upgrade". This is also the key to Eurograbber's ability to bypass two-factor authentication.

Since the source of the request would appear to be the banking website, unsuspecting users would unwittingly enter their phone number. Next, smartphone users would receive a bogus SMS text asking them to install what was supposedly a "free encryption software" app. Unfortunately, the .apk (Android) or .jad (BlackBerry) files the texts would link to were apps capable of intercepting texts from banks containing transaction authorization numbers. TANs are one-time authorization codes used by some banks to authorize financial transactions and, ironically, increase security.

Next, the user would be presented with instructions to complete the process, ensuring both their PC and mobile device were compromised. Once complete, the next time that user logged on to their bank's website, the trojan would automatically initiate a money transfer into a shell account under their banking session. These transactions would usually range anywhere from 500 to 250,000 Euros. Normally, the user would receive a SMS alert containing a one-time use TAN in order to authorize the transfer, but the smartphone's trojan would silently intercept the SMS, collect its TAN and authorize the transaction itself -- the owner wouldn't have a clue until they noticed money missing from their account.

Readers interested in learning more about Eurograbber should check out this detailed report. (pdf). 




User Comments: 17

Got something to say? Post a comment
Guest said:

I sure am glad I own a Windows Phone.

1 person liked this | Darth Shiv Darth Shiv said:

I sure am glad I own a Windows Phone.

That is only protection because Windows Phone has an insignificant portion of the market... if they had a decent marketshare, you think the hackers wouldn't have targeted windows phone as well?

1 person liked this | Guest said:

Sorry^

WinRT (ie Windows Phones) has a different kernal and api's. No stand-alone app would be given privileges to autonomously intercept, etc.

1 person liked this | Guest said:

Yet another reason that if you do online banking to boot from a live CD (typically Linux) or at least use a VM that you only use for banking. In other words don't mix your money with daily internet activities.

Guest said:

Yep, he's right. Every application inside the Windows Phone OS is executed within its own sandbox. And when they're sent to the background they don't do anything they want willy nilly. They through channels.

Guest said:

Where does one transfer the stolen money?

For science, of course.

Guest said:

Symbian is the BEST.

Guest said:

I use Firefox for all my regular surfing. But when I want to do something involving money (Paypal, my bank, eBay, Amazon, etc.) I switch to using Chrome. I am not saying this would have stopped this particular trojan scheme (wow! what a scheme!), but when it comes to my money, an ounce of prevention is worth several pounds (or dollars) of cure.

JCitron JCitron said:

How though can people be so na´ve? Whenever I see something suspicious like this, I hover over the links and see where they go.

These people are falling for the same traps that many people do.

1) Never, ever, click on a link like this. Go to the website and login.

2) Never, ever, respond to, or click on links that don't look right.

How many Facebook and other social media website users click on fake friend requests?

3) Never open attachments unless expecting them, and always set the antimalware to scan all attachments and delete them if they're infected.

4) Keep the antimalware software up-to-date, and scan often in addition to real-time scanning.

and

5) Delete cookies and temporary internet files often.

There are many more safe-guards that users can do, however I suspect that many of these people have never been taught the common sense laws of the internet.

Darth Shiv Darth Shiv said:

Yep, he's right. Every application inside the Windows Phone OS is executed within its own sandbox. And when they're sent to the background they don't do anything they want willy nilly. They through channels.

Are you saying the Windows Phone API doesn't allow applications to read and handle SMS? You don't need to compromise the sandbox if you can do that.

Guest said:

This kind of attack was suggested by me about two years ago. I suggested that the Trojan/Mimicware monitor communications between key systems and once it gathered enough data it would the replicate the said methods and fool the user into thinking that everything is working the way it is supposed to work. It's a very simple concept and I believe that we'll see it more and more. The time for attacking the system and exploiting some weakness in the software is coming to and end and it is now time to target the weak link, humans and lack of knowledge. The security companies are going to have their hands full in the coming years.

I designed a self installing backdoor into Windows by just using some clever tricks and playing on individual's greed. And I managed to do this by using legit code and no exploiting - this was done as test to see how easily someone could do it and to be honest it's way too easy.

No matter how strong your security becomes, the one who's ultimately going to fudge things up is the end user.

NTAPRO NTAPRO said:

Yet another reason that if you do online banking to boot from a live CD (typically Linux) or at least use a VM that you only use for banking. In other words don't mix your money with daily internet activities.

The average banker probably doesn't even know what that is though lol, especially the older ones. They just know what needs to be done deposit, transfer, and withdraw money.

Guest said:

Its a well thought-out plan. I must say Im impressed by the simplicity yet marvelous work of it....

nAviS. nAviS. said:

I use Firefox for all my regular surfing. But when I want to do something involving money (Paypal, my bank, eBay, Amazon, etc.) I switch to using Chrome. I am not saying this would have stopped this particular trojan scheme (wow! what a scheme!), but when it comes to my money, an ounce of prevention is worth several pounds (or dollars) of cure.

Im sorry sir. But Firefox is actually safer than Chrome.

JohnZurawski said:

The real challenge is that authenticating the end user and signing transactions all happen on the front end. A secure SMS text with an OTP that the MITM can't read is fine - the MITM doesn't need it. He wants you logged on - he's going to change your transaction details "in flight"

The front end is unsafe to the point that secure out-of-band, or out-of-channel communication from the backend is required. Not transaction signing, but transaction review and approval. A phone-based voice call that speaks your transaction details to you and permits approval or cancellation is one example, provided you can can defend against call forwarding and exploits against the phone.

A smart app on a smart phone or tablet with an encrypted communication layer and a top of the stack application level encryption to protect it from ZITMO is another example. The app would let you review and approve or cancel the transaction if it isn't correct. Don't trust using an app on the same phone the banking app is on - mix and match. Bank on a tablet, validate the transaction on the smart phone. The BYOD trend should offer more ways to secure transactions, not fewer. The situation today is similar to the initial rush to online banking back in the 90's. Identity theft and account takeover were rampant because in the rush to get "there" - not a lot of thought was given to the vulnerabilities. The mobile rush is on and similar and similar pitfalls are happening. Now BEFORE anyone starts poking holes in the use of out-of-band, and phone-based authentication, or smart app as an out-of-band end point, as I said - you need a vendor that knows how to defend those channels against the exploits. Call forward, SIM swap, phone account takeover - and there are ways to defend the voice and 3G 4G channels. The sky is not falling, FI's just need to catch up.

pmshah said:

Yet another reason that if you do online banking to boot from a live CD (typically Linux) or at least use a VM that you only use for banking. In other words don't mix your money with daily internet activities.

Nowadays almost all PCs have a USB interface. Almost none have any floppy drives and quite a few like all 3 PCs of mine, have NO DVD drives. So a live CD may not be useful every where and all PCs. Unless you are using a mini CD/DVD, it may not be convenient to carry. Unfortunately write protected flash drives or write protection tab respecting SDHC card readers are non existent.

This is one reason why I am hanging on to a 10 year old SD card reader and a few 2 gb standard SD cards for dear life. I use these when I am traveling to access internet, email and banking accounts or occasionally run TeamViwer to sort out problems on my wife's Netbook.

Of course I could easily boot an ISO image on a PC from a flash drive but this is not always possible as the PC might be configured to disallow that.

SanDislk does have the U3 system which makes its flash drive appear as a write protected CD rom + a read/write removable drive. What is really needed is for someone to write a software that would make the entire flash drive appear as a non-writable CD rom or for the flash drive makers to add a write protecting sliding tab.

Is any one listening?

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.