© The Financial Times Ltd 2015 FT and 'Financial Times' are trademarks of The Financial Times Ltd.
December 5, 2012 1:01 pm
Hackers have stolen more than €36m from 30 banks across Europe using a new two-stage Trojan virus that spreads from a victim’s PC to their mobile phone.
More than 30,000 online banking customers in Germany, Italy, Spain and the Netherlands were affected by the attack, which security companies have called Eurograbber.
It is the second significant online banking breach this year. The first, Operation High Roller, involved an estimated $60m in fraudulent money transfers at 60 financial institutions, according to Guardian Analytics, an online banking security company.
Like High Roller, Eurograbber started in Italy before spreading to other countries in mainland Europe. Both attacks used a variant of the Zitmo, or Zeus in the Mobile, Trojan, a type of virus that has no visible effect and lies dormant until an opportune moment.
However, Eurograbber marks the first case of a Trojan transferring itself from the user’s PC to their mobile phone, and was targeted specifically at online banking. With both devices infected, verification codes sent by text to customers could be recorded and used to create a second banking session in real time. Money was then transferred out of the accounts in amounts ranging from €500 to €250,000.
“Not to give kudos to the attackers, but it was a good piece of engineering,” said Darrell Burkey, director of intrusion prevention products at Check Point, which sells protection for PCs and networks.
“The mobiles they targeted were very common mobiles, and they targeted very successful banks.”
Two-step authentication, whereby a customer enters a second code generated by the bank in addition to a regular password, is common in online banking. It is also used by companies such as Google to make cloud computing services more secure.
Eyal Gruner, a security engineer who tracked the virus at Versafe, an online security company, said: “More than 30 per cent of the EU and US banks use something similar to this mechanism.”
The attack was detected in August when customers of Check Point and Versafe became infected. Both companies said there was evidence to suggest it had been operating in some form since early 2012.
The companies would not say which banks and customers were affected, but said those involved had been informed. The Trojan targeted Android and BlackBerry phones.
Eurograbber is the latest example of a socially engineered attack, where information from websites and social networks is used to tailor an email enticing a person to click on a link or document that installs the first virus.
During the victim’s next banking session, Eurograbber – which ironically preys on the security conscious – invites the user to upgrade their banking security, a process that includes entering their phone number.
A text message including a link is then sent to the phone, inviting the user to complete the upgrade process. When the victim clicks on the link, a second Trojan is installed on the phone, giving the hackers access to both sides of the banking authentication.
Mr Burkey and Mr Gruner said people could prevent attacks like Eurograbber by keeping their computer and phone software up to date and never clicking links from unsolicited emails or posts on social networks.
Please don't cut articles from FT.com and redistribute by email or post to the web.
Sign up for email briefings to stay up to date on topics you are interested in