$47 Million Online Bank Hack Uses Smartphone Trojans, Botnet


Cybercrime against banking has officially embraced mobility. That’s the takeaway from an innovative fraud scheme emerging from Europe that involves dual infections of PC and smartphones. Reports have discovered a sophisticated malware and botnet system known as “Eurograbber” that has been used to steal over $47 million dollars from European victims to date. Similar to the story posted yesterday, the operation relies on Trojan infections to perform its mission.  What makes this hack so slick is that it also infects user’s smartphones with a second Trojan.  This design is set so that when banks send SMS messages regarding account transactions, they are intercepted. To date 30,000 European electronic banking customers have been attacked.


It all starts with one of the most favored hacker tools available today– social engineering, in this case a malicious link sent in a phishing attack. That’s the vector for the initial Trojans. The Trojans then work in the background recording web activity and injects HTML and JavaScript into the victim’s browser. Sooner or later, the user goes to the banking webpage, and the Trojan captures the user credentials. This is where it gets even more interesting –a spoofed request for a ‘security upgrade’ is presented to the user while presumably on the online banking website. From there the user’s phone number is intercepted along with the mobile operating system information. The stage is now set for the next level of attack.

The victim next gets a text ostensibly from the bank as part of this upgrade, while the transmission is really the hacker. That text contains a link to the supposed upgrade, but is actually a mobile malware payload, specifically a separate Trojan known as “Zeus in the mobile” (ZITMO). This malware bears the behavior of injecting itself in between the mobile browser and SMS messaging – ZITMO is a designed Trojan for Android and BlackBerry mobile operating systems.


As covered in Arstechnica, with all the pieces in place, the stealing is ready to begin. As soon as the victim accesses one of the bank accounts, a percentage of their bank balance is transferred to a criminal bank account.

The malware then intercepts the confirmation text message sent by the bank, forwarding it to the trojan’s command and control server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money. The same process happens every time the victim logs into their bank account, gradually withdrawing money without alerting the user.

So day by day, little by little, the victim is actually conceivably setting the account drain in motion, particularly when they log in again and again to see what is going on with their accounts.

Checkpoint along with Versafe have put together a detailed report on the scheme, it concludes:

Eurograbber is an excellent example of a successful targeted, sophisticated and stealthy attack. The threat from custom designed, targeted attacks like Eurograbber is real and is not going away. The threat community is alive and motivated to create ever more sophisticated attacks because the spoils are rich and many. Enterprises as well as individuals need to exercise due care and ensure they conduct important online business, especially financial transactions in the most secure environments possible. Further, individual users must be steadfast in ensuring all of their desktops, laptops and tablets have all possible security layers enabled and that they are kept current with software and security updates to ensure the best protection possible.
Online banking customers should make efforts to ensure their computer is current and to also conduct their online banking transactions from the most secure environment possible. A computer that is current in OS and application updates and security protections combined with an office network that is protected with multiple layers of security will provide the most protection against attacks like Eurograbber.

It’s hard to argue against maintaining the security on your devices, but let me add to that a little bit.  As we’ve brought up in the past – In light of these increasingly sophisticated attacks, it makes incredible sense to protect your systems and mobile devices with multiple levels of security tools, and security-minded behavior, particularly if you are doing any kind of sensitive work, or accessing your accounts.