Eurograbber: A Smart Trojan Attack

Hackers' Methods Reveal Banking Know-How

By , December 17, 2012.
Eurograbber: A Smart Trojan Attack

The Eurograbber banking Trojan is an all-in-one hit, researchers say. It successfully compromises desktops and mobile devices, and has gotten around commonly used two-factor authentication practices in Europe.

See Also: How Cybercriminals Use Phone Scams To Take Over Accounts and Commit Fraud

How can banking institutions defend themselves and their customers against this super-Trojan attack? It may seem cliché, but Darrell Burkey, who oversees intrusion prevention products at Internet-threat-protection provider Check Point Software Technologies, says defense hinges on consumer behavior.

"The bank consumer needs to think about where they access their bank account, to ensure they have the most security available over the network," Burkey says during an interview with BankInfoSecurity's Tracy Kitten (transcript below). "They need to make sure that they're current on their computing equipment, in terms of all the latest operating system updates and application updates."

Banking institutions also play a role in prevention. "The more security layers that are deployed, the more chance there is of detecting an attack like this," Burkey says.

Eurograbber is a Zeus variant blamed for hits that stole more than 36 million euro (U.S. $47 million) from some 30,000 retail and corporate accounts in Europe. In August, online identity theft protections provider Versafe identified the multistaged attack and pulled CheckPoint in to assist with its analysis of the Trojan.

The sophistication of the attack, rather than the Trojan itself, is what's most concerning, Burkey says. The attack, which specifically targeted dual-factor authentication that relies on the texting of one-time passcodes to mobile devices, proves hackers behind the attack had an in-depth understanding of how online-banking systems work, he explains.

Eurograbber attacks first infect a user's desktop PC. The attack then quickly compromises the mobile device, when the connection between the online account and the mobile number is established via the entry of the texted one-time passcode.

During this interview, Burkey discusses:

  • How the attacks work;
  • How hackers are proving they understand how banking platforms and systems work and can be compromised; and
  • Additional steps institutions can take to mitigate their risks.

Burkey has more than 15 years of senior management experience in enterprise security and systems management product companies. Before joining Check Point, he served as vice president of product management and marketing at NFR Security, later acquired by Check Point, and was senior director of research and development for SAGA Software, later acquired by Software AG.

Eurograbber Trojan

TRACY KITTEN: How does Eurograbber work?

DARRELL BURKEY: When a customer accesses their bank account online and they conduct a banking transaction, the bank sends to that customer's mobile device a transaction authentication number, also known as a one-time password. That bank customer receives that number or password via an SMS to their mobile device and then enters that number into their banking session to verify that the person requesting the bank transaction is the owner of the account. That's the background of the attack.

It's designed to work within this banking infrastructure. The bank customer is initially and transparently infected, either when they succumb to a phishing e-mail and click on a malicious link in that e-mail, or possibly just by surfing the Internet and clicking on a malicious link. Unbeknownst to the user, once infected, the Eurograbber version of the Zeus Trojan is downloaded onto their desktop computer.

At a later point, when that bank customer accesses their bank account, the Trojan wakes up and the customer, since they've accessed their bank account, believes what appears on their screen. That Trojan ... injects into the banking session instructions for upgrading the user's online-banking system. It asks the user to follow the instructions to improve security. It starts off by asking some questions, and some of the information it asks for is information about their mobile phone, including their mobile number, saying that in order to complete the upgrade, they need to proceed to their mobile phone and follow the instructions that the bank will send.

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE CIA Creates Digital Innovation Directorate

As part of its biggest reorganization in its nearly seven-decade history, the Central Intelligence...

Latest Tweets and Mentions

ARTICLE CIA Creates Digital Innovation Directorate

As part of its biggest reorganization in its nearly seven-decade history, the Central Intelligence...

The ISMG Network