New Trojan Exploits Mobile Channel Eurograbber Defeats Two-Factor Authentication

The Eurograbber banking Trojan is an all-in-one hit, researchers say. It successfully compromises desktops and mobile devices, and has gotten around commonly used two-factor authentication practices in Europe.

How can banking institutions defend themselves and their customers against this super-Trojan attack? It may seem cliché, but Darrell Burkey, who oversees intrusion prevention products at Internet-threat-protection provider Check Point Software Technologies, says defense hinges on consumer behavior.

"The bank consumer needs to think about where they access their bank account, to ensure they have the most security available over the network," Burkey says during an interview with BankInfoSecurity's Tracy Kitten (transcript below). "They need to make sure that they're current on their computing equipment, in terms of all the latest operating system updates and application updates."

Banking institutions also play a role in prevention. "The more security layers that are deployed, the more chance there is of detecting an attack like this," Burkey says.

Eurograbber is a Zeus variant blamed for hits that stole more than 36 million euro (U.S. $47 million) from some 30,000 retail and corporate accounts in Europe. In August, online identity theft protections provider Versafe identified the multistaged attack and pulled CheckPoint in to assist with its analysis of the Trojan.

The sophistication of the attack, rather than the Trojan itself, is what's most concerning, Burkey says. The attack, which specifically targeted dual-factor authentication that relies on the texting of one-time passcodes to mobile devices, proves hackers behind the attack had an in-depth understanding of how online-banking systems work, he explains.

Eurograbber attacks first infect a user's desktop PC. The attack then quickly compromises the mobile device, when the connection between the online account and the mobile number is established via the entry of the texted one-time passcode.

During this interview, Burkey discusses:

  • How the attacks work;
  • How hackers are proving they understand how banking platforms and systems work and can be compromised; and
  • Additional steps institutions can take to mitigate their risks.

Burkey has more than 15 years of senior management experience in enterprise security and systems management product companies. Before joining Check Point, he served as vice president of product management and marketing at NFR Security, later acquired by Check Point, and was senior director of research and development for SAGA Software, later acquired by Software AG.

Eurograbber Trojan

TRACY KITTEN: How does Eurograbber work?

DARRELL BURKEY: When a customer accesses their bank account online and they conduct a banking transaction, the bank sends to that customer's mobile device a transaction authentication number, also known as a one-time password. That bank customer receives that number or password via an SMS to their mobile device and then enters that number into their banking session to verify that the person requesting the bank transaction is the owner of the account. That's the background of the attack.

It's designed to work within this banking infrastructure. The bank customer is initially and transparently infected, either when they succumb to a phishing e-mail and click on a malicious link in that e-mail, or possibly just by surfing the Internet and clicking on a malicious link. Unbeknownst to the user, once infected, the Eurograbber version of the Zeus Trojan is downloaded onto their desktop computer.

At a later point, when that bank customer accesses their bank account, the Trojan wakes up and the customer, since they've accessed their bank account, believes what appears on their screen. That Trojan ... injects into the banking session instructions for upgrading the user's online-banking system. It asks the user to follow the instructions to improve security. It starts off by asking some questions, and some of the information it asks for is information about their mobile phone, including their mobile number, saying that in order to complete the upgrade, they need to proceed to their mobile phone and follow the instructions that the bank will send.

When the users pick up their mobile phone, they have received an SMS, presumably from the bank, directing them to complete the upgrade. They're directed to click on a link, and when they click on that link, instead of actually completing the upgrade, they download Zeus and the mobile Trojan onto their mobile device.

The infection on their computer and mobile device is complete, and every time they access their bank account online thereafter, the attack initiates a transaction to transfer money out of their account.

The way that works: They access their bank account, the Trojan on the computer recognizes this and transparently sends a request to the bank to transfer an amount of money from this account to the attacker's mule account. When the bank receives that request, the bank then generates the transaction authentication number and sends it via SMS to the bank customer's mobile device, but it's intercepted by the Trojan on the mobile device. The Trojan then uses that SMS, extracts the transaction authentication number and sends it back to the bank to complete the banking transaction to illicitly transfer money out of the customer's account.

This is completely transparent to the customer. They don't see any of the SMSes on their mobile phone. And to the bank, it looks like a legitimate transaction.

KITTEN: Are all mobile devices vulnerable?

BURKEY: Not as far as we can tell. The mobile devices targeted in this attack were Blackberry, Android and Symbian devices.

KITTEN: When did Check Point and Versafe discover Eurograbber?

BURKEY: It was in early August when we first noticed the attack and began researching it. As we are both in the security business, we sometimes work together on research, and we were able to work with Versafe on researching this attack.

KITTEN: How many banks have been affected so far?

BURKEY: Customers from over 30 banks in Europe were affected in this campaign.

Getting the Word Out

KITTEN: What's your motivation for coming forward with this information now?

BURKEY: There are multiple reasons. There's a good bit of this going on today, and I think it's important for the public to be informed. And, as I learn more about this, it is interesting to me. It made me want to make sure that my own online banking transactions were safe and successful, and it's also useful in helping combat the attackers, by informing the public. If they know that there could be public fallout, as well as law enforcement investigating, it makes their attacks harder to pull off.

KITTEN: How do organizations such as Check Point and Versafe benefit from getting this information out?

BURKEY: One, I think it's informative for our customers. It's informative for us to understand how the attackers are working and how they're advancing their attack techniques and designing attacks. We see some of this through the sharing of information, both between government or governmental companies and customers. But in order to provide the best security, companies, banks and vendors all need to work together to provide the best security possible.

KITTEN: Have these attacks been stopped?

BURKEY: Yes, they have. In working with the banks, we also contacted law enforcement and also the ISPs [Internet service providers] from which the attack infrastructure was set up. Those have since been taken down. We've not seen any of the attacks since then.

Vendor Role

KITTEN: What role did Check Point and Versafe play in keeping some of these attacks at bay?

BURKEY: That's a good question. For Check Point, Versafe and other security companies, it's what we do every day. It's our mission to provide our customers the best security possible to protect them against these and any other types of cyberattacks. In looking at it, a fundamental rule of good security is to deploy security in layers, and it applies here. The more security layers that are deployed, the more chance there is of detecting an attack like this.

Attack Went Undetected

KITTEN: How did the attack go undetected for so long?

BURKEY: If this were to happen to me, I might not notice it immediately. But, I also might not notice it until I got my bank statement; or maybe I skip a month of paying attention to my bank statement and balancing my checkbook. There's time that can pass before it's detected. Again, that's why it's really important for multiple layers of security to be deployed. And also, in my opinion, it's important to conduct online banking from the most secure location available. First off, bank consumer needs to think about where they access their bank account from to ensure they have the most security available over the network. Then also, they need to make sure that they're current on their computing equipment, in terms of all the latest operating system updates and application updates.

Trojan Sophistication

KITTEN: How sophisticated or unique was this attack?

BURKEY: In my opinion, as I learned about this, it meets all the key buzzwords we hear about attacks today. It's multistaged, in that it focuses on the computer and the mobile device. It's sophisticated in the way it goes about taking advantage of the two-factor authentication. It's targeted. It's stealthy. And, unfortunately, it's successful. It's indeed a sophisticated attack, and it's more the type of an attack that's being seen today over three and four years ago, for sure.

Bank Awareness

KITTEN: How educated would you say banks are about this type of attack?

BURKEY: The banks and the financial vertical, in general, are very educated and aware. One of the things to understand in cybersecurity is that it's truly an arms race, and there's no silver bullet against all cyberattacks. These days, the attackers are, indeed, more organized. They're taking an engineering approach to designing these sophisticated and targeted attacks. Eurograbber is a prime example.

Who's Vulnerable?

KITTEN: In Europe, out-of-band authentication, which involves the automated creation of a one-time passcode that's sent to a mobile device, is a common practice. The practice, however, is not so common in the U.S. Are U.S. banking institution customers vulnerable?

BURKEY: For this specific attack, it would be effective against banks that use this form of two-factor authentication. Banks that use different forms of it wouldn't be susceptible to it. But the thing I think you take away from it is that this attack involved engineering designed to specifically target a certain type of authentication system. Certainly, additional attacks could be designed to take advantage of other types of systems, via banking or authentication.

Security Precautions

KITTEN: What steps or precautions are now being taken?

BURKEY: For the most part, financial institutions do employ a multilayered security approach and are always working to upgrade their security in order to protect their business, their transactions, their customers and their customer accounts. I don't see that approach being any different here.

KITTEN: Would you say this attack is more of a mobile-user issue than a financial-institution issue?

BURKEY: Frankly, it's both. Clearly, both are affected by the attack and both are involved in the transaction, as a customer on one side and a business on the other. It's not necessarily just a mobile issue. I think the reason mobile is part of this attack is because of the authentication system that's used. Mobile devices are going to be involved in attacks in which the device is a key in accessing whatever it is that the attackers are going after.

KITTEN: How can banking institutions get more information?

BURKEY: Versafe and Check Point have published a white paper that gives an overview of the attack. Certainly, if anyone wanted any more information, they can contact Check Point and Versafe directly, too.

Around the Network