How the Eurograbber Attack Stole 36M Euros

Orome1 writes "Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers (PDF). The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."

SMS for Security

whoever thought that was a good idea deserves a special hell.

sure, lets rely on the most stolen personal object as a security measure, what could possibly go wrong?

Re:SMS for Security

[Donwulff]

Unless the thief gets both the phone and online-banking user-id, password and single-use key-lists the phone won't help them any. Unless the implementation in question is severely broken, the phone/SMS acts only as an extra factor in authentication. How it works for me for example is I log on the online banking site, authenticate with extra-long user-id (which in itself acts as a password), a pin I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling to enter n:th number on my keylist on the online banking site.

Now I'm no fan of the SMS-authentication, mostly because it makes things too slow, but one has to admit it increases security. Only way I am screwed is if I keep my user-id, password, key-list and phone at the same place, and then I would be screwed whether there were SMS authetication or not.

Of course, it's already possible to buy all kinds of services and rake up phone-bills with a mobile phone, so it's a bad idea to lose one either way. Not too long some thief stole a mobile phone, used it to buy every bottle in a soft-drink vending machine, poured the bottles empty and returned the empty bottles for bottle recycling fee. He sure didn't make a lot by hour, but the point is there already exist actual security issues with SMS that have nothing to do with banks.

Is the compromised PC necessary?

[140Mandak262Jamuna]

From what I could understand from the article, it starts with a compromised PC. The virus, sits there, biding its time, not taking any other malicious actions. May be a key stroke logger but does not phone home yet.

When the user visits a banking website, it probably has the username, password, bank url from the key logging. It adds javascript to the web page dished out by the bank asking for the mobile device number. But this javascript phones home dumping the info to the attacker.

Then the attacker sends in a trojan to the mobile device. User installs a trojan in the mobile device. Technically mobile device is not hacked. User is tricked into installing a software. At this point there is no security left. The attacker can do anything.

Now, the attacker can just the trojan to the mobile device directly, but it would be difficult to persuade the user to install it. All the compromised PC is doing is, giving account numbers, and details about last few transactions etc to make it look authentic. But if such info is available from other sources, or if not all that much is needed to persuade the user to install that trojan, it is game over. The key to the whole thing is sneaking the trojan past without arousing suspicion of the user into the mobile device.