Slashdot Mirror

← Back to Stories (view on slashdot.org)

How the Eurograbber Attack Stole 36M Euros

Posted by samzenpus on from the now-you-see-it-now-you-don't dept.

Orome1 writes "Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers (PDF). The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."

47 of 57 comments (clear)

  1. SMS for Security by Anonymous Coward · · Score: 5, Interesting

    whoever thought that was a good idea deserves a special hell.

    sure, lets rely on the most stolen personal object as a security measure, what could possibly go wrong?

    1. Re:SMS for Security by gagol · · Score: 2

      I definitely work in the wrong field...

      --
      Tomorrow is another day...
    2. Re:SMS for Security by ByOhTek · · Score: 2

      You've obviously never dealt with banks.

      They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    3. Re:SMS for Security by AleX122 · · Score: 2

      The theft was not possible due to most stolen personal object. Ordinary thief will not benefit anything for having your phone, unless you keep your bank password in the phone. In this scenario the phones were not stolen but compromised.

    4. Re:SMS for Security by gagol · · Score: 1

      We are talking about an industry too big to fail... it does not matter if, and how badly, they screw up and mismanage. Even worse, you practically cannot exist if you are not a customer of banks...

      --
      Tomorrow is another day...
    5. Re:SMS for Security by Anonymous Coward · · Score: 1

      Someone stealign your phone would still need login and password info to the bank.

      The sms security is actually quite a good idea which is both secure and convenient, and things usually don't go wrong.

      If you read the article maybe you'd know that the problem was users getting duped into both installing a trojan on their phone and computer.

    6. Re:SMS for Security by Donwulff · · Score: 4, Interesting

      Unless the thief gets both the phone and online-banking user-id, password and single-use key-lists the phone won't help them any. Unless the implementation in question is severely broken, the phone/SMS acts only as an extra factor in authentication. How it works for me for example is I log on the online banking site, authenticate with extra-long user-id (which in itself acts as a password), a pin I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling to enter n:th number on my keylist on the online banking site.

      Now I'm no fan of the SMS-authentication, mostly because it makes things too slow, but one has to admit it increases security. Only way I am screwed is if I keep my user-id, password, key-list and phone at the same place, and then I would be screwed whether there were SMS authetication or not.

      Of course, it's already possible to buy all kinds of services and rake up phone-bills with a mobile phone, so it's a bad idea to lose one either way. Not too long some thief stole a mobile phone, used it to buy every bottle in a soft-drink vending machine, poured the bottles empty and returned the empty bottles for bottle recycling fee. He sure didn't make a lot by hour, but the point is there already exist actual security issues with SMS that have nothing to do with banks.

    7. Re:SMS for Security by Dr.+Hok · · Score: 2

      You've obviously never dealt with banks.

      They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.

      You're overgeneralizing. This never ever happened to me. There are obviously different banks out there. Whenever any bank sends me an email, they mention my name, nothing else. Not even the account number. They don't even send me the URL of their secure web site. It would look suspicious (to me, at least) if they did.

      Any sensitive stuff comes either by snail mail (like TANs; this is apparently where other banks save money), or I download it actively from their site.

      --
      Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
    8. Re:SMS for Security by ByOhTek · · Score: 1

      Try getting a mortgage.

      I dealt with several major banks here in the US, and ALL of them figured that this was a "good idea".

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    9. Re:SMS for Security by 1s44c · · Score: 1

      whoever thought that was a good idea deserves a special hell.

      It's not a good idea, but it's still an improvement over letting users choose their own passwords.

      Giving the users something better like a OTP dongle or a challenge response system that uses their bank cards is expensive and users won't understand it.

    10. Re:SMS for Security by ccguy · · Score: 1

      whoever thought that was a good idea deserves a special hell.

      sure, lets rely on the most stolen personal object as a security measure, what could possibly go wrong?

      Well, the problem here is not that it's stolen, it's that the phones are being compromised.

      SMS for security was a great idea when the phones where dumb.

      And to reply to your point, while it's true that phones are often stolen the fact is also immediately noticed so the SIM cards are cancelled and replaced. Compare that to for example one of those cards with a grids of number (please enter number E4...). If I took one from your wallet (and nothing else) you probably wouldn't notice until it was too late.

    11. Re:SMS for Security by RaceProUK · · Score: 1

      in the US

      <jamiewyneman>There's yer problem!</jamiewyneman>

      Most UK banks tend to have halfway-sane privacy procedures.

      --
      No colour or religion ever stopped the bullet from a gun
    12. Re:SMS for Security by AtomicJake · · Score: 1

      How it works for me for example is I log on the online banking site, authenticate with extra-long user-id (which in itself acts as a password), a pin I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling to enter n:th number on my keylist on the online banking site.

      This is indeed secure - but a static predistributed key-list is a major pain. You always need to have access to it, before you can do anything. So, you can do Internet banking, but only from home (or where you store your key-list).

    13. Re:SMS for Security by Specter · · Score: 2

      Boy is this the truth. My mortgage banker (and her company) were so ignorant of the risks of what they were doing that they couldn't comprehend why I was being such a difficult customer. I offered to come in and do some 'pro bono' security consulting for them after the deal closed but they had no interest.

      Don't hold your breath expecting changes anytime soon either. After talking to quite a few people in the industry I'm learning that 99.999% of their customers just don't care. They (sign and) send whatever they're asked, however they're asked, to wherever they're asked with nary a protest or a hesitation. Often they do it without even reading the documents.

      Our brokers were shocked when I told them I wanted to read all the documents. "No one does that!" and "It would take hours!" (Thankfully our title companies were a lot more clue-ful.) I found the entire experience a useful insight into the origins of the US financial crisis.

    14. Re:SMS for Security by shipofgold · · Score: 1

      Actually this is a pretty good way to do two factor authentication. In theory, you need possession of the login credentials as well as possession of the phone to do the transaction.

      RSA SecureID with the "number that changes once a minute" is another two factor authentication system that is in wide use, and if I understand the attack vector would be just as easy to compromise with a trojan in the PC. Just have the Banks WWW site ask for the securID token for some innocuous thing (sync the securID for example), and trojan takes care of the rest.

      The fact that they were able to infect two devices for a single user testifies to the ingenuity of this attack. If I am honest with myself, I can't say I would be immune to it either...even though I am probably more sensitive than the average computer user. I still find myself being the lemming when accessing some site and wanting to get the transaction done. Click here, put in code there, who knows whether it is legit or not. Especially since this trojan did some sort of greasemonkey type injection directly into the banks real WWW page.

    15. Re:SMS for Security by rioki · · Score: 1

      I like my TAN list. The reason why I like it, is that it is a physical token that gets snail-mailed to me, in a tear up envelope, in a standard issue mail envelope. Sure someone could duplicate that before I get it, but that puts it into the realm of spy agencies and not petty internet criminals. Now if I can be reasonably sure that the system I am working on is safe, the TAN method works fine. The TANs are numbered and so at best they can steal one TAN with a trojan and divert one transaction in a man in the middle attack. Something that I will see on the account overview that is snail mailed to me regularly. Sometimes throwing more IT systems at a problem does not make it more secure.

    16. Re:SMS for Security by rioki · · Score: 1

      Having a non IT device in the securing process makes it more secure, since they need physical access. Even if you grab my TAN pad, you need the other bits of information. It also makes the attack way more difficult, with IT systems someone can rob a bunch of people from his comfy chair in basmentistan, with a physical token, he needs to actually go where the people live and rip them off. But if he is doing that, it is easier to take all my cash (mug on the street) or my PC and flat screen TV (rob my house).

    17. Re:SMS for Security by gagol · · Score: 1

      Yes, i forgot the sarcasm tags... Please repeat those words to your congressman.

      --
      Tomorrow is another day...
    18. Re:SMS for Security by Paradise+Pete · · Score: 1

      You're overgeneralizing. This never ever happened to me.

      You're undergeneralizing.

  2. SMS precautions... by benjfowler · · Score: 1

    One way that's been recommended to stop crooks hacking the phone part, is to get the cheapest shittiest dumbphone you can find, get a cheap SIM, and use _that_ for two factor authentication.

    Here, low end dumbphones are so cheap, they're virtually disposable. When I travel to cities with high petty crime (e.g. many big European cities), I just use the cheap phone and leave the expensive smartphone at home. The worst that can happen, is that your female friends get a few weird phone calls until you cancel the SIM.

    1. Re:SMS precautions... by Donwulff · · Score: 2

      I have to wonder where you're living that you consider Europe high-crime. In particular, US comes always near top on any crime rate surveys. Specifically, with the exception of Belgium and Spain the rest of the Europe is virtually safe: http://www.civitas.org.uk/crime/crime_stats_oecdjan2012.pdf Certainly it's also true a small town will be safer than a big city anywhere on this account.

      More than that I'm wondering what's your point with the cheap phone. It won't help any if your phone gets stolen. I suppose you could get one cheap dumb-phone for two-factory authentication, another for city night-life, a thir one to call your female friends, and lock the expensive smart-phone in a safe vault with the keys to the vault. Just to be safe.

    2. Re:SMS precautions... by rioki · · Score: 1

      I have never been mugged in Paris, Barcelona or Rome... can't say for the others, was never there. But I am of the conviction that people that get mugged have it coming for them. Not acting like a total tourist might also help. Not waving that expensive phone around might also help. Although getting a dumb phone might be an extreme measure, but probably by simple fact of having a dumb phone will reduce the chance of getting ripped off.

  3. Separate Channel by kirjoittaessani · · Score: 1

    Actually, using your mobile phone to authenticate a transaction used to be a good idea -- back when phones (and SMS/texting) provided a separate communication channel from the internet, so even if your computer was compromised, you had the chance notice something was amiss. With today's smartphones, there is no real separation anymore, because an attacker just needs to compromise texting and banking apps (or the web browser) on the phone; or on the desktop and the phone, but that is easy because the phone is managed from the desktop.

  4. Just look at the "paper" trail by rs1n · · Score: 2

    Even if they did manage to get the money out, it all had to go somewhere. Why is it not as simple as looking up where the money went and going from there to determine the culprit? Am I missing something obvious?

    1. Re:Just look at the "paper" trail by benjfowler · · Score: 2

      Western Union.

    2. Re:Just look at the "paper" trail by G3E9 · · Score: 1

      Could 36M in prepaid debit gift cards.

    3. Re:Just look at the "paper" trail by Anonymous Coward · · Score: 1

      You are missing the obvious "fiscal paradise" (not confuse with corporate havens, thought closely related) part of any good big moneytaking. Transfers to places like Cayman Islands means they won't get the name of the owner.

      For who doesn't know what I'm talking about, check wikipedia artcle on Offshore bank.

    4. Re:Just look at the "paper" trail by Kam+Solusar · · Score: 2

      Usually, the money is transferred to accounts in eastern Europe opened with stolen or fake identities. The thieves then just withdraw the money in cash, making it pretty hard to track them down.

      --
      The Angels have the Phone Box
  5. RSA Security tokens compromised by Anonymous Coward · · Score: 1

    Sadly the earlier second token system was compromised by some damn carelessness at RSA:

    http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/

  6. Re:SMS Token by Teun · · Score: 1
    It's not just banks with tokens that don't 'get it' regarding security.
    Some 2 months ago Danish Jyskebank had their authentication system breached by means of a Java vulnerability so for a weekend they shut down their system for updates.
    When they came back up you only noticed the log-in applet was not showing, it required a call to the bank to be told you needed to update to the latest version of Java.

    Then after log in they show links to documents explaining the changes, in Adobe pdf and Flash...

    Also noteworthy is that Denmark's largest company's IT security policy prohibits the installation of Java on their systems, so no more Jyskebank for their employees :)

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  7. Is the compromised PC necessary? by 140Mandak262Jamuna · · Score: 4, Interesting
    From what I could understand from the article, it starts with a compromised PC. The virus, sits there, biding its time, not taking any other malicious actions. May be a key stroke logger but does not phone home yet.

    When the user visits a banking website, it probably has the username, password, bank url from the key logging. It adds javascript to the web page dished out by the bank asking for the mobile device number. But this javascript phones home dumping the info to the attacker.

    Then the attacker sends in a trojan to the mobile device. User installs a trojan in the mobile device. Technically mobile device is not hacked. User is tricked into installing a software. At this point there is no security left. The attacker can do anything.

    Now, the attacker can just the trojan to the mobile device directly, but it would be difficult to persuade the user to install it. All the compromised PC is doing is, giving account numbers, and details about last few transactions etc to make it look authentic. But if such info is available from other sources, or if not all that much is needed to persuade the user to install that trojan, it is game over. The key to the whole thing is sneaking the trojan past without arousing suspicion of the user into the mobile device.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Is the compromised PC necessary? by fa2k · · Score: 1

      They need the user ID and password from the PC. They only need this once, though, as it doesn't change.

      There are mobile apps for banking that only require a password (sometimes limited to a numeric code, gah!), but those are often limited in their functionality, for any sane bank

  8. Re:SMS Token by GNious · · Score: 1

    I was offered 2 online-banking systems while I still lived in DK.
    Both turned out to use known-flawed Java 1.1 (or 1.2?) security routines.

    When I asked the banks, I was told "We know nothing about this computer thing, try our provider" (scary)
    When I asked one of the provider, I was told that, yes, they know it is flawed, but if they use anything more secure it will be too much work for people to log in (hint: Windows, at the time, came with the flawed version of Java).

    Since then I've flat-out refused to use onlline-banking.

    Note: I have found some credit-card issuers offer SMS-authentication (alongside regular passcodes) - not found one that actually manages to send the authentication-codes to my cellphone.

  9. Dumb users by Ecuador · · Score: 1

    I RTFA and while the whole system is quite sophisticated with keylogging trojans etc, in the end it works on the few dumb users who will press an SMS link that says "To install the free cryptographic software on your phone, use this link".
    Clicking a link on an unsolicited message and especially one that contains the words "Install" and "Free" means you should not own a smartphone, and probably neither a PC with a browser or email client.
    In the end all that hard work from fraudsters gave them access to the money of people who are just a bit smarter than those who respond to the "You won the Spanish Lottery" or "I am the son of the late King of Zembla and have eleventy billion USD to deposit to your account".
    I would be interested to find out if this scheme was more or less successful than the more common and much simpler "Click here to log on to your bank website and confirm your details" fake bank login scam. But I doubt the people who have the statistics on click-through rates etc of those methods would be interested in writing a paper...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:Dumb users by CBravo · · Score: 1

      It is not sophisticated, it is methodological. This stuff has been possible for ages and the smartphone part is not a necessary vector but just another one.

      The problem is that your bank-verificator does not include all transaction-critical data (all amounts, all bankaccounts) when signing a transaction. Until then a man in the middle attack is possible. Never trust your computer.

      --
      nosig today
    2. Re:Dumb users by hraponssi · · Score: 1

      I might qualify for this stupid (dumb user), although I tend to be more paranoid than the average person. My bank does not use this type of stuff but I guess that is not the point. I can see how someone might be "dumb enough".

      As far as I understood, you need to log in to your online banking through your PC. There you get the question asking for your mobile phone number etc. This is inside your standard banking application you just logged in to and have learned to trust. Now, after giving your phone number inside your trusted banking app, you get the link sent to your phone to install the mobile trojan. And this appear to come from your trusted banking app as mentioned, which told you it will send you a link for a new security software.

      So, why not, seems like a nice piece of poopoo to mess myself with. Not like the usual "There is problem with your Diablo III account, please click this chinese link even if you never played Diablo III". Of course, if the link in the SMS points to some ukrainian server, I might get a bit more suspicious. But if you already managed to get all theses pieces correct and are aiming to profit 36M, maybe you would host the trojan at least somewhere a bit more reasonable looking part of some hired botnet.

    3. Re:Dumb users by darthflo · · Score: 1

      Not that dumb, actually:

      Before even considering their cell phones, victims' computers are infected (by way of a drive-by exploit kit, e.g. Blackhole) with a variant of the ZeuS trojan. Upon their next log in at their e-banking site, ZeuS injects HTML and JavaScript into their browser. In this case, it'll inject a prompt for the victim's phone number and operating system. Since that prompt is shown within the (trusted) e-banking application, green address bar and all, it may look somewhat legitimate.

      Only after entering their cell details, users will get an SMS directing them to a ZeuS mobile package. That text was solicited (seconds before, by the user themselves), though, and the banking app actually prompts for a confirmation code that'll only be displayed if the user installs said app.

      All in all some naiveté is required, but to me, the whole setup is insidious and intricate enough not to ring any alarm bells in your average user.

  10. Hardly anyone gets security by dbIII · · Score: 1

    I had some HR idiot in an ecommerce company working with banks send me a password protected zip file with the password included in the email, and apparently he'd been doing that every day in the name of "security" for years.
    If it's not obvious, the above is actually no more secure than emailing the unencrypted document (since you effectively get that in a single message only with a bit of time to waste at both ends), and far less so if the person reuses passwords.

    1. Re:Hardly anyone gets security by CBravo · · Score: 2

      I've seen that method used so that company firewalls don't inspect and delete documents inside the zipfile. Maybe he just never understood the reasoning of it.

      --
      nosig today
    2. Re:Hardly anyone gets security by dbIII · · Score: 1

      Seems like cargo cult bullshit to me though especially since it was a few years before mail filters were scanning zipfiles. It looks like he'd seen somebody with a clue zip something up with a password some time but managed to completely avoid getting the entire point. He said it was done that way in case the email was sent to the wrong person, completely ignoring that the wrong person would have the password as well! The make things worse he'd called me to tell me that he was sending the email and he could have done the right thing and told me the password on the phone instead of with the payload.

    3. Re:Hardly anyone gets security by rioki · · Score: 1

      That is what the zop extension is used for. You want to send a colleague a file with a exe or dll and the corporate filter denies it... Well zip it and rename the zip to zop. That way the filter will not look into the file.

  11. Crypto challenge using amount and bank account by Anonymous Coward · · Score: 1

    Belgium doesn't seem to appear on the list: we're quite a small country but at least our banks seems to take security a bit more seriously.

    Here you MUST enter both the amount and the bank account number of the recipient as part of a cryptographic challenge: you need a special device (every customer gets one and they're all identical) into which you put your bank card and enter your PIN a first time.

    If you're wiring to a new account (one you never wired any money too) or if you're wiring an important sum (even if it's to one account you already wired amount to), then you MUST enter both the exact amount, press OK and then enter part of the account you're wiring to.

    You fail to do that and there's no transfer.

    There's no way around that: you have to either steal both the bank card and know the PIN and know the user identification string (e.g. "e0391829") *OR* use social-engineering to manage to steal money.

    Now the scary thing: you can wire up to about 125 000 Euros using your online bank account... So for a lot of people should they fall for social-engineering or should they have their card + PIN + user identification number stolen before they can warn the bank, it means they're lifetime savings can be stolen.

    Quite scary.

    I feel much more confident having a safe at the bank full of physical gold and leaving only what's needed to pay for normal expenses on my account ; )

    Besides that gold did quite fine since 2001 ; )

  12. No electronic access option by Myria · · Score: 1

    I wish that there were a way to tell your bank that all electronic access is to be essentially read-only. I would like to make my bank login only allow viewing account balances and transferring money among that bank's accounts, and not even allowing seeing a full account number. For anything else, I can go into a physical branch.

    Such a scheme would reduce attacks to someone annoying me by emptying my checking account into my savings account, causing overdrafts. A lot better than someone stealing my money.

    Using a bank to store your money really ought to be more secure than putting cash under your mattress. It kind of sucks that it's gotten to this.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  13. Eurograbber infects online customers? by dgharmon · · Score: 1

    How does this 'eurograbber' infect the online customers in the first place?

    --
    AccountKiller
  14. What raises a red flag... by knorthern+knight · · Score: 1

    ...is WTF the bank app would need to install *ANYTHING* on their phone. SMS is supposed to work on my "dumb" Nokia 6015i http://www.cellphones.ca/cell-phones/nokia-6015i/ I can't install stuff on it. The whole point of SMS autentication is that you use a separate device (cellphone) to authenticate a transaction entered on your PC. Of course, the people who do their banking via mobile phone apps have zilch security.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  15. Why work? by PacRim+Jim · · Score: 1

    Beats working.

  16. 1999 called and said have a filter that works by dbIII · · Score: 1

    That will only work with very poorly implemented filters. Of course a well implemented filter wouldn't block a legitimate executable file in a zip anyway unless that's the policy of the people at the site. If it is, get it changed instead of fucking about trying to hide stuff from broken mail filtering software.

    I really don't understand why some software vendors think they can trust criminals to nicely use standard file extensions, and also why they are locking out one of the most useful formats for transporting a collection of files. The only reason that zop hack works is because the filtering software exhibits a dangerous level of trust and doesn't examine the file format.

    The truly depressing thing is that it's some commercial filtering software that is broken and little or none of the free stuff (much of which is on some commercial filtering appliances or hosting solutions that have put work into integrating the free stuff in a useful way). With email filtering you typically pay more for hyped up pieces of shit instead of things that just quietly work.