Slashdot Mirror


How the Eurograbber Attack Stole 36M Euros

Orome1 writes "Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers (PDF). The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."

13 of 57 comments

  1. SMS for Security by Anonymous Coward · · Score: 5, Interesting

    Whoever thought that was a good idea deserves a special hell.

    Sure, let's rely on the most stolen personal object as a security measure, what could possibly go wrong?

    1. Re:SMS for Security by gagol · · Score: 2

      I definitely work in the wrong field...

      --
      Tomorrow is another day...
    2. Re:SMS for Security by ByOhTek · · Score: 2

      You've obviously never dealt with banks.

      They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    3. Re:SMS for Security by AleX122 · · Score: 2

      The theft was not possible due to the most stolen personal object. An ordinary thief will not benefit at all from having your phone, unless you keep your bank password in the phone. In this scenario the phones were not stolen but compromised.

    4. Re:SMS for Security by Donwulff · · Score: 4, Interesting

      Unless the thief gets both the phone and the online-banking user-id, password and single-use key-lists, the phone won't help them any. Unless the implementation in question is severely broken, the phone/SMS acts only as an extra factor in authentication. How it works for me, for example, is I log on to the online banking site, authenticate with an extra-long user-id (which in itself acts as a password), a pin I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling me to enter the n:th number on my keylist on the online banking site.

      Now I'm no fan of the SMS-authentication, mostly because it makes things too slow, but one has to admit it increases security. The only way I am screwed is if I keep my user-id, password, key-list and phone at the same place, and then I would be screwed whether there were SMS authentication or not.

      Of course, it's already possible to buy all kinds of services and rack up phone-bills with a mobile phone, so it's a bad idea to lose one either way. Not too long ago some thief stole a mobile phone, used it to buy every bottle in a soft-drink vending machine, poured the bottles empty and returned the empty bottles for the bottle recycling fee. He sure didn't make a lot per hour, but the point is there already exist actual security issues with SMS that have nothing to do with banks.

    5. Re:SMS for Security by Dr. Hok · · Score: 2

      You've obviously never dealt with banks.

      They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.

      You're overgeneralizing. This never ever happened to me. There are obviously different banks out there. Whenever any bank sends me an email, they mention my name, nothing else. Not even the account number. They don't even send me the URL of their secure web site. It would look suspicious (to me, at least) if they did.

      Any sensitive stuff comes either by snail mail (like TANs; this is apparently where other banks save money), or I download it actively from their site.

      --
      Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
    6. Re:SMS for Security by Specter · · Score: 2

      Boy is this the truth. My mortgage banker (and her company) were so ignorant of the risks of what they were doing that they couldn't comprehend why I was being such a difficult customer. I offered to come in and do some 'pro bono' security consulting for them after the deal closed but they had no interest.

      Don't hold your breath expecting changes anytime soon either. After talking to quite a few people in the industry I'm learning that 99.999% of their customers just don't care. They (sign and) send whatever they're asked, however they're asked, to wherever they're asked with nary a protest or a hesitation. Often they do it without even reading the documents.

      Our brokers were shocked when I told them I wanted to read all the documents. "No one does that!" and "It would take hours!" (Thankfully our title companies were a lot more clue-ful.) I found the entire experience a useful insight into the origins of the US financial crisis.

  2. Just look at the "paper" trail by rs1n · · Score: 2

    Even if they did manage to get the money out, it all had to go somewhere. Why is it not as simple as looking up where the money went and going from there to determine the culprit? Am I missing something obvious?

    1. Re:Just look at the "paper" trail by benjfowler · · Score: 2

      Western Union.

    2. Re:Just look at the "paper" trail by Kam Solusar · · Score: 2

      Usually, the money is transferred to accounts in eastern Europe opened with stolen or fake identities. The thieves then just withdraw the money in cash, making it pretty hard to track them down.

      --
      The Angels have the Phone Box
  3. Is the compromised PC necessary? by 140Mandak262Jamuna · · Score: 4, Interesting

    From what I could understand from the article, it starts with a compromised PC. The virus sits there, biding its time, not taking any other malicious actions. Maybe a keystroke logger, but it does not phone home yet.

    When the user visits a banking website, it probably has the username, password, bank URL from the key logging. It adds JavaScript to the web page dished out by the bank asking for the mobile device number. But this JavaScript phones home, dumping the info to the attacker.

    Then the attacker sends in a trojan to the mobile device. The user installs a trojan on the mobile device. Technically the mobile device is not hacked. The user is tricked into installing software. At this point there is no security left. The attacker can do anything.

    Now, the attacker can just send the trojan to the mobile device directly, but it would be difficult to persuade the user to install it. All the compromised PC is doing is giving account numbers, details about the last few transactions etc. to make it look authentic. But if such info is available from other sources, or if not all that much is needed to persuade the user to install that trojan, it is game over. The key to the whole thing is sneaking the trojan into the mobile device without arousing the suspicion of the user.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  4. Re:SMS precautions... by Donwulff · · Score: 2

    I have to wonder where you're living that you consider Europe high-crime. In particular, the US always comes near the top in any crime rate surveys. Specifically, with the exception of Belgium and Spain, the rest of Europe is virtually safe: http://www.civitas.org.uk/crime/crime_stats_oecdjan2012.pdf Certainly it's also true a small town will be safer than a big city anywhere on this account.

    More than that, I'm wondering what your point is with the cheap phone. It won't help any if your phone gets stolen. I suppose you could get one cheap dumb-phone for two-factor authentication, another for city night-life, a third one to call your female friends, and lock the expensive smart-phone in a safe vault with the keys to the vault. Just to be safe.

  5. Re:Hardly anyone gets security by CBravo · · Score: 2

    I've seen that method used so that company firewalls don't inspect and delete documents inside the zipfile. Maybe he just never understood the reasoning of it.

    --
    nosig today