Sophisticated Smartphone Hacking: 36 Million Euros Banking Theft
London, UK - 5th December 2012, 23:55 GMT
Dear ATCA Open & Philanthropia Friends
[Please note that the views presented by individual contributors are not necessarily representative of the views of ATCA, which is neutral. ATCA conducts collective Socratic dialogue on global opportunities and threats.]
A sophisticated digital attack involving smartphones has been used to steal 36 million euros (47 million dollars) from corporate and private banking customers across Europe. The attack appears to have emanated from cybercrime servers in Ukraine. Android and BlackBerry mobile devices have been specifically targeted, showing that attacks against Android devices are now a growing trend. A new customised version of the "Zeus" Trojan spyware called "ZITMO" (Zeus-In-The-MObile) has been deployed in a campaign that security companies have named Eurograbber. It enables a two-stage Trojan attack that spreads from a victim's personal computer (PC) to their mobile telephone. Eurograbber marks the first such case of PC-to-mobile Trojan malware targeted specifically at online banking. More than 30,000 online banking customers in Germany, Italy, Spain and the Netherlands have been affected by this attack.
Breaking into Smartphones
Second Major Online Banking Breach in 2012
The Eurograbber attack -- the second significant online banking breach -- follows a similar event earlier this year, known as Operation High Roller. High Roller utilised the same "ZITMO" technology to engineer 60 million dollars in fraudulent money transfers at 60 financial institutions. Like High Roller, Eurograbber also started in Italy before spreading to other countries in mainland Europe.
30+ European Banks Targeted
The criminal syndicate behind Eurograbber appears to have configured the Trojan malware to target customers of 16 specific banks in Italy, as well as seven in Spain, six in Germany and three in the Netherlands. Individual transfer amounts made by Eurograbber malware ranged from 500 euros (656 dollars) to 250,000 euros (328,000 dollars) per victim. Targeted European banks and law enforcement agencies in the affected countries have been notified.
Case Study of Eurograbber
The sophisticated digital attack is described in a new report called "A Case Study of Eurograbber: How €36 million was stolen via malware" by Check Point and Versafe. The report offers a step-by-step picture of how individual computers are infected and how the infected machines are then used to pull off the heist.
Summary of Report
Eurograbber was launched against banking customers, using a sophisticated combination of malware directed at computers and mobile devices. The malware, in conjunction with the attackers’ command and control server, first infected the victims’ computers, and then, infected their mobile devices in order to intercept SMS [text] messages to bypass the banks’ two-factor authentication process. With the stolen information and the Transaction Authentication Number (TAN), the attackers then performed automatic transfers of funds, ranging between 500 euros and 250,000 euros, from the victims’ accounts to mule accounts across Europe. To date, this exploit has only been detected in euro zone countries, but a variation of this attack could potentially affect banks in countries outside of the European Union as well.
Defeating Two Stage Authentication
The elaborate Eurograbber "ZITMO" attack is designed to defeat the two-factor authentication systems deployed by many banks. To do that, a companion smartphone version of the malware intercepts the one-time Transaction Authentication Number (TAN) that banks send to a customer's mobile device via SMS (text message), which the customer must then enter into a banking website prompt to authorise a money transfer. Verification codes appear to have been recorded and used to create further banking sessions in real time.
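The report's point is that an SMS TAN is only as strong as what the bank checks when the code comes back. The following is an added example, not code from the Check Point/Versafe report or from any bank, showing a server-side TAN service that binds each code to one transaction (account, beneficiary, amount), expires it after a short window and invalidates it on first use. Under those rules a recorded code cannot be replayed to open a further session and cannot authorise a transfer with different details. The key, the time-to-live, the account identifiers and the `TanService` class are all constructed for the illustration. Note what the check does not do: if malware initiates the transfer inside the victim's own session and forwards the code for that very transfer, the binding still matches, which is why the report's guidance on keeping the endpoint clean and reading the transfer details in the SMS remains necessary.

```python
import hmac
import hashlib
import secrets
import time

# Constructed demo key; a real deployment keeps this in an HSM or key vault.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TAN_TTL_SECONDS = 120  # assumed validity window for a code


class TanService:
    """Issues and verifies one-time TANs bound to a specific transfer.

    Each TAN is derived from the transaction id, the transfer details and
    the expiry time, is accepted only for that transaction while it is
    still pending and unexpired, and is removed on first successful use.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # tx_id -> (binding, expires_at)

    @staticmethod
    def _binding(account, beneficiary, amount_cents):
        # The transfer details the code is tied to.
        return f"{account}|{beneficiary}|{amount_cents}".encode()

    def _derive(self, tx_id, binding, expires_at):
        # HMAC over tx id, details and expiry, truncated to a 6-digit code.
        msg = tx_id.encode() + b"|" + binding + b"|" + str(int(expires_at)).encode()
        digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, account, beneficiary, amount_cents):
        """Create a pending transaction and the SMS text the customer would get."""
        tx_id = secrets.token_hex(8)
        expires_at = self._now() + TAN_TTL_SECONDS
        binding = self._binding(account, beneficiary, amount_cents)
        self._pending[tx_id] = (binding, expires_at)
        tan = self._derive(tx_id, binding, expires_at)
        # The SMS carries the details it authorises so that a customer who
        # reads it can spot a transfer they did not request.
        sms = f"TAN {tan} authorises {amount_cents / 100:.2f} EUR to {beneficiary}"
        return tx_id, tan, sms

    def verify(self, tx_id, account, beneficiary, amount_cents, tan):
        """Return (accepted, reason); a code is consumed on acceptance."""
        entry = self._pending.get(tx_id)
        if entry is None:
            return False, "unknown or already used transaction"
        binding, expires_at = entry
        if self._now() > expires_at:
            del self._pending[tx_id]
            return False, "expired"
        if binding != self._binding(account, beneficiary, amount_cents):
            return False, "transfer details do not match the issued TAN"
        expected = self._derive(tx_id, binding, expires_at)
        if not hmac.compare_digest(expected, tan):
            return False, "wrong code"
        del self._pending[tx_id]   # single use: replay of this code now fails
        return True, "ok"


def demo():
    """Walk a captured code through the three checks; returns the outcomes."""
    clock = [1_000_000.0]
    svc = TanService(now=lambda: clock[0])
    # Constructed accounts and a 500 EUR transfer (the smallest amount in the report).
    tx, tan, sms = svc.issue("ACCT-VICTIM-1", "ACCT-MULE-9", 50_000)
    results = {
        "other_beneficiary": svc.verify(tx, "ACCT-VICTIM-1", "ACCT-OTHER", 50_000, tan),
        "legitimate": svc.verify(tx, "ACCT-VICTIM-1", "ACCT-MULE-9", 50_000, tan),
        "replay": svc.verify(tx, "ACCT-VICTIM-1", "ACCT-MULE-9", 50_000, tan),
    }
    tx2, tan2, _ = svc.issue("ACCT-VICTIM-1", "ACCT-MULE-9", 50_000)
    clock[0] += TAN_TTL_SECONDS + 1   # let the second code lapse
    results["expired"] = svc.verify(tx2, "ACCT-VICTIM-1", "ACCT-MULE-9", 50_000, tan2)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} -> {outcome}")
```

The first verification in `demo()` fails because the captured code is presented for a different beneficiary, the second succeeds, the third fails because the code has been consumed, and the fourth fails on expiry. Real mTAN deployments differ in how they derive the code and where they store pending transactions, but the three properties (bound, short-lived, single-use) are the ones that stop a recorded code from being reused.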
Two Stage Authentication Questioned
Two-stage authentication, whereby a customer enters a second code generated by the bank in addition to a regular password or PIN, is common in online banking and online eCommerce. It is also used by companies such as PayPal and Google to make online shopping and cloud services more secure. More than 30 per cent of EU and US banks appear to deploy similar security systems for online banking and eCommerce.
How Can Users Protect Themselves From Becoming Victims? Report Suggestions
1. Regular Updates
Attackers consistently look to exploit known security flaws, so a critical preventative measure is to regularly update all computers that are used to conduct online banking transactions. Doing so ensures the most current vendor patches and security signatures are applied, thus providing the most current security available. Below are the primary elements that should be regularly updated.
a. Operating System
b. Antivirus software
c. Adobe Flash
d. Adobe Reader
e. Internet Browser
f. Any other tools or programs used for downloading files or web surfing
One of the most common infection methods is the "drive-by download", where malicious code is silently downloaded onto a web surfer's computer while they are browsing the internet. It is very likely that some of the Eurograbber victims were initially infected by drive-by downloads. Maintaining current software and security products on your computer will provide the most protection against current infection techniques like drive-by downloads. Additionally, conducting regular antivirus scans can inform users of existing computer infections so they can take remediation actions to remove the malware.
2. Never Respond To Unsolicited Emails
Social engineering is an essential part of the attack. The email directing the customer to "click on the link to improve online banking security" is the key that opens Pandora's Box and begins the attack. Such emails are known as "phishing" emails; if the banking customer recognises the email as unsolicited and does not click on the link, their desktop will not be infected and the Eurograbber attack will not occur. It is very important never to respond to unsolicited emails from your financial institutions. If the message concerns you, contact the institution directly, using a phone number from a different source rather than one provided in the email. Inform them of the email and follow their guidance.
As a user, following best practices -- maintaining OS, application and security currency on your computer and exercising caution with unsolicited emails and during internet surfing -- can provide some of the very best protection against becoming infected.
Conclusion of Report
Eurograbber is an excellent example of a successful targeted, sophisticated and stealthy attack. The threat from custom-designed, targeted attacks like Eurograbber is real and is not going away. The threat community is alive and motivated to create ever more sophisticated attacks because the spoils are rich and many. Enterprises as well as individuals need to exercise due care and ensure they conduct important online business, especially financial transactions, in the most secure environments possible. Further, individual users must be steadfast in ensuring all of their desktops, laptops and tablets have all possible security layers enabled and that they are kept current with software and security updates to ensure the best protection possible. Online banking customers should make efforts to ensure their computer is current and to conduct their online banking transactions from the most secure environment possible. A computer that is current in OS and application updates and security protections, combined with an office network that is protected with multiple layers of security, will provide the most protection against attacks like Eurograbber.
What are your thoughts, observations and views? We are hosting an Expert roundtable on this issue at ATCA 24/7 on Yammer.
Expert roundtables are the newly launched ATCA 24/7 Q&A private exclusive club service. They seek to become the killer application in strategic intelligence by delivering an unprecedented competitive advantage to our distinguished members. They can only be accessed online at https://www.yammer.com/atca
Q1: How to become a privileged member of ATCA 24/7 to participate in the expert roundtables?
A1: i. If you are a distinguished member of ATCA 5000, ATCA Open, The Philanthropia or HQR affiliated groups you may be allowed to become a privileged member of this new and exclusive private club.
ii. If you are pre-invited, visit the private intelligence network -- PIN -- by going to https://www.yammer.com/atca [Note: the 's' in https:// stands for a secure, encrypted connection]
iii. If you don't have membership of the PIN yet, email the mi2g Intelligence Unit at intelligence.unit at mi2g dot com for an exclusive invitation.
Q2: How to participate in the expert roundtables and get domain-specific strategic intelligence questions answered?
A2: Access the ATCA 24/7 Private Intelligence Network -- PIN -- online and ask or answer a strategic intelligence question, no matter how complex. Receive expert answers within 24 hours or get pointers from:
i. ATCA 5000 experts who are online;
ii. ATCA Research and Analysis Wing; and
iii. mi2g Intelligence Unit.
Q3: Why is the ATCA 24/7 Q&A Exclusive Club special?
A3: ATCA 24/7 has now created an exclusive private intelligence watering hole and expert roundtable at the highest level where interesting and sophisticated questions are being asked from around the world, and intelligent answers are being provided, almost always by experts who have deep domain-specific knowledge. Come and check out the exclusive club, take it for a strategic test drive, which sign-of-intelligent life are you waiting for?
To learn more about "The Expert Roundtable: ATCA 24/7 Q&A Club" email: intelligence.unit at mi2g.com and if you are already a member visit https://www.yammer.com/atca
We welcome your thoughts, observations and views. To reflect further on this subject and others, please respond within Twitter, Facebook and LinkedIn's ATCA Open and related discussion platform of HQR. Should you wish to connect directly with real time Twitter feeds, please click as appropriate:
. ATCA Open
. mi2g Intelligence Unit
. Open HQR
. DK Matai