UPDATED: PC and mobile malware combo grabs €30m in online banking heist


by Steve Evans | 05 December 2012

'Eurograbber' infects PCs then switches to mobile devices - and targets online banking credentials

Cyber criminals have stolen €36m from users across Europe using malware that can be installed on a PC and mobile phone, and work in harmony across both devices.

According to the Financial Times, the Eurograbber malware is thought to be the first of its kind in that it infected a desktop PC and a mobile device. It also took advantage of two-factor authentication used by online banking systems.

Around 30,000 people are thought to have been caught out by the malware across Germany, Italy, Spain and the Netherlands.

According to reports, Eurograbber first works by infecting a PC, most likely due to the user visiting an infected website or opening an infected document. Once installed, the malware waits for the victim to instigate an online banking session, at which point it asks them to upgrade their online banking security capabilities.

This process involves asking the user to enter their mobile phone number. If the user does this, they will receive a text message on their phone, which prompts them to update the security on their mobile device as well. When the user clicks the link, a second piece of malware is installed, this time on the phone.

This second part of the Eurograbber malware is designed to intercept the authentication codes banks send out during online banking sessions.

The malware can then carry out a second transaction in real-time as it can intercept the required information on the PC and on the mobile.

Victims lost between €500 and €250,000, the Financial Times said. It targeted Android and BlackBerry phones, the report added.

The malware, which is a variant of the Zeus family, was discovered by Check Point and Versafe, when their customers became infected.

Darrell Burkey, director of intrusion prevention products at Check Point, said the malware was well designed. "Not to give kudos to the attackers, but it was a good piece of engineering. The mobiles they targeted were very common mobiles, and they targeted very successful banks," he told the FT.

Trend Micro's Rik Ferguson told CBR that the malware seems to be the same as the Zitmo malware previously detected.

"It doesn't appear to be functionally any different from the other Zitmo variants and attacks we have been seeing in the wild since September 2010," he said. "The first documented attack was in Spain, the second in Poland and since then we have seen them across several major European countries affecting the Symbian, Windows Mobile, BlackBerry and Android operating systems."

Ferguson added that online bank users in the UK are less likely to fall victim to the malware, as banks here rely less on text messages as a vehicle for authentication codes.
