'Eurograbber' infects PCs then switches to mobile devices - and targets online banking credentials
Cyber criminals have stolen €36m from users across Europe using malware that can be installed on a PC and mobile phone, and work in harmony across both devices.
According to the Financial Times, the Eurograbber malware is thought to be the first of its kind in that it infected a desktop PC and a mobile device. It also took advantage of two-factor authentication used by online banking systems.
Around 30,000 people are thought to have been caught out by the malware across Germany, Italy, Spain and the Netherlands.
According to reports Eurograbber first works by infecting a PC, most likely due to the user visiting an infected website or opening an infected document. Once installed the malware waits for the victim to instigate an online banking session, at which point it asks them to upgrade their online banking security capabilities.
This process involves asking the user to enter their mobile phone number. If the user does this they will receive a text message on their phone, which prompts them to update the security on their mobile device as well. When the user clicks the link, a second piece of malware is installed, this time on the phone.
This second part of the Eurograbber malware is designed to intercept the authentication codes banks send out during online banking sessions.
The malware can then carry out a second transaction in real-time as it can intercept the required information on the PC and on the mobile.
Victims lost between €500 and €250,000, the Financial Times said. It targeted Android and BlackBerry phones, the report added.
The malware, which is a variant of the Zeus family, was discovered by Check Point and Versafe, when their customers became infected.
Darrell Burkey, director of intrusion prevention products at Check Point, said the malware was well designed. "Not to give kudos to the attackers, but it was a good piece of engineering. The mobiles they targeted were very common mobiles, and they targeted very successful banks," he told the FT.
Trend Micro's Rik Ferguson told CBR that the malware seems to be the same as the Zitmo malware previously detected.
"It doesn't appear to be functionally any different from the other Zitmo variants and attacks we have been seeing in the wild since September 2010," he said. "The first documented attack was in Spain, the second in Poland and since then we have seen them across several major European countries affecting the Symbian, Windows Mobile, BlackBerry and Android operating systems."
Ferguson add that online bank users in the UK are less likely to fall victim to the malware, as banks here rely less on text messages as a vehicle for authentication codes.