
How the Eurograbber Attack Stole 36M Euros

samzenpus posted about a year ago | from the now-you-see-it-now-you-don't dept.

Security 57

Orome1 writes "Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers (PDF). The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."


57 comments

SMS for Security (5, Interesting)

Anonymous Coward | about a year ago | (#42202747)

whoever thought that was a good idea deserves a special hell.

sure, let's rely on the most stolen personal object as a security measure, what could possibly go wrong?

Re:SMS for Security (2)

ByOhTek (1181381) | about a year ago | (#42202817)

You've obviously never dealt with banks.

They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.

Re:SMS for Security (2)

Dr. Hok (702268) | about a year ago | (#42203183)

You've obviously never dealt with banks.

They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.

You're overgeneralizing. This never ever happened to me. There are obviously different banks out there. Whenever any bank sends me an email, they mention my name, nothing else. Not even the account number. They don't even send me the URL of their secure web site. It would look suspicious (to me, at least) if they did.

Any sensitive stuff comes either by snail mail (like TANs; this is apparently where other banks save money), or I download it actively from their site.

Re:SMS for Security (1)

ByOhTek (1181381) | about a year ago | (#42203339)

Try getting a mortgage.

I dealt with several major banks here in the US, and ALL of them figured that this was a "good idea".

Re:SMS for Security (1)

RaceProUK (1137575) | about a year ago | (#42204829)

in the US

<jamiewyneman>There's yer problem!</jamiewyneman>

Most UK banks tend to have halfway-sane privacy procedures.

Re:SMS for Security (2)

Specter (11099) | about a year ago | (#42205915)

Boy is this the truth. My mortgage banker (and her company) were so ignorant of the risks of what they were doing that they couldn't comprehend why I was being such a difficult customer. I offered to come in and do some 'pro bono' security consulting for them after the deal closed but they had no interest.

Don't hold your breath expecting changes anytime soon either. After talking to quite a few people in the industry I'm learning that 99.999% of their customers just don't care. They (sign and) send whatever they're asked, however they're asked, to wherever they're asked with nary a protest or a hesitation. Often they do it without even reading the documents.

Our brokers were shocked when I told them I wanted to read all the documents. "No one does that!" and "It would take hours!" (Thankfully our title companies were a lot more clue-ful.) I found the entire experience a useful insight into the origins of the US financial crisis.

Hardly anyone gets security (1)

dbIII (701233) | about a year ago | (#42204067)

I had some HR idiot in an ecommerce company working with banks send me a password protected zip file with the password included in the email, and apparently he'd been doing that every day in the name of "security" for years.
If it's not obvious, the above is actually no more secure than emailing the unencrypted document (since you effectively get that in a single message only with a bit of time to waste at both ends), and far less so if the person reuses passwords.

Re:Hardly anyone gets security (2)

CBravo (35450) | about a year ago | (#42208487)

I've seen that method used so that company firewalls don't inspect and delete documents inside the zipfile. Maybe he just never understood the reasoning of it.

Re:Hardly anyone gets security (1)

dbIII (701233) | about a year ago | (#42212263)

Seems like cargo cult bullshit to me though, especially since it was a few years before mail filters were scanning zipfiles. It looks like he'd seen somebody with a clue zip something up with a password some time but managed to completely avoid getting the entire point. He said it was done that way in case the email was sent to the wrong person, completely ignoring that the wrong person would have the password as well! To make things worse he'd called me to tell me that he was sending the email and he could have done the right thing and told me the password on the phone instead of with the payload.

Re:Hardly anyone gets security (1)

rioki (1328185) | about a year ago | (#42213405)

That is what the zop extension is used for. You want to send a colleague a file with an exe or dll and the corporate filter denies it... Well zip it and rename the zip to zop. That way the filter will not look into the file.

1999 called and said have a filter that works (1)

dbIII (701233) | about a year ago | (#42213527)

That will only work with very poorly implemented filters. Of course a well implemented filter wouldn't block a legitimate executable file in a zip anyway unless that's the policy of the people at the site. If it is, get it changed instead of fucking about trying to hide stuff from broken mail filtering software.

I really don't understand why some software vendors think they can trust criminals to nicely use standard file extensions, and also why they are locking out one of the most useful formats for transporting a collection of files. The only reason that zop hack works is because the filtering software exhibits a dangerous level of trust and doesn't examine the file format.

The truly depressing thing is that it's some commercial filtering software that is broken and little or none of the free stuff (much of which is on some commercial filtering appliances or hosting solutions that have put work into integrating the free stuff in a useful way). With email filtering you typically pay more for hyped up pieces of shit instead of things that just quietly work.
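Added example, not part of the thread: a minimal sketch of the content-based inspection the comment above asks of a mail filter, where the attachment's type comes from its leading bytes and a zip container is opened to classify its members, so renaming `.zip` to `.zop` changes nothing. The function names, the signature table and the sample attachments are constructed for illustration and do not describe any particular filtering product.

```python
import io
import zipfile

# Leading-byte signatures; enough for this sketch, not an exhaustive table.
SIGNATURES = [
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip"),          # empty archive
    (b"MZ", "pe-executable"),        # Windows EXE/DLL
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
]
# Extensions that honestly describe each detected type.
HONEST_EXT = {
    "zip": {"zip"},
    "pe-executable": {"exe", "dll"},
    "elf-executable": {"", "so", "elf"},
    "pdf": {"pdf"},
}
EXECUTABLE = {"pe-executable", "elf-executable"}


def sniff(head):
    """Classify content by its first bytes, ignoring any file name."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(filename, data):
    """Report what an attachment is, based on its bytes, not its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data[:8])
    report = {
        "name": filename,
        "detected": kind,
        "extension_mismatch": kind != "unknown" and ext not in HONEST_EXT[kind],
        "members": [],
    }
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:
                        # Password-protected entry: the name is visible,
                        # the content cannot be classified without the password.
                        member_kind = "encrypted"
                    else:
                        with zf.open(info) as fh:
                            member_kind = sniff(fh.read(8))
                    report["members"].append((info.filename, member_kind))
        except zipfile.BadZipFile:
            report["detected"] = "corrupt-zip"
    report["contains_executable"] = kind in EXECUTABLE or any(
        k in EXECUTABLE for _, k in report["members"])
    report["uninspectable"] = any(
        k == "encrypted" for _, k in report["members"])
    return report


def build_sample_zip(members):
    """Constructed sample data: build a zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment: a zip renamed to .zop holding a PE-style file.
    renamed = build_sample_zip({"notes.txt": b"quarterly notes",
                                "tool.dat": b"MZ\x90\x00" + b"\x00" * 60})
    print(inspect_attachment("report.zop", renamed))
    print(inspect_attachment("docs.zip", build_sample_zip({"a.txt": b"hello"})))
```

Whether an executable inside an archive is then delivered, quarantined or blocked stays a site policy decision made on the report, which is the separation the comment argues for.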

Re:SMS for Security (2)

AleX122 (1657367) | about a year ago | (#42202843)

The theft was not possible due to the most stolen personal object. An ordinary thief will not gain anything from having your phone, unless you keep your bank password in the phone. In this scenario the phones were not stolen but compromised.

Re:SMS for Security (1)

gagol (583737) | about a year ago | (#42202857)

We are talking about an industry too big to fail... it does not matter if, and how badly, they screw up and mismanage. Even worse, you practically cannot exist if you are not a customer of banks...

Re:SMS for Security (0)

Anonymous Coward | about a year ago | (#42212285)

You are being sarcastic, right? No industry is too big to fail.
However, there will always be a need for (sane) banks, so after they fail, better ones will arise.

Re:SMS for Security (1)

gagol (583737) | about a year ago | (#42213607)

Yes, I forgot the sarcasm tags... Please repeat those words to your congressman.

Re:SMS for Security (1)

Anonymous Coward | about a year ago | (#42203067)

Someone stealing your phone would still need login and password info to the bank.

The sms security is actually quite a good idea which is both secure and convenient, and things usually don't go wrong.

If you read the article maybe you'd know that the problem was users getting duped into both installing a trojan on their phone and computer.

Re:SMS for Security (4, Interesting)

Donwulff (27374) | about a year ago | (#42203113)

Unless the thief gets both the phone and online-banking user-id, password and single-use key-lists the phone won't help them any. Unless the implementation in question is severely broken, the phone/SMS acts only as an extra factor in authentication. How it works for me for example is I log on the online banking site, authenticate with extra-long user-id (which in itself acts as a password), a pin I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling to enter n:th number on my keylist on the online banking site.

Now I'm no fan of the SMS-authentication, mostly because it makes things too slow, but one has to admit it increases security. Only way I am screwed is if I keep my user-id, password, key-list and phone at the same place, and then I would be screwed whether there were SMS authentication or not.

Of course, it's already possible to buy all kinds of services and rake up phone-bills with a mobile phone, so it's a bad idea to lose one either way. Not too long ago some thief stole a mobile phone, used it to buy every bottle in a soft-drink vending machine, poured the bottles empty and returned the empty bottles for bottle recycling fee. He sure didn't make a lot by hour, but the point is there already exist actual security issues with SMS that have nothing to do with banks.

Re:SMS for Security (1)

AtomicJake (795218) | about a year ago | (#42205467)

How it works for me for example is I log on the online banking site, authenticate with extra-long user-id (which in itself acts as a password), a pin I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling to enter n:th number on my keylist on the online banking site.

This is indeed secure - but a static predistributed key-list is a major pain. You always need to have access to it, before you can do anything. So, you can do Internet banking, but only from home (or where you store your key-list).

Re:SMS for Security (1)

rioki (1328185) | about a year ago | (#42213427)

I like my TAN list. The reason why I like it, is that it is a physical token that gets snail-mailed to me, in a tear up envelope, in a standard issue mail envelope. Sure someone could duplicate that before I get it, but that puts it into the realm of spy agencies and not petty internet criminals. Now if I can be reasonably sure that the system I am working on is safe, the TAN method works fine. The TANs are numbered and so at best they can steal one TAN with a trojan and divert one transaction in a man in the middle attack. Something that I will see on the account overview that is snail mailed to me regularly. Sometimes throwing more IT systems at a problem does not make it more secure.

Re:SMS for Security (1)

1s44c (552956) | about a year ago | (#42203607)

whoever thought that was a good idea deserves a special hell.

It's not a good idea, but it's still an improvement over letting users choose their own passwords.

Giving the users something better like a OTP dongle or a challenge response system that uses their bank cards is expensive and users won't understand it.

Re:SMS for Security (1)

ccguy (1116865) | about a year ago | (#42204579)

whoever thought that was a good idea deserves a special hell.

sure, let's rely on the most stolen personal object as a security measure, what could possibly go wrong?

Well, the problem here is not that it's stolen, it's that the phones are being compromised.

SMS for security was a great idea when the phones were dumb.

And to reply to your point, while it's true that phones are often stolen the fact is also immediately noticed so the SIM cards are cancelled and replaced. Compare that to for example one of those cards with a grid of numbers (please enter number E4...). If I took one from your wallet (and nothing else) you probably wouldn't notice until it was too late.

Re:SMS for Security (1)

rioki (1328185) | about a year ago | (#42213449)

Having a non IT device in the securing process makes it more secure, since they need physical access. Even if you grab my TAN pad, you need the other bits of information. It also makes the attack way more difficult, with IT systems someone can rob a bunch of people from his comfy chair in basementistan, with a physical token, he needs to actually go where the people live and rip them off. But if he is doing that, it is easier to take all my cash (mug on the street) or my PC and flat screen TV (rob my house).

Re:SMS for Security (1)

shipofgold (911683) | about a year ago | (#42209339)

Actually this is a pretty good way to do two factor authentication. In theory, you need possession of the login credentials as well as possession of the phone to do the transaction.

RSA SecurID with the "number that changes once a minute" is another two factor authentication system that is in wide use, and if I understand the attack vector would be just as easy to compromise with a trojan in the PC. Just have the bank's WWW site ask for the SecurID token for some innocuous thing (sync the SecurID for example), and trojan takes care of the rest.

The fact that they were able to infect two devices for a single user testifies to the ingenuity of this attack. If I am honest with myself, I can't say I would be immune to it either...even though I am probably more sensitive than the average computer user. I still find myself being the lemming when accessing some site and wanting to get the transaction done. Click here, put in code there, who knows whether it is legit or not. Especially since this trojan did some sort of greasemonkey type injection directly into the bank's real WWW page.

SMS precautions... (1)

benjfowler (239527) | about a year ago | (#42202865)

One way that's been recommended to stop crooks hacking the phone part, is to get the cheapest shittiest dumbphone you can find, get a cheap SIM, and use _that_ for two factor authentication.

Here, low end dumbphones are so cheap, they're virtually disposable. When I travel to cities with high petty crime (e.g. many big European cities), I just use the cheap phone and leave the expensive smartphone at home. The worst that can happen, is that your female friends get a few weird phone calls until you cancel the SIM.

Re:SMS precautions... (2)

Donwulff (27374) | about a year ago | (#42203361)

I have to wonder where you're living that you consider Europe high-crime. In particular, US comes always near top on any crime rate surveys. Specifically, with the exception of Belgium and Spain the rest of the Europe is virtually safe: http://www.civitas.org.uk/crime/crime_stats_oecdjan2012.pdf Certainly it's also true a small town will be safer than a big city anywhere on this account.

More than that I'm wondering what's your point with the cheap phone. It won't help any if your phone gets stolen. I suppose you could get one cheap dumb-phone for two-factor authentication, another for city night-life, a third one to call your female friends, and lock the expensive smart-phone in a safe vault with the keys to the vault. Just to be safe.

Re:SMS precautions... (0)

Anonymous Coward | about a year ago | (#42204347)

Yes it is well known that in all of Europe zero cellphones were stolen because there is zero crime in Europe. Not a single crime has ever been committed in this modern Utopia.

The hilarious thing is that I have been on holiday in many US cities without having a problem, but I have had things stolen from me while in Italy and England. Looks like your generalization doesn't match my reality.

Re:SMS precautions... (0)

benjfowler (239527) | about a year ago | (#42204421)

Paris, Madrid, Barcelona, Paris, Rome, Prague are rife with petty crime. Much of the crime is done by Romanian gypsies and north Africans.

The problem isn't necessarily the abovementioned pondlife; it's the local authorities' ineffectual approach to law and order. Compare and contrast with NYPD and their dedicated robbery squad, who cleared out the professional pickpockets in the Nineties when it got to be a problem.

Re:SMS precautions... (1)

rioki (1328185) | about a year ago | (#42213477)

I have never been mugged in Paris, Barcelona or Rome... can't say for the others, was never there. But I am of the conviction that people that get mugged have it coming for them. Not acting like a total tourist might also help. Not waving that expensive phone around might also help. Although getting a dumb phone might be an extreme measure, but probably by simple fact of having a dumb phone will reduce the chance of getting ripped off.

Re:SMS precautions... (0)

Anonymous Coward | about a year ago | (#42203677)

When I travel to cities with high petty crime (e.g. many big European cities), I just use the cheap phone and leave the expensive smartphone at home.

I don't know what cities you are talking about but most of Europe is safer than most of the US. Stop hanging out in dodgy neighborhoods in the middle of the night.

The worst that can happen, is that your female friends get a few weird phone calls until you cancel the SIM.

And stop making those phone calls. Your female friends know it's you.

Separate Channel (1)

kirjoittaessani (2109350) | about a year ago | (#42202885)

Actually, using your mobile phone to authenticate a transaction used to be a good idea -- back when phones (and SMS/texting) provided a separate communication channel from the internet, so even if your computer was compromised, you had the chance to notice something was amiss. With today's smartphones, there is no real separation anymore, because an attacker just needs to compromise texting and banking apps (or the web browser) on the phone; or on the desktop and the phone, but that is easy because the phone is managed from the desktop.

RSA Security tokens compromised (1)

Anonymous Coward | about a year ago | (#42202995)

Sadly the earlier second token system was compromised by some damn carelessness at RSA:

http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/

SMS Token (0)

Anonymous Coward | about a year ago | (#42202897)

What is ironic about this is that my bank in Portugal just recently introduced the SMS token for more security and I had to buy a stupid cell phone just for being able to do online banking.

Re:SMS Token (1)

Teun (17872) | about a year ago | (#42203117)

It's not just banks with tokens that don't 'get it' regarding security.
Some 2 months ago Danish Jyskebank had their authentication system breached by means of a Java vulnerability so for a weekend they shut down their system for updates.
When they came back up you only noticed the log-in applet was not showing, it required a call to the bank to be told you needed to update to the latest version of Java.

Then after log in they show links to documents explaining the changes, in Adobe pdf and Flash...

Also noteworthy is that Denmark's largest company's IT security policy prohibits the installation of Java on their systems, so no more Jyskebank for their employees :)

Re:SMS Token (1)

GNious (953874) | about a year ago | (#42203423)

I was offered 2 online-banking systems while I still lived in DK.
Both turned out to use known-flawed Java 1.1 (or 1.2?) security routines.

When I asked the banks, I was told "We know nothing about this computer thing, try our provider" (scary)
When I asked one of the providers, I was told that, yes, they know it is flawed, but if they use anything more secure it will be too much work for people to log in (hint: Windows, at the time, came with the flawed version of Java).

Since then I've flat-out refused to use online-banking.

Note: I have found some credit-card issuers offer SMS-authentication (alongside regular passcodes) - not found one that actually manages to send the authentication-codes to my cellphone.

Just look at the "paper" trail (2)

rs1n (1867908) | about a year ago | (#42202923)

Even if they did manage to get the money out, it all had to go somewhere. Why is it not as simple as looking up where the money went and going from there to determine the culprit? Am I missing something obvious?

Re:Just look at the "paper" trail (1)

Anonymous Coward | about a year ago | (#42203675)

You are missing the obvious "fiscal paradise" (not to be confused with corporate havens, though closely related) part of any good big moneytaking. Transfers to places like Cayman Islands mean they won't get the name of the owner.

For those who don't know what I'm talking about, check the Wikipedia article on Offshore bank.

Re:Just look at the "paper" trail (2)

Kam Solusar (974711) | about a year ago | (#42206187)

Usually, the money is transferred to accounts in eastern Europe opened with stolen or fake identities. The thieves then just withdraw the money in cash, making it pretty hard to track them down.

Is the compromised PC necessary? (4, Interesting)

140Mandak262Jamuna (970587) | about a year ago | (#42203123)

From what I could understand from the article, it starts with a compromised PC. The virus sits there, biding its time, not taking any other malicious actions. Maybe a keystroke logger but does not phone home yet.

When the user visits a banking website, it probably has the username, password, bank url from the key logging. It adds javascript to the web page dished out by the bank asking for the mobile device number. But this javascript phones home dumping the info to the attacker.

Then the attacker sends in a trojan to the mobile device. User installs a trojan in the mobile device. Technically mobile device is not hacked. User is tricked into installing a software. At this point there is no security left. The attacker can do anything.

Now, the attacker can just send the trojan to the mobile device directly, but it would be difficult to persuade the user to install it. All the compromised PC is doing is, giving account numbers, and details about last few transactions etc to make it look authentic. But if such info is available from other sources, or if not all that much is needed to persuade the user to install that trojan, it is game over. The key to the whole thing is sneaking the trojan past without arousing suspicion of the user into the mobile device.

Re:Is the compromised PC necessary? (1)

fa2k (881632) | about a year ago | (#42203919)

They need the user ID and password from the PC. They only need this once, though, as it doesn't change.

There are mobile apps for banking that only require a password (sometimes limited to a numeric code, gah!), but those are often limited in their functionality, for any sane bank.

Dumb users (1)

Ecuador (740021) | about a year ago | (#42204021)

I RTFA and while the whole system is quite sophisticated with keylogging trojans etc, in the end it works on the few dumb users who will press an SMS link that says "To install the free cryptographic software on your phone, use this link".
Clicking a link on an unsolicited message and especially one that contains the words "Install" and "Free" means you should not own a smartphone, and probably neither a PC with a browser or email client.
In the end all that hard work from fraudsters gave them access to the money of people who are just a bit smarter than those who respond to the "You won the Spanish Lottery" or "I am the son of the late King of Zembla and have eleventy billion USD to deposit to your account".
I would be interested to find out if this scheme was more or less successful than the more common and much simpler "Click here to log on to your bank website and confirm your details" fake bank login scam. But I doubt the people who have the statistics on click-through rates etc of those methods would be interested in writing a paper...

Re:Dumb users (1)

CBravo (35450) | about a year ago | (#42208591)

It is not sophisticated, it is methodological. This stuff has been possible for ages and the smartphone part is not a necessary vector but just another one.

The problem is that your bank-verificator does not include all transaction-critical data (all amounts, all bankaccounts) when signing a transaction. Until then a man in the middle attack is possible. Never trust your computer.

Re:Dumb users (1)

hraponssi (1939850) | about a year ago | (#42211109)

I might qualify for this stupid (dumb user), although I tend to be more paranoid than the average person. My bank does not use this type of stuff but I guess that is not the point. I can see how someone might be "dumb enough".

As far as I understood, you need to log in to your online banking through your PC. There you get the question asking for your mobile phone number etc. This is inside your standard banking application you just logged in to and have learned to trust. Now, after giving your phone number inside your trusted banking app, you get the link sent to your phone to install the mobile trojan. And this appear to come from your trusted banking app as mentioned, which told you it will send you a link for a new security software.

So, why not, seems like a nice piece of poopoo to mess myself with. Not like the usual "There is problem with your Diablo III account, please click this Chinese link even if you never played Diablo III". Of course, if the link in the SMS points to some Ukrainian server, I might get a bit more suspicious. But if you already managed to get all these pieces correct and are aiming to profit 36M, maybe you would host the trojan at least somewhere a bit more reasonable looking part of some hired botnet.

Re:Dumb users (1)

darthflo (1095225) | about a year ago | (#42214417)

Not that dumb, actually:

Before even considering their cell phones, victims' computers are infected (by way of a drive-by exploit kit, e.g. Blackhole) with a variant of the ZeuS trojan. Upon their next log in at their e-banking site, ZeuS injects HTML and JavaScript into their browser. In this case, it'll inject a prompt for the victim's phone number and operating system. Since that prompt is shown within the (trusted) e-banking application, green address bar and all, it may look somewhat legitimate.

Only after entering their cell details, users will get an SMS directing them to a ZeuS mobile package. That text was solicited (seconds before, by the user themselves), though, and the banking app actually prompts for a confirmation code that'll only be displayed if the user installs said app.

All in all some naiveté is required, but to me, the whole setup is insidious and intricate enough not to ring any alarm bells in your average user.

Check Points (0)

Anonymous Coward | about a year ago | (#42204461)

Although it's nice of Checkpoint to point this grand theft of colossal proportions out, did they catch the bastards? It's irrelevant to point out the details of how increasingly null banking security is and not post the really juicy details of how the governments of citizens who were duped tied these thieves up to a pole and got down and very funky. Where's the rest of the story?

Crypto challenge using amount and bank account (1)

Anonymous Coward | about a year ago | (#42205045)

Belgium doesn't seem to appear on the list: we're quite a small country but at least our banks seem to take security a bit more seriously.

Here you MUST enter both the amount and the bank account number of the recipient as part of a cryptographic challenge: you need a special device (every customer gets one and they're all identical) into which you put your bank card and enter your PIN a first time.

If you're wiring to a new account (one you never wired any money to) or if you're wiring an important sum (even if it's to one account you already wired amount to), then you MUST enter both the exact amount, press OK and then enter part of the account you're wiring to.

You fail to do that and there's no transfer.

There's no way around that: you have to either steal both the bank card and know the PIN and know the user identification string (e.g. "e0391829") *OR* use social-engineering to manage to steal money.

Now the scary thing: you can wire up to about 125 000 Euros using your online bank account... So for a lot of people should they fall for social-engineering or should they have their card + PIN + user identification number stolen before they can warn the bank, it means their lifetime savings can be stolen.

Quite scary.

I feel much more confident having a safe at the bank full of physical gold and leaving only what's needed to pay for normal expenses on my account ; )

Besides that gold did quite fine since 2001 ; )
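Added example, not part of the thread: a sketch of the transaction-bound challenge described in the comment above and asked for in CBravo's earlier comment, where the code the customer types in is computed over the amount and recipient account, so an order altered in the browser no longer verifies. It uses HMAC-SHA256 with HOTP-style truncation as a stand-in, not the algorithm real bank card readers implement; every function name, the key handling and the account strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def _digits(mac, n=8):
    """HOTP-style dynamic truncation of a MAC to an n-digit code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** n).zfill(n)


def canonical(amount, account):
    """Encode amount and account identically on the device and at the bank."""
    cents = int(Decimal(amount).quantize(Decimal("0.01")) * 100)
    return f"{cents}|{''.join(account.split()).upper()}".encode()


def session_code(card_key, challenge):
    """Code proving possession of the card only; it says nothing about the order."""
    return _digits(hmac.new(card_key, challenge, hashlib.sha256).digest())


def transaction_code(card_key, challenge, amount, account):
    """Code over the challenge plus the amount and recipient the user keyed in."""
    msg = challenge + b"|" + canonical(amount, account)
    return _digits(hmac.new(card_key, msg, hashlib.sha256).digest())


def bank_accepts(card_key, challenge, order, code, bound):
    """Bank side: recompute the code for the order it actually received."""
    if bound:
        expected = transaction_code(
            card_key, challenge, order["amount"], order["account"])
    else:
        expected = session_code(card_key, challenge)
    return hmac.compare_digest(expected, code)


def simulate(card_key=None, challenge=None):
    """Compare an unbound code with a transaction-bound one when the order
    reaching the bank differs from what the customer meant to send."""
    card_key = card_key or secrets.token_bytes(32)
    challenge = challenge or secrets.token_hex(4).encode()
    # Constructed sample orders (the account strings are not real accounts).
    intended = {"amount": "120.00", "account": "BE00 0000 0000 0001"}
    altered = {"amount": "9500.00", "account": "XX00 0000 0000 0002"}

    # The customer keys what they intend into the offline card reader;
    # the reader never sees what the browser actually submitted.
    otp = session_code(card_key, challenge)
    signed = transaction_code(
        card_key, challenge, intended["amount"], intended["account"])

    return {
        "unbound_code_accepts_altered_order":
            bank_accepts(card_key, challenge, altered, otp, bound=False),
        "bound_code_accepts_altered_order":
            bank_accepts(card_key, challenge, altered, signed, bound=True),
        "bound_code_accepts_intended_order":
            bank_accepts(card_key, challenge, intended, signed, bound=True),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The binding only protects the customer if the amount and account are entered on, or displayed by, a device the compromised PC cannot influence, which is the role the separate card reader plays in the comment.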

Holland? (0)

Anonymous Coward | about a year ago | (#42205301)

People still use Holland to refer to the Netherlands (Nederland)? Just asking.

To me, Holland refers to the provinces of North and South Holland (Noord-Holland and Zuid-Holland) in the Netherlands. ok, bye

so will someone please tell me (1)

ozduo (2043408) | about a year ago | (#42208607)

where I can put my money that's completely safe. Oh and before you bum fetishes tell me where to stick it my roll is too big to fit in there.

No electronic access option (1)

Myria (562655) | about a year ago | (#42210455)

I wish that there were a way to tell your bank that all electronic access is to be essentially read-only. I would like to make my bank login only allow viewing account balances and transferring money among that bank's accounts, and not even allowing seeing a full account number. For anything else, I can go into a physical branch.

Such a scheme would reduce attacks to someone annoying me by emptying my checking account into my savings account, causing overdrafts. A lot better than someone stealing my money.

Using a bank to store your money really ought to be more secure than putting cash under your mattress. It kind of sucks that it's gotten to this.

Eurograbber infects online customers? (1)

dgharmon (2564621) | about a year ago | (#42212029)

How does this 'eurograbber' infect the online customers in the first place?

Insert free advert for Check Point and Versafe .. (0)

Anonymous Coward | about a year ago | (#42212167)

"The multi-staged attack infected the computers and mobile devices of online banking customers and once the Eurograbber Trojans were installed on both devices, the bank customers' online banking sessions were completely monitored and manipulated by the attackers. Even the two-factor authentication mechanism used by the banks to ensure the security of online banking transactions was circumvented in the attack and actually used by the attackers to authenticate their illicit financial transfer. Further, the Trojan used to attack mobile devices was developed for both the Blackberry and Android platforms in order to facilitate a wide "target market" and as such was able to infect both corporate and private banking users and illicitly transfer funds out of customers' accounts in amounts ranging from 500 to 250,00 Euros each.

This case study dissects the attack and provides a step-by-step walkthrough of how the full attack transpired from the initial infection through to the illicit financial transfer. The case study closes with an overview of how individuals can protect themselves against the Eurograbber attack, including specific insight to how Check Point products and Versafe products protect against this attack." link [checkpoint.com]

Re:Eurograbber infects online customers? (0)

Anonymous Coward | about a year ago | (#42214363)

> How does this 'eurograbber' infect the online customers in the first place?

On the Windows PC side: either drive-by downloads from infected webservers or malicious web links / file attachments in phishing e-mails. (Probably spear-phishing targeted at the private banking customers with big bucks in their account, since the littlest the hackers stole was 500 euros and the largest was 250k euros).

Maybe they bribed people at banks to give them a list of e-mails for big bucks private banking customers.

What raises a red flag... (1)

knorthern knight (513660) | about a year ago | (#42213095)

...is WTF the bank app would need to install *ANYTHING* on their phone. SMS is supposed to work on my "dumb" Nokia 6015i http://www.cellphones.ca/cell-phones/nokia-6015i/ [cellphones.ca] I can't install stuff on it. The whole point of SMS authentication is that you use a separate device (cellphone) to authenticate a transaction entered on your PC. Of course, the people who do their banking via mobile phone apps have zilch security.
