"The attack involved 10 stages, starting with an initial infection by a modified version of Zeus:

• Users’ PCs become infected by a modified Zeus trojan by accidentally visiting an infected web page, or following a link from a phishing email. This opened the door for the attack.
• Users visit their bank’s webpage and log in to their account to make a transaction.
• The modified Zeus trojan injects malicious code into the bank webpage, including a request for users to enter their mobile information, including its number and operating system.
• This information is sent over the Internet to the attacker's “drop zone” system where it is stored.
• The attacker's server sends an SMS message to the user's mobile device that includes a link to the mobile device-targeting trojan, a version of Zitmo (Zeus in the mobile).
• Users are directed to click on a link in the SMS to ‘upgrade the security of the online banking system’. This installs the mobile Trojan on the mobile device and completes the system.
• Now, every time the user logs into their bank account, the Trojan initiates an automatic transaction to transfer money out of the victim’s account using their real credentials.
• To complete the transaction, an SMS message containing the TAN is sent to the victim's mobile device, and the mobile Trojan delivers the TAN to the attacker's server.
• The customized Zeus Trojan Javascript running on the victim's computer receives the TAN.
• The Eurograbber attack is complete and the attackers transfer money out of a victim’s account."