
Eurograbber Attack

posted Dec 6, 2012, 7:53 AM by Beau Bullock   [ updated Dec 6, 2012, 7:55 AM ]
An interesting attack called Eurograbber stole 30 million Euros from 30,000 customers of 30 banks in Italy, Spain, Germany, and Holland.
"The attack involved 10 stages, starting with an initial infection by a modified version of Zeus:
  • Users’ PCs become infected by a modified Zeus trojan by accidentally visiting an infected web page, or following a link from a phishing email. This opened the door for the attack.
  • Users visit their bank’s webpage and log in to their account to make a transaction.
  • The modified Zeus trojan injects malicious code into the bank webpage, including a request for users to enter their mobile information, including its number and operating system.
  • This information is sent over the Internet to the attacker's “drop zone” system where it is stored.
  • The attacker's server sends an SMS message to the user's mobile device that includes a link to the mobile device-targeting trojan, a version of Zitmo (Zeus in the mobile).
  • Users are directed to click on a link in the SMS to ‘upgrade the security of the online banking system’. This installs the mobile Trojan on the mobile device and completes the system.
  • Now, every time the user logs into their bank account, the Trojan initiates an automatic transaction to transfer money out of the victim’s account using their real credentials.
  • To complete the transaction, an SMS message containing the TAN is sent to the victim's mobile device, and the mobile Trojan delivers the TAN to the attacker's server.
  • The customized Zeus Trojan JavaScript running on the victim's computer receives the TAN.
  • The Eurograbber attack is complete and the attackers transfer money out of a victim’s account."
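
A bank-side heuristic for the automated transfer described in the seventh through ninth stages, as an added example that is not part of the original post or the quoted report: it flags sessions where a transfer to a new payee starts seconds after login, or where the TAN comes back faster than a person could read and type it. The event names, log layout and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real bank data): (timestamp, session, event, detail)
EVENTS = [
    ("2012-12-06T09:00:00", "s1", "login", ""),
    ("2012-12-06T09:00:04", "s1", "transfer_init", "new_payee"),
    ("2012-12-06T09:00:09", "s1", "tan_submit", ""),
    ("2012-12-06T10:00:00", "s2", "login", ""),
    ("2012-12-06T10:03:10", "s2", "transfer_init", "known_payee"),
    ("2012-12-06T10:04:02", "s2", "tan_submit", ""),
    ("2012-12-06T11:00:00", "s3", "login", ""),
    ("2012-12-06T11:00:03", "s3", "transfer_init", "new_payee"),
]

# Assumed thresholds; tune them against real session timing before use.
MAX_LOGIN_TO_TRANSFER = timedelta(seconds=10)
MIN_HUMAN_TAN_ENTRY = timedelta(seconds=15)


def flag_sessions(events):
    """Return {session_id: [reasons]} for sessions that look script-driven."""
    state, flagged = {}, {}
    # ISO-8601 timestamps sort correctly as strings, so sorted() orders by time.
    for ts, sid, event, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        s = state.setdefault(sid, {})
        if event == "login":
            s["login"] = t
        elif event == "transfer_init" and "login" in s:
            s["transfer"] = t
            if detail == "new_payee" and t - s["login"] <= MAX_LOGIN_TO_TRANSFER:
                flagged.setdefault(sid, []).append("new-payee transfer right after login")
        elif event == "tan_submit" and "transfer" in s:
            if t - s["transfer"] < MIN_HUMAN_TAN_ENTRY:
                flagged.setdefault(sid, []).append("TAN submitted faster than manual entry")
    return flagged


if __name__ == "__main__":
    for sid, reasons in flag_sessions(EVENTS).items():
        print(sid, "->", "; ".join(reasons))
```

Timing alone is a weak signal, so a flag like this is best used to hold the transfer for out-of-band confirmation rather than to block it outright.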