
How the Eurograbber Attack Stole 36M Euros

Posted by samzenpus
from the now-you-see-it-now-you-don't dept.
Orome1 writes "Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers (PDF). The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."

  • SMS for Security (Score:5, Interesting)

    by Anonymous Coward on Thursday December 06, 2012 @09:17AM (#42202747)

    whoever thought that was a good idea deserves a special hell.

    sure, let's rely on the most stolen personal object as a security measure, what could possibly go wrong?

    • by gagol (583737)
      I definitely work in the wrong field...
    • by ByOhTek (1181381)

      You've obviously never dealt with banks.

      They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.

      • by Dr. Hok (702268)

        You've obviously never dealt with banks.

        They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.

        You're overgeneralizing. This never ever happened to me. There are obviously different banks out there. Whenever any bank sends me an email, they mention my name, nothing else. Not even the account number. They don't even send me the URL of their secure web site. It would look suspicious (to me, at least) if they did.

        Any sensitive stuff comes either by snail mail (like TANs; this is apparently where other banks save money), or I download it actively from their site.

        • by ByOhTek (1181381)

          Try getting a mortgage.

          I dealt with several major banks here in the US, and ALL of them figured that this was a "good idea".

          • in the US

            <jamiewyneman>There's yer problem!</jamiewyneman>

            Most UK banks tend to have halfway-sane privacy procedures.

          • by Specter (11099)

            Boy is this the truth. My mortgage banker (and her company) were so ignorant of the risks of what they were doing that they couldn't comprehend why I was being such a difficult customer. I offered to come in and do some 'pro bono' security consulting for them after the deal closed but they had no interest.

            Don't hold your breath expecting changes anytime soon either. After talking to quite a few people in the industry I'm learning that 99.999% of their customers just don't care. They (sign and) send what

        • You're overgeneralizing. This never ever happened to me.

          You're undergeneralizing.

      • I had some HR idiot in an ecommerce company working with banks send me a password protected zip file with the password included in the email, and apparently he'd been doing that every day in the name of "security" for years.
        If it's not obvious, the above is actually no more secure than emailing the unencrypted document (since you effectively get that in a single message only with a bit of time to waste at both ends), and far less so if the person reuses passwords.
        • by CBravo (35450)
          I've seen that method used so that company firewalls don't inspect and delete documents inside the zipfile. Maybe he just never understood the reasoning of it.
          • by dbIII (701233)
            Seems like cargo cult bullshit to me though, especially since it was a few years before mail filters were scanning zipfiles. It looks like he'd seen somebody with a clue zip something up with a password some time but managed to completely avoid getting the entire point. He said it was done that way in case the email was sent to the wrong person, completely ignoring that the wrong person would have the password as well! To make things worse he'd called me to tell me that he was sending the email and he co
            • by rioki (1328185)
              That is what the zop extension is used for. You want to send a colleague a file with an exe or dll and the corporate filter denies it... Well, zip it and rename the zip to zop. That way the filter will not look into the file.
              • That will only work with very poorly implemented filters. Of course a well implemented filter wouldn't block a legitimate executable file in a zip anyway unless that's the policy of the people at the site. If it is, get it changed instead of fucking about trying to hide stuff from broken mail filtering software.

                I really don't understand why some software vendors think they can trust criminals to nicely use standard file extensions, and also why they are locking out one of the most useful formats for tran
    • by AleX122 (1657367)
      The theft was not possible due to the most stolen personal object. An ordinary thief will not benefit anything from having your phone, unless you keep your bank password in the phone. In this scenario the phones were not stolen but compromised.
    • by gagol (583737)
      We are talking about an industry too big to fail... it does not matter if, and how badly, they screw up and mismanage. Even worse, you practically cannot exist if you are not a customer of banks...
    • by Anonymous Coward

      Someone stealing your phone would still need login and password info to the bank.

      The sms security is actually quite a good idea which is both secure and convenient, and things usually don't go wrong.

      If you read the article maybe you'd know that the problem was users getting duped into both installing a trojan on their phone and computer.

    • Re:SMS for Security (Score:5, Interesting)

      by Donwulff (27374) on Thursday December 06, 2012 @10:10AM (#42203113)

      Unless the thief gets both the phone and the online-banking user-id, password and single-use key-lists, the phone won't help them any. Unless the implementation in question is severely broken, the phone/SMS acts only as an extra factor in authentication. How it works for me, for example, is I log on to the online banking site, authenticate with an extra-long user-id (which in itself acts as a password), a PIN I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling me to enter the n:th number on my key-list on the online banking site.

      Now I'm no fan of the SMS-authentication, mostly because it makes things too slow, but one has to admit it increases security. The only way I am screwed is if I keep my user-id, password, key-list and phone in the same place, and then I would be screwed whether there were SMS authentication or not.

      Of course, it's already possible to buy all kinds of services and rack up phone bills with a mobile phone, so it's a bad idea to lose one either way. Not too long ago some thief stole a mobile phone, used it to buy every bottle in a soft-drink vending machine, poured the bottles empty and returned the empty bottles for the bottle recycling fee. He sure didn't make a lot by the hour, but the point is there already exist actual security issues with SMS that have nothing to do with banks.

      • How it works for me, for example, is I log on to the online banking site, authenticate with an extra-long user-id (which in itself acts as a password), a PIN I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling me to enter the n:th number on my key-list on the online banking site.

        This is indeed secure - but a static predistributed key-list is a major pain. You always need to have access to it, before you can do anything. So, you can do Internet banking, but only from home (or where you store your key-list).

        • by rioki (1328185)
          I like my TAN list. The reason why I like it, is that it is a physical token that gets snail-mailed to me, in a tear up envelope, in a standard issue mail envelope. Sure someone could duplicate that before I get it, but that puts it into the realm of spy agencies and not petty internet criminals. Now if I can be reasonably sure that the system I am working on is safe, the TAN method works fine. The TANs are numbered and so at best they can steal one TAN with a trojan and divert one transaction in a man in t
    • by 1s44c (552956)

      whoever thought that was a good idea deserves a special hell.

      It's not a good idea, but it's still an improvement over letting users choose their own passwords.

      Giving the users something better like an OTP dongle or a challenge-response system that uses their bank cards is expensive and users won't understand it.

    • by ccguy (1116865)

      whoever thought that was a good idea deserves a special hell.

      sure, lets rely on the most stolen personal object as a security measure, what could possibly go wrong?

      Well, the problem here is not that it's stolen, it's that the phones are being compromised.

      SMS for security was a great idea when the phones were dumb.

      And to reply to your point, while it's true that phones are often stolen, the fact is also immediately noticed, so the SIM cards are cancelled and replaced. Compare that to, for example, one of those cards with a grid of numbers (please enter number E4...). If I took one from your wallet (and nothing else) you probably wouldn't notice until it was too late.

      • by rioki (1328185)
        Having a non-IT device in the securing process makes it more secure, since they need physical access. Even if you grab my TAN pad, you need the other bits of information. It also makes the attack way more difficult: with IT systems someone can rob a bunch of people from his comfy chair in basementistan; with a physical token, he needs to actually go where the people live and rip them off. But if he is doing that, it is easier to take all my cash (mug me on the street) or my PC and flat screen TV (rob my house).
    • Actually this is a pretty good way to do two factor authentication. In theory, you need possession of the login credentials as well as possession of the phone to do the transaction.

      RSA SecureID with the "number that changes once a minute" is another two factor authentication system that is in wide use, and if I understand the attack vector would be just as easy to compromise with a trojan in the PC. Just have the Banks WWW site ask for the securID token for some innocuous thing (sync the securID for examp

  • One way that's been recommended to stop crooks hacking the phone part, is to get the cheapest shittiest dumbphone you can find, get a cheap SIM, and use _that_ for two factor authentication.

    Here, low end dumbphones are so cheap, they're virtually disposable. When I travel to cities with high petty crime (e.g. many big European cities), I just use the cheap phone and leave the expensive smartphone at home. The worst that can happen, is that your female friends get a few weird phone calls until you cancel th

    • by Donwulff (27374)

      I have to wonder where you're living that you consider Europe high-crime. In particular, the US always comes near the top on any crime rate survey. Specifically, with the exception of Belgium and Spain, the rest of Europe is virtually safe: http://www.civitas.org.uk/crime/crime_stats_oecdjan2012.pdf Certainly it's also true a small town will be safer than a big city anywhere on this account.

      More than that I'm wondering what's your point with the cheap phone. It won't help any if your phone gets stolen. I suppos

  • Actually, using your mobile phone to authenticate a transaction used to be a good idea -- back when phones (and SMS/texting) provided a separate communication channel from the internet, so even if your computer was compromised, you had the chance to notice something was amiss. With today's smartphones, there is no real separation anymore, because an attacker just needs to compromise texting and banking apps (or the web browser) on the phone; or on the desktop and the phone, but that is easy because the phone i
    • by Anonymous Coward

      Sadly the earlier second token system was compromised by some damn carelessness at RSA:

      http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/

  • by rs1n (1867908) on Thursday December 06, 2012 @09:46AM (#42202923)
    Even if they did manage to get the money out, it all had to go somewhere. Why is it not as simple as looking up where the money went and going from there to determine the culprit? Am I missing something obvious?
    • Western Union.

    • by G3E9 (2740699)
      Could 36M in prepaid debit gift cards.
    • by Anonymous Coward

      You are missing the obvious "fiscal paradise" (not to be confused with corporate havens, though closely related) part of any good big moneytaking. Transfers to places like the Cayman Islands mean they won't get the name of the owner.

      For those who don't know what I'm talking about, check the Wikipedia article on Offshore bank.

    • Usually, the money is transferred to accounts in eastern Europe opened with stolen or fake identities. The thieves then just withdraw the money in cash, making it pretty hard to track them down.
  • by 140Mandak262Jamuna (970587) on Thursday December 06, 2012 @10:12AM (#42203123) Journal
    From what I could understand from the article, it starts with a compromised PC. The virus sits there, biding its time, not taking any other malicious actions. Maybe a keystroke logger, but it does not phone home yet.

    When the user visits a banking website, it probably has the username, password and bank URL from the key logging. It adds javascript to the web page dished out by the bank asking for the mobile device number. But this javascript phones home, dumping the info to the attacker.

    Then the attacker sends in a trojan to the mobile device. The user installs the trojan on the mobile device. Technically the mobile device is not hacked. The user is tricked into installing software. At this point there is no security left. The attacker can do anything.

    Now, the attacker could just send the trojan to the mobile device directly, but it would be difficult to persuade the user to install it. All the compromised PC is doing is giving account numbers, and details about the last few transactions etc., to make it look authentic. But if such info is available from other sources, or if not all that much is needed to persuade the user to install that trojan, it is game over. The key to the whole thing is sneaking the trojan onto the mobile device without arousing the suspicion of the user.

    • by fa2k (881632)

      They need the user ID and password from the PC. They only need this once, though, as it doesn't change.

      There are mobile apps for banking that only require a password (sometimes limited to a numeric code, gah!), but those are often limited in their functionality, for any sane bank

  • I RTFA and while the whole system is quite sophisticated with keylogging trojans etc, in the end it works on the few dumb users who will press an SMS link that says "To install the free cryptographic software on your phone, use this link".
    Clicking a link on an unsolicited message and especially one that contains the words "Install" and "Free" means you should not own a smartphone, and probably neither a PC with a browser or email client.
    In the end all that hard work from fraudsters gave them access to the m

    • by CBravo (35450)
      It is not sophisticated, it is methodological. This stuff has been possible for ages and the smartphone part is not a necessary vector but just another one.

      The problem is that your bank-verificator does not include all transaction-critical data (all amounts, all bankaccounts) when signing a transaction. Until then a man in the middle attack is possible. Never trust your computer.
    • I might qualify for this stupid (dumb user), although I tend to be more paranoid than the average person. My bank does not use this type of stuff but I guess that is not the point. I can see how someone might be "dumb enough".

      As far as I understood, you need to log in to your online banking through your PC. There you get the question asking for your mobile phone number etc. This is inside your standard banking application you just logged in to and have learned to trust. Now, after giving your phone number i

    • by darthflo (1095225)

      Not that dumb, actually:

      Before even considering their cell phones, victims' computers are infected (by way of a drive-by exploit kit, e.g. Blackhole) with a variant of the ZeuS trojan. Upon their next log in at their e-banking site, ZeuS injects HTML and JavaScript into their browser. In this case, it'll inject a prompt for the victim's phone number and operating system. Since that prompt is shown within the (trusted) e-banking application, green address bar and all, it may look somewhat legitimate.

      Only aft

  • Belgium doesn't seem to appear on the list: we're quite a small country but at least our banks seem to take security a bit more seriously.

    Here you MUST enter both the amount and the bank account number of the recipient as part of a cryptographic challenge: you need a special device (every customer gets one and they're all identical) into which you put your bank card and enter your PIN a first time.

    If you're wiring to a new account (one you never wired any money to) or if you're wiring an important sum (ev
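The two comments above (CBravo's point that the verifier must cover all transaction-critical data, and the Belgian reader-signs-amount-and-account scheme) describe the same property: a code that depends only on a key-list position can be relayed for any transfer a man-in-the-browser substitutes, whereas a code computed over the amount and destination can only authorize what the customer actually saw. The model below is an added illustration, not code from the article or from any bank; the shared secret, the IBANs and the HMAC-based code derivation are constructed for this example, and "MitB" here simply means the bank receives different transaction fields than the customer approved.

```python
"""Transaction-bound authentication codes vs. transaction-independent key-list codes.

Constructed model: a customer token and the bank share SECRET. A man-in-the-
browser on the PC rewrites the destination and amount after the customer has
approved the transfer on screen. The bank must decide whether the code it
receives authorizes the fields it received.
"""
import hashlib
import hmac

# Constructed secret for the example only; a real token holds its own key.
SECRET = b"constructed-shared-secret-not-a-real-key"

# Constructed transaction data (not real accounts).
INTENDED = (50_00, "DE00 0000 0000 0000 0000 01")       # 50.00 EUR to the intended payee
TAMPERED = (250_000_00, "ES00 0000 0000 0000 0000 99")  # what the MitB submits instead


def _truncate(digest: bytes) -> str:
    """Reduce a MAC to an 8-digit code a person can type (in the spirit of HOTP truncation)."""
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def transaction_code(secret: bytes, amount_cents: int, dest_iban: str) -> str:
    """What-you-see-is-what-you-sign: the code covers amount and destination account."""
    canonical = f"{amount_cents}|{dest_iban.replace(' ', '').upper()}".encode()
    return _truncate(hmac.new(secret, canonical, hashlib.sha256).digest())


def keylist_code(secret: bytes, index: int) -> str:
    """Indexed TAN / 'enter the n:th number': the code depends on the position only."""
    return _truncate(hmac.new(secret, str(index).encode(), hashlib.sha256).digest())


def bank_accepts_bound(secret: bytes, amount_cents: int, dest_iban: str, code: str) -> bool:
    """Bank recomputes the code over the fields it actually received."""
    return hmac.compare_digest(transaction_code(secret, amount_cents, dest_iban), code)


def bank_accepts_keylist(secret: bytes, index: int, code: str) -> bool:
    """Bank checks only that the n:th key-list entry matches; the transfer fields are not covered."""
    return hmac.compare_digest(keylist_code(secret, index), code)


def run_scenario(transaction_bound: bool) -> bool:
    """Return True if the bank executes the attacker-modified transfer.

    The customer approves INTENDED on the token; the MitB submits TAMPERED
    together with whatever code the customer typed.
    """
    if transaction_bound:
        typed = transaction_code(SECRET, *INTENDED)
        return bank_accepts_bound(SECRET, *TAMPERED, typed)
    # Key-list scheme: the prompt says "enter number 17", so the customer does.
    typed = keylist_code(SECRET, 17)
    return bank_accepts_keylist(SECRET, 17, typed)


if __name__ == "__main__":
    print("key-list code, tampered transfer executed:", run_scenario(False))
    print("transaction-bound code, tampered transfer executed:", run_scenario(True))
```

The design point is in `transaction_code`: because the destination account and amount are inputs to the MAC, a code the customer computed for the transfer they saw is simply not valid for the one the MitB submits, so the bank rejects it without needing to detect the infection at all. A key-list or SMS "enter number n" code has no such binding, which is why an attacker who controls the browser (or, as in the article, the phone) can reuse it.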

  • I wish that there were a way to tell your bank that all electronic access is to be essentially read-only. I would like to make my bank login only allow viewing account balances and transferring money among that bank's accounts, and not even allowing seeing a full account number. For anything else, I can go into a physical branch.

    Such a scheme would reduce attacks to someone annoying me by emptying my checking account into my savings account, causing overdrafts. A lot better than someone stealing my money

  • How does this 'eurograbber' infect the online customers in the first place?
  • ...is WTF the bank app would need to install *ANYTHING* on their phone. SMS is supposed to work on my "dumb" Nokia 6015i http://www.cellphones.ca/cell-phones/nokia-6015i/ [cellphones.ca] I can't install stuff on it. The whole point of SMS authentication is that you use a separate device (cellphone) to authenticate a transaction entered on your PC. Of course, the people who do their banking via mobile phone apps have zilch security.

  • Beats working.
