How the Eurograbber Attack Stole 36M Euros

Orome1 writes "Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers (PDF). The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."

SMS for Security

[Anonymous Coward]

whoever thought that was a good idea deserves a special hell.

sure, lets rely on the most stolen personal object as a security measure, what could possibly go wrong?

Re:

[gagol]

I definitely work in the wrong field...

Re:

[ByOhTek]

You've obviously never dealt with banks.

They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.

Re:

[Dr. Hok]

You've obviously never dealt with banks.

They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.

You're overgeneralizing. This never ever happened to me. There are obviously different banks out there. Whenever any bank sends me an email, they mention my name, nothing else. Not even the account number. They don't even send me the URL of their secure web site. It would look suspicious (to me, at least) if they did.

Any sensitive stuff comes either by snail mail (like TANs; this is apparently where other banks save money), or I download it actively from their site.

Re:

[ByOhTek]

Try getting a mortgage.

I dealt with several major banks here in the US, and ALL of them figured that this was a "good idea".

Re:

[RaceProUK]

in the US

<jamiewyneman>There's yer problem!</jamiewyneman>

Most UK banks tend to have halfway-sane privacy procedures.

Re:

[Specter]

Boy is this the truth. My mortgage banker (and her company) were so ignorant of the risks of what they were doing that they couldn't comprehend why I was being such a difficult customer. I offered to come in and do some 'pro bono' security consulting for them after the deal closed but they had no interest.

Don't hold your breath expecting changes anytime soon either. After talking to quite a few people in the industry I'm learning that 99.999% of their customers just don't care. They (sign and) send what

Re:

[Paradise Pete]

You're overgeneralizing. This never ever happened to me.

You're undergeneralizing.

Hardly anyone gets security

[dbIII]

I had some HR idiot in an ecommerce company working with banks send me a password protected zip file with the password included in the email, and apparently he'd been doing that every day in the name of "security" for years.
If it's not obvious, the above is actually no more secure than emailing the unencrypted document (since you effectively get that in a single message only with a bit of time to waste at both ends), and far less so if the person reuses passwords.

Re:

[CBravo]

I've seen that method used so that company firewalls don't inspect and delete documents inside the zipfile. Maybe he just never understood the reasoning of it.

Re:

[dbIII]

Seems like cargo cult bullshit to me though especially since it was a few years before mail filters were scanning zipfiles. It looks like he'd seen somebody with a clue zip something up with a password some time but managed to completely avoid getting the entire point. He said it was done that way in case the email was sent to the wrong person, completely ignoring that the wrong person would have the password as well! The make things worse he'd called me to tell me that he was sending the email and he co

Re:

[rioki]

That is what the zop extension is used for. You want to send a colleague a file with a exe or dll and the corporate filter denies it... Well zip it and rename the zip to zop. That way the filter will not look into the file.

1999 called and said have a filter that works

[dbIII]

That will only work with very poorly implemented filters. Of course a well implemented filter wouldn't block a legitimate executable file in a zip anyway unless that's the policy of the people at the site. If it is, get it changed instead of fucking about trying to hide stuff from broken mail filtering software.

I really don't understand why some software vendors think they can trust criminals to nicely use standard file extensions, and also why they are locking out one of the most useful formats for tran

Re:

[AleX122]

The theft was not possible due to most stolen personal object. Ordinary thief will not benefit anything for having your phone, unless you keep your bank password in the phone. In this scenario the phones were not stolen but compromised.

Re:

[gagol]

We are talking about an industry too big to fail... it does not matter if, and how badly, they screw up and mismanage. Even worse, you practically cannot exist if you are not a customer of banks...

Re:

[gagol]

Yes, i forgot the sarcasm tags... Please repeat those words to your congressman.

Re:

[Anonymous Coward]

Someone stealign your phone would still need login and password info to the bank.

The sms security is actually quite a good idea which is both secure and convenient, and things usually don't go wrong.

If you read the article maybe you'd know that the problem was users getting duped into both installing a trojan on their phone and computer.

Re:SMS for Security

[Donwulff]

Unless the thief gets both the phone and online-banking user-id, password and single-use key-lists the phone won't help them any. Unless the implementation in question is severely broken, the phone/SMS acts only as an extra factor in authentication. How it works for me for example is I log on the online banking site, authenticate with extra-long user-id (which in itself acts as a password), a pin I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling to enter n:th number on my keylist on the online banking site.

Now I'm no fan of the SMS-authentication, mostly because it makes things too slow, but one has to admit it increases security. Only way I am screwed is if I keep my user-id, password, key-list and phone at the same place, and then I would be screwed whether there were SMS authetication or not.

Of course, it's already possible to buy all kinds of services and rake up phone-bills with a mobile phone, so it's a bad idea to lose one either way. Not too long some thief stole a mobile phone, used it to buy every bottle in a soft-drink vending machine, poured the bottles empty and returned the empty bottles for bottle recycling fee. He sure didn't make a lot by hour, but the point is there already exist actual security issues with SMS that have nothing to do with banks.

Re:

[AtomicJake]

How it works for me for example is I log on the online banking site, authenticate with extra-long user-id (which in itself acts as a password), a pin I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling to enter n:th number on my keylist on the online banking site.

This is indeed secure - but a static predistributed key-list is a major pain. You always need to have access to it, before you can do anything. So, you can do Internet banking, but only from home (or where you store your key-list).

Re:

[rioki]

I like my TAN list. The reason why I like it, is that it is a physical token that gets snail-mailed to me, in a tear up envelope, in a standard issue mail envelope. Sure someone could duplicate that before I get it, but that puts it into the realm of spy agencies and not petty internet criminals. Now if I can be reasonably sure that the system I am working on is safe, the TAN method works fine. The TANs are numbered and so at best they can steal one TAN with a trojan and divert one transaction in a man in t

Re:

[1s44c]

whoever thought that was a good idea deserves a special hell.

It's not a good idea, but it's still an improvement over letting users choose their own passwords.

Giving the users something better like a OTP dongle or a challenge response system that uses their bank cards is expensive and users won't understand it.

Re:

[ccguy]

whoever thought that was a good idea deserves a special hell.

sure, lets rely on the most stolen personal object as a security measure, what could possibly go wrong?

Well, the problem here is not that it's stolen, it's that the phones are being compromised.

SMS for security was a great idea when the phones where dumb.

And to reply to your point, while it's true that phones are often stolen the fact is also immediately noticed so the SIM cards are cancelled and replaced. Compare that to for example one of those cards with a grids of number (please enter number E4...). If I took one from your wallet (and nothing else) you probably wouldn't notice until it was too late.

Re:

[rioki]

Having a non IT device in the securing process makes it more secure, since they need physical access. Even if you grab my TAN pad, you need the other bits of information. It also makes the attack way more difficult, with IT systems someone can rob a bunch of people from his comfy chair in basmentistan, with a physical token, he needs to actually go where the people live and rip them off. But if he is doing that, it is easier to take all my cash (mug on the street) or my PC and flat screen TV (rob my house).

Re:

[shipofgold]

Actually this is a pretty good way to do two factor authentication. In theory, you need possession of the login credentials as well as possession of the phone to do the transaction.

RSA SecureID with the "number that changes once a minute" is another two factor authentication system that is in wide use, and if I understand the attack vector would be just as easy to compromise with a trojan in the PC. Just have the Banks WWW site ask for the securID token for some innocuous thing (sync the securID for examp

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Donwulff]

I have to wonder where you're living that you consider Europe high-crime. In particular, US comes always near top on any crime rate surveys. Specifically, with the exception of Belgium and Spain the rest of the Europe is virtually safe: http://www.civitas.org.uk/crime/crime_stats_oecdjan2012.pdf Certainly it's also true a small town will be safer than a big city anywhere on this account.

More than that I'm wondering what's your point with the cheap phone. It won't help any if your phone gets stolen. I suppos

Re:

[rioki]

I have never been mugged in Paris, Barcelona or Rome... can't say for the others, was never there. But I am of the conviction that people that get mugged have it coming for them. Not acting like a total tourist might also help. Not waving that expensive phone around might also help. Although getting a dumb phone might be an extreme measure, but probably by simple fact of having a dumb phone will reduce the chance of getting ripped off.

Separate Channel

[kirjoittaessani]

Actually, using your mobile phone to authenticate a transaction used to be a good idea -- back when phones (and SMS/texting) provided a separate communication channel from the internet, so even if your computer was compromised, you had the chance notice something was amiss. With today's smartphones, there is no real separation anymore, because an attacker just needs to compromise texting and banking apps (or the web browser) on the phone; or on the desktop and the phone, but that is easy because the phone i

RSA Security tokens compromised

[Anonymous Coward]

Sadly the earlier second token system was compromised by some damn carelessness at RSA:

http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/

Re:

[Teun]

It's not just banks with tokens that don't 'get it' regarding security.
Some 2 months ago Danish Jyskebank had their authentication system breached by means of a Java vulnerability so for a weekend they shut down their system for updates.
When they came back up you only noticed the log-in applet was not showing, it required a call to the bank to be told you needed to update to the latest version of Java.

Then after log in they show links to documents explaining the changes, in Adobe pdf and Flash...

Also no

Re:

[GNious]

I was offered 2 online-banking systems while I still lived in DK.
Both turned out to use known-flawed Java 1.1 (or 1.2?) security routines.

When I asked the banks, I was told "We know nothing about this computer thing, try our provider" (scary)
When I asked one of the provider, I was told that, yes, they know it is flawed, but if they use anything more secure it will be too much work for people to log in (hint: Windows, at the time, came with the flawed version of Java).

Since then I've flat-out refused to use

Just look at the "paper" trail

[rs1n]

Even if they did manage to get the money out, it all had to go somewhere. Why is it not as simple as looking up where the money went and going from there to determine the culprit? Am I missing something obvious?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[G3E9]

Could 36M in prepaid debit gift cards.

Re:

[Anonymous Coward]

You are missing the obvious "fiscal paradise" (not confuse with corporate havens, thought closely related) part of any good big moneytaking. Transfers to places like Cayman Islands means they won't get the name of the owner.

For who doesn't know what I'm talking about, check wikipedia artcle on Offshore bank.

Re:

[Kam Solusar]

Usually, the money is transferred to accounts in eastern Europe opened with stolen or fake identities. The thieves then just withdraw the money in cash, making it pretty hard to track them down.

Is the compromised PC necessary?

[140Mandak262Jamuna]

From what I could understand from the article, it starts with a compromised PC. The virus, sits there, biding its time, not taking any other malicious actions. May be a key stroke logger but does not phone home yet.

When the user visits a banking website, it probably has the username, password, bank url from the key logging. It adds javascript to the web page dished out by the bank asking for the mobile device number. But this javascript phones home dumping the info to the attacker.

Then the attacker sends in a trojan to the mobile device. User installs a trojan in the mobile device. Technically mobile device is not hacked. User is tricked into installing a software. At this point there is no security left. The attacker can do anything.

Now, the attacker can just the trojan to the mobile device directly, but it would be difficult to persuade the user to install it. All the compromised PC is doing is, giving account numbers, and details about last few transactions etc to make it look authentic. But if such info is available from other sources, or if not all that much is needed to persuade the user to install that trojan, it is game over. The key to the whole thing is sneaking the trojan past without arousing suspicion of the user into the mobile device.

Re:

[fa2k]

They need the user ID and password from the PC. They only need this once, though, as it doesn't change.

There are mobile apps for banking that only require a password (sometimes limited to a numeric code, gah!), but those are often limited in their functionality, for any sane bank

Dumb users

[Ecuador]

I RTFA and while the whole system is quite sophisticated with keylogging trojans etc, in the end it works on the few dumb users who will press an SMS link that says "To install the free cryptographic software on your phone, use this link".
Clicking a link on an unsolicited message and especially one that contains the words "Install" and "Free" means you should not own a smartphone, and probably neither a PC with a browser or email client.
In the end all that hard work from fraudsters gave them access to the m

Re:

[CBravo]

It is not sophisticated, it is methodological. This stuff has been possible for ages and the smartphone part is not a necessary vector but just another one.

The problem is that your bank-verificator does not include all transaction-critical data (all amounts, all bankaccounts) when signing a transaction. Until then a man in the middle attack is possible. Never trust your computer.

Re:

[hraponssi]

I might qualify for this stupid (dumb user), although I tend to be more paranoid than the average person. My bank does not use this type of stuff but I guess that is not the point. I can see how someone might be "dumb enough".

As far as I understood, you need to log in to your online banking through your PC. There you get the question asking for your mobile phone number etc. This is inside your standard banking application you just logged in to and have learned to trust. Now, after giving your phone number i

Re:

[darthflo]

Not that dumb, actually:

Before even considering their cell phones, victims' computers are infected (by way of a drive-by exploit kit, e.g. Blackhole) with a variant of the ZeuS trojan. Upon their next log in at their e-banking site, ZeuS injects HTML and JavaScript into their browser. In this case, it'll inject a prompt for the victim's phone number and operating system. Since that prompt is shown within the (trusted) e-banking application, green address bar and all, it may look somewhat legitimate.

Only aft

Crypto challenge using amount and bank account

[Anonymous Coward]

Belgium doesn't seem to appear on the list: we're quite a small country but at least our banks seems to take security a bit more seriously.

Here you MUST enter both the amount and the bank account number of the recipient as part of a cryptographic challenge: you need a special device (every customer gets one and they're all identical) into which you put your bank card and enter your PIN a first time.

If you're wiring to a new account (one you never wired any money too) or if you're wiring an important sum (ev

No electronic access option

[Myria]

I wish that there were a way to tell your bank that all electronic access is to be essentially read-only. I would like to make my bank login only allow viewing account balances and transferring money among that bank's accounts, and not even allowing seeing a full account number. For anything else, I can go into a physical branch.

Such a scheme would reduce attacks to someone annoying me by emptying my checking account into my savings account, causing overdrafts. A lot better than someone stealing my money

Eurograbber infects online customers?

[dgharmon]

How does this 'eurograbber' infect the online customers in the first place?

What raises a red flag...

[knorthern knight]

...is WTF the bank app would need to install *ANYTHING* on their phone. SMS is supposed to work on my "dumb" Nokia 6015i http://www.cellphones.ca/cell-phones/nokia-6015i/ [cellphones.ca] I can't install stuff on it. The whole point of SMS autentication is that you use a separate device (cellphone) to authenticate a transaction entered on your PC. Of course, the people who do their banking via mobile phone apps have zilch security.

Why work?

[PacRim Jim]

Beats working.