‘Eurograbber’ banking Trojan

Draining accounts via mobile devices

By Robert E. Holtfreter, Ph.D., CFE, CICA

Taking Back the ID: Identity theft prevention analysis


Fritzy Duke is a young attorney who recently graduated at the top of her class and began working at a prestigious law firm in England. She is tech savvy and has downloaded apps for her new smartphone, including one that allows her to bank online. Though she knows the dangers of the Internet, she was shocked when she recently discovered a fraudulent withdrawal from her bank account. Her bank told her she probably was victimized by a phishing scheme.

This case is fictional, but it illustrates a new online banking scam, named “Eurograbber” by the security companies Check Point Software Technologies and Versafe, according to Ellen Messmer in her Dec. 5, 2012, article, “ ‘Eurograbber’ online banking scam netted $47 million” on the NetworkWorld website.

Messmer reported that cyber criminals using the Eurograbber online banking scam gained access to individual and commercial accounts at about 30 banks in European countries including Italy, Germany, Holland and Spain during 2012. Her sources estimate that nearly 30,000 European online banking customers have been scammed out of about €36 million or US$47 million. The amounts extracted from victim accounts ranged from €500 to €250,000.

Wake up, everyone! The potentially huge scam could be coming your way in 2013. 

European financial institutions became aware of this cyber-criminal activity after victimized customers reported fraudulent withdrawals from their compromised mobile devices, laptops and PCs. Fraudsters tricked victims into downloading Eurograbber — a variation of another well-known Trojan, Zeus — onto their PCs and mobile devices. Once downloaded in a malware scam, a typical Zeus Trojan gains control of users’ computers, hijacks online banking sessions and transfers money out of their bank accounts. In essence, it launches a classic “man-in-the-middle” attack against banking sites. However, cyber criminals can only pull off the Eurograbber scam if a victim’s mobile device also is infected with a slightly different version of the Eurograbber Trojan that infected the PC. (I’ll explain later how these two versions work together.)

Zeus, first discovered in July 2007, normally works on computers using Microsoft Windows operating systems and, since 2012, on Blackberry and Android phones. Cyber criminals typically infect computers with Trojan malware via phishing schemes or during Internet browsing sessions. It doesn’t take a rocket scientist to figure out why the Eurograbber scam has emerged; it has simply and easily followed the tracks of other Zeus malware scams that have infected millions of Windows users over the years and more recently, Android users. John E. Dunn reinforces this in his Dec. 14, 2012, article on the Techworld website, “ ‘Eurograbber’ SMS attack shows Android’s vulnerability.” “Today, Windows + Android just isn’t good news,” Dunn wrote. “Any Windows user who happened to use an iPhone or Windows Phone would have been unaffected by Eurograbber because Apple and Microsoft don’t allow third-party downloads. But, the attackers noticed, Google does.”

Fraudsters have been successful in exploiting bank accounts with Zeus Trojans because, when security experts shut down a version, cyber criminals come back with many more; thousands of variants of Zeus have appeared in financial scams since 2007.

Messmer, in her NetworkWorld article, wrote that Darrell Burkey, director of IPS products at Check Point, partnered with Israeli-based Versafe to investigate the Eurograbber problem. During their investigation they found that Android, BlackBerry and Symbian devices were infected with the Eurograbber Trojan, as were “jailbroken” iPhones in which the Apple iOS security controls have been disabled. The companies believed the scam originated in the Ukraine — as do many others.

“The sophistication of the attack, rather than the Trojan itself, is what’s most concerning,” says Burkey in a Dec. 17, 2012, Bank Info Security article, “Eurograbber: A Smart Trojan Attack,” by Tracy Kitten. “The attack, which specifically targeted dual-factor authentication that relies on the texting of one-time passcodes to mobile devices, proves hackers behind the attack had an in-depth understanding of how online-banking systems work.” 

The cyber criminals first attack a user’s computer and embed a Eurograbber Trojan via their control center and server. Then, to circumvent the bank’s dual-factor authentication system for securing online banking transactions (username and password), they infect the user’s mobile device with another Eurograbber Trojan that intercepts short message service (SMS) messages from the bank and implements the scam. The end result: Funds are drained from the user’s bank account.

This scam represents the first major setback for the dual-factor authentication system, which many thought to be invulnerable. The system is still strong, but Eurograbber exposes an implementation weakness in its armor. Eurograbber hasn’t yet affected banks that have advanced multi-layered authentication systems.


The scam begins when a Eurograbber Trojan is downloaded on the victim’s computer, which can happen, for example, when the user clicks on a malicious link in a phishing scam. The malware then lies in wait to ambush the victim’s banking credentials when he or she initiates an online banking session. 

The background for an online banking session is rather simple. According to Dunn in the Techworld article, “The principle of SMS security [for online banking transactions] is sound enough. The user logs on [to his bank account] as normal using a user name and password but can’t access [his] account until the bank sends a verification PIN or password (called a Mobile Transaction Authentication Number, or mTAN)” to that customer’s mobile device. This important step confirms that the individual initiating the online bank session is indeed the bank account holder. 

Now that we’ve established the general background of the online banking session, let’s continue with the scam. “An attacker that has compromised the PC and keylogged the user’s credentials can’t know this second piece of data [the TAN] unless [he] can access the phone during the session,” wrote Dunn. The TAN is used to bridge the connection between the user’s PC and his mobile phone. Then, according to Burkey, in the Bank Info Security interview with Kitten, “that bank customer receives that number or password [TAN] via an SMS [from the bank] to their mobile device and then enters that number into their banking session to verify that the person requesting the bank transaction is the owner of the account.” 

We get the next steps of the scheme from the December 2012 Versafe/Check Point report, “A Case Study of Eurograbber,” by Eran Kalige, head of Versafe’s security operation center, and Burkey. Matthew Schwartz quotes from the report in his Dec. 5, 2012, article “Zeus Botnet Eurograbber Steals $47 Million” on the InformationWeek Security website. According to the report, “ ‘The Eurograbber Trojan [then] intercepts their banking session and injects a JavaScript into the customer’s banking page, [which] … informs the customer of the [new] ‘security upgrade’ [to improve the security of the online banking system] and instructs them [to go to their mobile phones where they will get instructions from their banks on how to complete them].’

“The security upgrade page,” Schwartz writes, “requests that the user indicate which mobile operating system their smartphone uses — Android, BlackBerry, iOS (iPhone), Symbian (Nokia) or other — as well as their mobile phone number. …


“A bogus confirmation SMS [supposedly from the bank] is then sent to the user’s smartphone [when he picks it up],” Schwartz writes. “ ‘The SMS directs the customer to complete the security upgrade by clicking on the attached link. Doing so downloads a file onto the customer’s mobile device with the appropriate mobile version of the Eurograbber Trojan [instead of the security upgrade],’ ” according to the report. As with any phishing scheme, we need to watch what we click, and, in this case, clicking on the link is bad news.
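The injected “security upgrade” form described above makes the page the browser renders differ from the page the bank served, and a defender can check for that difference. The following is an added example, not code from the article or the Check Point/Versafe report; the field names, the manifest of expected fields and both HTML samples are constructed assumptions.

```javascript
// Added example: compare a rendered banking page with what the server sent.
// EXPECTED_FIELDS, the lure wording and both HTML samples are constructed.
const EXPECTED_FIELDS = new Set(["username", "password", "csrf_token"]);

// Wording of the lure the article describes: a "security upgrade" asking
// for the phone's operating system and the mobile number.
const LURE_PATTERNS = [/security\s+upgrade/i, /mobile\s+(phone\s+)?number/i,
                       /operating\s+system/i];

// Collect the name attribute of every input/select/textarea in an HTML string.
function formFieldNames(html) {
  const names = [];
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  const nameRe = /(?:^|\s)name\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = nameRe.exec(m[2]);
    if (attr) names.push(attr[1] ?? attr[2] ?? attr[3]);
  }
  return names;
}

// Flag form fields the server never sent and lure wording in the visible text.
function auditRenderedPage(renderedHtml, expected = EXPECTED_FIELDS) {
  const unexpectedFields = formFieldNames(renderedHtml).filter(n => !expected.has(n));
  const visibleText = renderedHtml.replace(/<script[\s\S]*?<\/script>/gi, " ")
                                  .replace(/<[^>]+>/g, " ");
  const lureHits = LURE_PATTERNS.filter(re => re.test(visibleText)).map(re => re.source);
  return { unexpectedFields, lureHits,
           suspicious: unexpectedFields.length > 0 || lureHits.length > 0 };
}

// Constructed sample: the login form as the bank served it.
const SERVED_PAGE = `<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="x">
  <input type="text" name="username"><input type="password" name="password">
</form>`;

// Constructed sample: the same page after extra content was added in the browser.
const TAMPERED_PAGE = SERVED_PAGE + `
<div id="notice"><p>Security upgrade: to protect your account, choose your
  phone's operating system and enter your mobile number.</p>
  <select name="mobile_os"><option>Android</option><option>BlackBerry</option></select>
  <input type="tel" name="mobile_number"></div>`;

console.log(auditRenderedPage(TAMPERED_PAGE));
```

Malware running in the browser can also interfere with a check like this, so it is one detection signal to combine with others rather than a control on its own.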

