Under the guise of upgrading the online banking software, victims were duped into giving additional information including their mobile phone number, infecting the mobile device. The mobile Trojan worked on both Blackberry and Android devices, giving attackers a wider reach.
With victims’ PCs and mobile devices compromised, the attackers could intercept and hijack all the victims’ banking transactions, including the key to completing the transaction: the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully.
The attack infected both corporate and private banking users, performing automatic transfers that varied from 500€ to 250,000€ each to accounts spread across Europe.
The attack involved 10 stages, starting with an initial infection by a modified version of Zeus:
- Users’ PCs become infected by a modified Zeus trojan by accidentally visiting an infected web page, or following a link from a phishing email. This opened the door for the attack.
- Users visit their bank’s webpage and log in to their account to make a transaction.
- The modified Zeus trojan injects malicious code into the bank webpage, including a request for users to enter their mobile information, including its number and operating system.
- This information is sent over the Internet to the attacker’s “drop zone” system where it is stored.
- The attacker’s server sends an SMS message to the user’s mobile device that includes a link to the mobile device-targeting trojan, a version of Zitmo (Zeus in the mobile).
- User are directed to click on a link in the SMS to ‘upgrade the security of the online banking system’. This installs the mobile Trojan on the mobile device and completes the system.
- Now, every time the user logs into their bank account, the Trojan initiates an automatic transaction to transfer money out of the victim’s account using their real credentials.
- To complete the transaction, an SMS message containing the TAN is sent to the victim’s mobile device, and the mobile Trojan delivers the TAN to the attacker’s server.
- The Eurograbber attack is complete and the attackers transfer money out of a victim’s account.