Zeus Botnet Eurograbber Steals $47 Million

Published : 22/11/2024   Category : security




Sophisticated, targeted attack campaign enabled criminals to steal an estimated $47 million from more than 30,000 corporate and private banking customers.



A criminal gang wielding a new version of Zeus malware that's designed for mobile devices has stolen an estimated 36 million euros, or $47 million, from more than 30,000 corporate and private banking customers.
That finding comes from a new report published by security vendors Versafe and Check Point Software Technologies. They've dubbed the related attack campaign Eurograbber, and notified banks and law enforcement agencies in the affected countries.
Attackers have configured the malware to target customers of 16 specific banks in Italy, as well as seven in Spain, six in Germany and three in the Netherlands. To date, this exploit has only been detected in euro zone countries, but a variation of this attack could potentially affect banks in countries outside of the European Union as well, according to the report. Individual transfer amounts made by Eurograbber malware have ranged from 500 euros ($656) to 250,000 euros ($328,000).
The malware used by attackers is a customized version of the Zitmo Trojan spyware application. Zitmo is short for "Zeus in the mobile," and the malware is designed to defeat the two-factor authentication systems employed by some banks. To do that, a companion smartphone version of the malware intercepts the one-time transaction authentication number (TAN) that banks send to a customer's mobile device via SMS, which the customer must then enter into a banking website prompt to authorize a money transfer.
The Zitmo Trojan can infect a PC if a user clicks on a malicious link in a spam or phishing email, or on a link on a website that's been compromised by attackers. The malicious Trojan application then remains dormant until a user logs into a targeted financial firm's website. The next time the bank customer logs in to their bank account, the Eurograbber Trojan intercepts their banking session and injects a JavaScript into the customer's banking page, according to the report. This malicious JavaScript informs the customer of the "security upgrade" and instructs them on how to proceed.
The "security upgrade" page requests that the user indicate which mobile operating system their smartphone uses -- Android, BlackBerry, iOS (iPhone), Symbian (Nokia) or other -- as well as their mobile phone number. This information is then relayed to a drop zone, which is a publicly writable folder on a Web server -- which attackers may have previously hijacked -- where they store information about every infected bank customer's PC, including account numbers, log-in credentials, and one-time passwords.
A bogus confirmation SMS is then sent to the user's smartphone. The SMS directs the customer to complete the "security upgrade" by clicking on the attached link. Doing so downloads a file onto the customer's mobile device with the appropriate mobile version of the Eurograbber Trojan, according to the report.
From then on, anytime that PC is used to log onto the targeted financial website, automatic attacks may take place, with the malware on the PC initiating transfers, and the malware on the smartphone intercepting any TAN sent by the bank and automatically approving the transaction, which transfers money to mule accounts. Victims' bank accounts will have lost money without their knowledge, according to the report. This entire process occurs every time the bank customer logs into his or her bank account.
News of the Eurograbber Zitmo attack campaign follows the recent discovery of a cybercrime campaign waged using the Gameover Zeus Trojan, which steals banking credentials using phony but real-looking emails. Millions of those emails have been circulating in recent weeks, and are being distributed via the Cutwail spamming botnet.
