Inside Eurograbber: How SMS Was Used to Pilfer Millions

In one of the most sophisticated banking attacks ever publicly reported, over 36 million euros ($47 million U.S.) were stolen from at least 30,000 banking customers across Europe. The attack, dubbed “Eurograbber,” leveraged mobile platforms and a variant of the Zeus platform to do its dirty work.

Darrell Burkey, director of IPS at security vendor Check Point, explained to eSecurity Planet that the attack was a multi-stage process designed to work within the context of online banking in Europe. Many European banks leverage a two factor authentication approach for logging into their online portals. In addition to a standard password, an SMS message is typically sent to the user providing the required second factor for authentication.

How Trojan Fools Users

The Eurograbber Trojan infects users by a variety of different means, including malicious links and drive-by JavaScript download script injection. When an infected user goes to a bank website, the Trojan injects code into the session that alerts the user to follow or click a specific link.

“The bank customer has some level of comfort because they initiated the activity by going to their banking website, which is where the alert popped up,” Burkey said. “The Trojan requests that the user provides their mobile phone number in order to complete a required upgrade.”

A user who falls for the ruse and provides the mobile phone number will then receive an SMS on their phone, purportedly from their bank. That SMS directs the user to click a link which downloads a Zeus mobile Trojan.

“At that point the user is basically owned, and the next time they access their bank account the attack initiates a transaction to transfer money out of the account to the attacker’s account,” Burkey said.

The Eurograbber attack was discovered by Check Point and security vendor vendor Versafe after their customers were hit by the attack. Eyal Gruner, security engineer at Versafe, told eSecurity Planet that when the Eurograbber attempted to inject code into a banking website used by customers of theirs, an alert was triggered.

Versafe and Check Point then analyzed the attack and discovered the full impact. The two companies worked together with the banks, local Internet service providers and law enforcement to take down Eurograbber’s command-and-control infrastructure.

Variant of Zeus

The Eurograbber Trojan is a variant of the well-known Zeus malware. While there is no shortage of anti-virus signatures for Zeus, there is similarly no shortage of variants. Gruner explained that with Zeus, an attacker can easily change the binary and associated configuration file.

“If it’s a zero-day Zeus variant, it is not easy to detect,” Gruner said. “The attackers also frequently changed the servers behind Zeus.”

Defense Against Eurograbber

The Eurograbber attack is a dangerous one, but it can be prevented if users and enterprises take the right steps.

For one, Gruner suggested users make sure they keep everything on their phones and desktops up to date. That includes both the operating system as well as software plugins such as Java and Flash.

“Security is all about layers. You can’t ever block everything so you need layers of security to protect yourself,” he said. “The enterprise can put lots of devices and layers to protect themselves and customers, because you can’t be 100 percent protected against everything with only one solution.”

Sean Michael Kerner is a senior editor at, the news service of the IT Business Edge Network. Follow him on Twitter @TechJournalist.

Sean Michael Kerner
Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

Top Products

Related articles