How 36 Million Euros was Stolen via new Zeus botnet Eurograbber

Posted: December 6, 2012 in IT Security News
Tags: , , , , ,

Zeus botnet Eurograbber

Zeus botnet Eurograbber

The company Check Point, which has a serious authority in the protection of information, published 18-page report on the new botnet called ‘Eurograbber’.

According to the results of the investigation conducted by Check Point and Versafe, since it was first detected in Italy in early 2012, the system Eurograbber stole more than 36 million euros ($ 47 USD million) from the accounts of private and corporate clients in various countries in the eurozone.

Technology steal money from bank accounts Eurograbber built on botnet Zeus – very popular with cybercriminals platform to create branched botnets with centralized management server. Unlike Eurograbber of previously detected malware is its high complexity and risk. The fact that Eurograbber uses special circuitry to bypass two-factor authentication, which is still considered a reliable means of protection: messages with one-time passwords that are sent from the bank to the customer’s mobile phone, intercepted and used by hackers.

Name Eurograbber detected complex viruses gave security experts from companies and Check Point Versafe. For 2012, the virus had spread throughout Europe. According to experts, the operators Eurograbber stole more than 36 million euros, with each victim lost from 500 to 25 000.

Zeus botnet Eurograbber

Zeus botnet Eurograbber

Eurograbber attack begins when the victim clicks on a malicious link, perhaps, in a letter sent in the phishing. Transition on a link takes the user to a bogus website where starts downloading one or more Trojans: a modified version of a botnet client Zeus and SpyEye variants thereof or CarBerp. These viruses allow criminals to intercept access to web pages, inserting its code HTML and JavaScript in the victim’s browser. When the victim the next time the user visits the site of his bank, the Trojan records details of access to the account and the script runs JavaScript-issuing fake request for ‘security update’ allegedly from a bank site. This “security update” is proposed to protect the user’s mobile device from possible attacks. As a result, a special JavaScript-script captures the mobile phone number and information about the device’s operating system – the data used in the next stage of attack Eurograbber.

Using this information about the number and mobile device platforms, the criminals send a text message to the victim machine to the website where you download ‘encryption utility’ for the device. In fact, instead of any utility installs the mobile version of the virus Zeus, ‘Zeus in the mobile’ (ZITMO) – Trojan specifically designed for mobile OS Android and BlackBerry. This mobile virus works at a level between the end user and the transmission system SMS messages. Now that compromised both devices (PC and Smartphone), the virus waits until the victim re-enters your bank account through a browser. When you are logged on, the virus immediately sends the money to the victim’s account to the account created by criminals to withdraw money.

At this point, the virus on the device intercepts SMS message asking to confirm the operation, and forwards the message to the server control the botnet through a special phone number that works in repeater mode. Criminals use server message to confirm the transfer of money and withdraws the money from the victim’s account. The same process can be repeated each time the affected user logs in to your account, gradually writing off money without your knowledge. Withdrawal of money by using so-called ‘mules’ – people who, for a small fee open temporary accounts, get them stolen money, remove the amount in cash and transfer them to the criminals.

Both companies, which participated in the investigation – Checkpoint and Versafe – have added signatures and characteristics of behavior Eurograbber in their products to block the virus. The main means of combating such viruses for the end user is a regular update of all programs and components most prone to unauthorized downloads: Adobe Flash, Java, and Web browsers. In addition, it helps healthy caution when passing on any even remotely suspicious links sent by e-mail. In most cases, these simple precautions to help avoid infection completely. Full report in PDF format of the attack Eurograbber can be found on the company’s website at Check Point

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s