Millions stolen with mTAN fraud
The Zeus-in-the-Mobile (ZitMO) Trojan has apparently been used to steal as much as 36 million euros, 13 million in Germany alone, from more than 30,000 bank customers. Kaspersky Lab reported on Zeus-in-the-Mobile a few months ago; now, a new study from software and security firms Versafe and Check Point Software Technologies gives more details on ZitMO and its scope. They have dubbed the attack campaign "Eurograbber".
Although all Eurograbber victims seem to be in Europe, Versafe and Check Point aren't counting out the possibility that similar attacks are going on elsewhere. They say that the attack began in Italy before spreading out through Germany, Spain and the Netherlands. Trojans infected the victims' computers and then their mobile devices in order to get past the banks' two-factor authentication processes.
A malicious program installed on an infected Windows computer began the process by monitoring and manipulating the victim's online banking sessions. In this seemingly trustworthy context, it would then ask for the user's mobile phone number and operating system, purportedly in order to install an important security update. Users who installed the apparent update that was sent to their mobile phone were really installing a Trojan that then proceeded to steal mobile TANs (mTANs) and forward them to the crooks. The stolen data was stored on compromised servers; to keep them secret, the attackers occasionally changed servers and domain names. The Trojan was written for Android and BlackBerry; there doesn't seem to be an iOS version. Since the number of Android users is growing, ZitMO's potential reach is quite large.
The mTAN system is used throughout continental Europe and provides online banking security by giving the customer a list of one-time passwords to add an additional factor to the authentication process.
Versafe and Check Point say that withdrawals were made from victims' accounts amounting to anything from 500 to 250,000 euros. In many cases, the attackers apparently continued to withdraw money to the full extent of authorised overdraft limits. The total of 36 million euros has not yet been confirmed by any other parties. In mid-November, Berlin police told The H's associates at heise Security that fewer than ten complaints had been received regarding possible ZitMO attacks. One possible explanation for the large monetary figure is that the researchers analysed the servers' logs to estimate a total without taking into account that not all fraud attempts may have actually been successful.