June 14, 2021

36 million euros stolen from banking customers across Europe using mobile malware

(LiveHacking.Com) –  A sophisticated and complex attack has been used to systemically steal millions from banking customers, both corporate and private, across Europe. By using a combination of malware for the PC and malware for mobile, the attackers have been able to  intercept SMS messages used by banks as part of their two-factor authentication process. First the attackers would infect the victim’s PC and then  infected their mobile. Once the two-factor authentication was bypassed, the criminals used the corresponding transaction authentication number (TAN), to automatically transfers of funds from the victims’ accounts. The sums varied in size from €500 to €250,000.

According to Check Point, the firewall maker, an estimated €36+ million has been stolen from more than 30,000 corporate and private bank accounts. This attack campaign has been named “Eurograbber” by Versafe and Check Point Software Technologies who have released a case study about the criminals activities. By using a variation of the Zeus-In-The-Mobile Trojan the  victim’s online banking sessions were completely monitored and manipulated by the attackers. The mobile part of the attack used malware developed for both the Blackberry and Android platforms.

“Cyberattacks are constantly evolving to take advantage of the latest trends. As online and mobile banking continue to grow, we will see more targeted attacks in this area, and Eurograbber is a prime example,” said Gabi Reish, Head of Product Management at Check Point Software Technologies. “The best way to prevent these attacks is with a multi-layered security solution that spans network, data, and endpoints, powered by real time threat intelligence.”

In the on-going battle between cyber-criminals and IT infrastructure designers, cyberattacks have become more sophisticated. The Eurograbber attack has found the weakest link in the chain, the banking customers and their devices. In this case by unwittingly installing malware on their PC and phone the victims allowed the attackers to launch and automate their attacks and avoid traceability.

Checkpoint has notified the banks involved and it is actively working with law enforcement  agencies to halt any current or future attacks. The report ends by reminding  individual users that they must be steadfast in ensuring all of their desktops, laptops and tablets have all possible security layers enabled and that they are kept current with software and security updates to ensure the best protection possible.

In brief: Chip and pin random numbers not random enough

(LiveHacking.Com) – A vulnerability in the chip and pin payment system has been discovered by Cambridge University researchers. The chip and pin system is used throughout Europe and much of Asia, and is starting to be introduced in North America too.

As part of the system the payment card contains a chip that understands the system’s authentication protocol. As part of the protcol the point-of-sale (POS) terminals or the ATMs need to generate a random number for each transaction. However the team have discovered that some POSs and ATMs merely  used counters, timestamps or home-grown algorithms to generate this number.

The vulneravility leaves the system open to “pre-play” attacks which are indistinguishable from card cloning attacks.

The team’s research was presented at a cryptography conference in Leuven, Belgium, on Tuesday.

“If you can predict [the UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location,” said researcher Mike Bond in a blog post. “You can as good as clone the chip. It’s called a pre-play attack.”

The Cambridge team have been in contact with leading banks to explain the risks to them, but they discovered that some had been “explicitly aware of the problem for a number of years”.

“The sort of frauds we’re seeing are easily explained by this, and by no other modus operandi we can think of,” researcher Prof Ross Anderson told the BBC. “For example, a physics professor from Stockholm last Christmas bought a meal for some people for 255 euros ($326, £200), and just an hour and a half later, there were two withdrawals of 750 euros made from a nearby cash machine used by what appears to have been a clone of his card.”

Trusteer discovers a new financial malware and names it Tilon

(LiveHacking.Com) – Trusteer has discovered a new financial malware  based on the 2009 Silon banking trojan. This new variant, named Tilon, is capable of defrauding online banking customers protected by two factor authentication systems and also uses several tricks to avoid being detected by Anti-virus software.

Tilon is “Man in the Browser” (MitB) malware that injects itself into a browser (including Microsoft Internet Explorer, Mozilla Firefox and Google Chrome) and then monitors and manipulates the traffic sent from the browser to a web server and vice versa.

All forms that are filled out by the user are grabbed and sent to a command and control (C&C) server. The upshot of which is that banking login details are sent to the malware authors who can then use the information to hack into the victim’s bank account. The malware also uses a search and replace mechanism to modify certain URLs and replace text to trick the user.

The malware is also capable of tricking AV software and currently only 4 out of the 41 major AV engines can detect the malware. To avoid detection Tilon tries the following tricks:

  • Tilon will not install itself on a virtual machine, instead when a VM is detected it will install a piece of scamware and so the malware will be wrongly tagged and its true nature hidden. The resaon for not installing on a VM is that many security researchers use VMs for their research and not actual PCs.
  • Tilon is also thought to change the way to generates filenames and so makes it harder to distinguish.

ENISA tells banks to assume that all customer PCs are infected with malware

(LiveHacking.Com) – The EU’s cyber security agency ENISA (European Network and Information Security Agency) has released a report in response to the “High Roller” cyber-attacks. These attacks targetted corporate bank accounts and, according to a  report recently published by McAfee and Guardian Analytics, are responsible for the loss of tens of millions dollars.

As part of the recommendations, ENISA has told the banking industry to  assume that all PCs are infected with malware. The  “High Roller” cyber-attacks used the infamous Zeus malware, which isn’t universally detected by anti-malware programs and as such it is safer for banks to assume that all of its customers’ PCs are infected.

The report also mentions that basic two factor authentication does not prevent man-in-the-middle attacks on transactions. Therefore, ENISA recommends that banks cross check with their customers the details of certain types of transactions. These  cross checks can be performed via SMS or a telephone call.

ENISA also calls on the different national Computer Emergency Response Teams (CERTs) and law enforcement agencies to cooperate closer to help bring down the command and control servers used by the criminals.

The recommendations have been published due to the  nature of the “High Roller” attacks. First, these attacks are highly automated making them fast and easily missed. Second, the attacks are sophisticated with the ability to bypass two-factor authentication and fraud detection. Thirdly, the attacks are highly targeted.  Only PCs from users with corresponding high balances were targeted.

Online Banking SMS Authentication Messages Open To Attack

RSA LogoRSA are publishing a report warning of increasing attempts by cyber criminals to intercept online banking SMS messages which are used to authenticate users for online services.

Authentication tokens (normally a randomized six digit number or similar code) sent by SMS are becoming more and more popular. For example, The Commonwealth Bank of Australia claims that 80% of its online customers use their NetCode SMS service for authentication and have recently announced that the service will now be mandatory for “higher risk” transactions. The knock-on effect will be that hackers will increase their efforts to intercept these SMS messages to gain access to online accounts.

This warning comes at a time when it is now possible to eavesdrop GSM phones with cheap off-the-shelf equipment. Of course, a two step authentication process (username/password and then authentication token) is much better than just simple login authentication. However a better and more secure approach is the use of a hand held card reader which in combination with your bank card and PIN generate a unique, one-time code for use during login.

You can read more about this on ZDNet Australia.