
Zeus botnet steals $47M from European bank customers

New variant dubbed "Eurograbber" intercepts bank text messages sent to mobile phones to defeat two-factor authentication process.

Steven Musil Night Editor / News

A new version of the Zeus botnet was used to steal about $47 million from European banking customers in the past year, security researchers report.

Dubbed "Eurograbber" by security vendors Versafe and Check Point Software Technologies in a report (PDF) released today, the malware is designed to defeat the two-factor authentication process banks use for transactions by intercepting bank messages sent to victims' phones.

A variant of the Zeus malware used to steal more than $100 million, Eurograbber typically launched its attack when a victim clicked on a malicious link, most likely included in a phishing attempt. After customized variants of the Zeus, SpyEye, and CarBerp trojans were installed on the victim's computer, the malware would prompt victims, during their first visit to the bank site after infection, to enter their mobile phone number.

The report illustrates how the attack works. Check Point/Versafe

During that first visit, Eurograbber would offer a "banking software security upgrade" that would infect victims' phones with a variant of the "Zeus in the mobile" (ZITMO) Trojan, which was specifically designed to intercept the bank's text message containing the bank's transaction authorization number (TAN), the key element of the bank's two-factor authorization. Eurograbber would then use the TAN to quietly transfer funds out of the victim's account.

"To date, this exploit has only been detected in euro zone countries, but a variation of this attack could potentially affect banks in countries outside of the European Union as well," the report said, adding that affected banks have been notified of the malware.

First detected in Italy earlier this year, Eurograbber is responsible for the theft of 36 million euros from about 30,000 commercial and personal bank accounts by initiating transfers ranging from 500 euros ($656) to 250,000 euros ($328,000), according to the report.