Hackers operating in western Europe have managed to make off with more than $47 million, thanks to a new iteration of a widespread banking Trojan that intercepts two-step authentication text messages sent to customers' phones.
"Eurograbber," a variation on the Zeus and Zitmo banking Trojans, has stolen amounts ranging from $650 to $32,000 at a time, security-software company Check Point wrote in a white paper.
Customers become victims of Eurograbber by clicking on malicious links that may come in phishing-attack emails, Ars Technica reported.
From there, the Zeus variant steals the user's login credentials and, crucially, asks for his phone number. If the victim complies, a malicious text is sent that contains the Zitmo (Zeus-in-the-mobile) mobile Trojan, adding the second step of the attack.
Many western European banks have extra-tough security methods, which in many cases involve sending a confirmation code via text message to a customer's mobile phone every time the user logs in on a computer. Eurograbber controls both channels of information, allowing it to hijack any online banking session.
Next time the victim accesses his account, the banking Trojan diverts a small percentage of the balance to a criminal-controlled account, but also intercepts the confirmation text so the victim is none the wiser. This occurs every time users log in from their computers or phones.
Theoretically, the best way for users to protect themselves against sophisticated banking Trojans like these is to avoid clicking on suspicious links, keep security software up to date on both desktop and mobile devices, make sure the security software protects against malicious websites, and be vigilant about monitoring their bank accounts' activity.
But practically, it's simpler. So far, Zeus affects only Windows computers. Zitmo attacks Android, BlackBerry and Windows Mobile phones, but it doesn't work on iPhones.
Inject an Apple product into either end of the equation, or a live-CD-based Linux OS into the computer side, and you'll be safe — for now.