Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Sophisticated Zeus Campaign Stole €36 Million From 30,000 Bank Accounts

A sophisticated Zeus campaign stole an estimated €36 million, or $47 million, from over 30,000 customers across more than 30 banks in Europe this summer.

A sophisticated Zeus campaign stole an estimated €36 million, or $47 million, from over 30,000 customers across more than 30 banks in Europe this summer.

The Eurograbber campaign, as it has been named, used custom versions of Zeus and Zeus in the mobile (ZITMO) Trojans to bypass the two-factor authentication measures to compromise customer bank accounts, Darrell Burkey, director of IPS products at Check Point Software Technologies, told SecurityWeek. The attack intercepted SMS messages sent to customers to confirm financial transactions.

Euros StolenIsrael-based Versafe learned about the campaign after some of its customers were affected in early August, and analyzed the attack with the team from Check Point, Eyal Gruner, a security engineer at Versafe, told SecurityWeek. Check Point and Versafe worked with European law enforcement and various Internet Service Providers to shut down the command-and-control servers in mid-October. The researchers jointly published a report detailing their findings on Wednesday.

The attack hit all the “key buzzwords, as it was sophisticated, multi-dimensional, stealthy, and successful,” Burkey said.

Victims were tricked into downloading a custom version of the Zeus Trojan, either by clicking on a link in an email or by being redirected to a malicious page while browsing online, Burkey said. Once the computer was infected, the malware could steal login credentials for online banking and intercept banking sessions.

However, Eurograbber didn’t just stop with infecting the computer. When the customer logged into online banking for the first time after being infected, the malware prompted the customer to enter the mobile phone number in order to “upgrade the security of the online banking system.” The user then received a link in an SMS message to a “banking software security upgrade,” which was actually a variant of Zeus in the mobile. Zeus in the mobile can target Android, BlackBerry, and Symbian phones, as well as jailbroken iPhones.

What made Eurograbber different from past Zeus campaigns, other than the sheer amount of money stolen, was the fact that it successfully compromised both the user’s computer and mobile device to bypass the bank’s two-factor authentication mechanisms, Burkey said.

Diagram of Eurograbber Attack Details

Many European banks have rolled out two-factor authentication schemes that rely on the customer having a mobile phone. When users set up financial transactions, the bank sends a “transaction authentication number” to the registered mobile phone. The customer has to enter that unique code back on the Website to complete the transaction. The idea being, of course, that if the user has access to the physical device to see the code, then the transaction request must be legitimate.

Advertisement. Scroll to continue reading.

“Eurograbber was designed to work within that banking system,” Burkey said.

With the account number, password, and the SMS messages containing the TAN, Eurograbber criminals were able to set up automatic transfers from €500 to €250,000 from victim accounts to those belonging to a network of money mules. The initial victims were in Italy, but the operation also spread to Germany, Holland, and Spain, Burkey said.

While it is very difficult to definitively determine the attack origin, the Eurograbber gang was most likely based out of Eastern Europe, Burkey said. The operation had command-and-control infrastructure all over the world. Check Point and Versafe worked with European law enforcement and ISPs to shut down the C&C servers in October, Gruner said.

The researchers have not detected additional outbreaks or seen a recurrence of the campaign, leading them to believe it has been successfully dismantled. However, Gruner was cautious, pointing out that unless users had detected and removed the Zeus malware from their computers and mobile phones, they were still vulnerable to future operations. Since the gang remains at large, it is very possible they can start over in a new location, set up the infrastructure and launch a new campaign, Gruner said.

“This iteration is finished, but it can be resurrected again,” Burkey agreed.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...