Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year.

The theft used malware to target the PCs and mobile devices of banking customers. The attack also took advantage of SMS messages used by banks as part of customers’ secure login and authentication process.


The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan. When victims attempted online bank transactions, the process was intercepted by the trojan.

Under the guise of upgrading the online banking software, victims were duped into giving additional information including their mobile phone number, infecting the mobile device. The mobile Trojan worked on both Blackberry and Android devices, giving attackers a wider reach.

With victims’ PCs and mobile devices compromised, the attackers could intercept and hijack all the victims’ banking transactions, including the key to completing the transaction: the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully.


The attack infected both corporate and private banking users, performing automatic transfers that varied from 500€ to 250,000€ each to accounts spread across Europe.

The attack involved 10 stages, starting with an initial infection by a modified version of Zeus:

• Users’ PCs become infected by a modified Zeus trojan by accidentally visiting an infected web page, or following a link from a phishing email. This opened the door for the attack.
• Users visit their bank’s webpage and log in to their account to make a transaction.
• The modified Zeus trojan injects malicious code into the bank webpage, including a request for users to enter their mobile information, including its number and operating system.
• This information is sent over the Internet to the attacker's “drop zone” system where it is stored.
• The attacker's server sends an SMS message to the user's mobile device that includes a link to the mobile device-targeting trojan, a version of Zitmo (Zeus in the mobile).
• User are directed to click on a link in the SMS to ‘upgrade the security of the online banking system’. This installs the mobile Trojan on the mobile device and completes the system.
• Now, every time the user logs into their bank account, the Trojan initiates an automatic transaction to transfer money out of the victim’s account using their real credentials.
• To complete the transaction, an SMS message containing the TAN is sent to the victim's mobile device, and the mobile Trojan delivers the TAN to the attacker's server.
• The customized Zeus Trojan Javascript running on the victim's computer receives the TAN.
• The Eurograbber attack is complete and the attackers transfer money out of a victim’s account.