The Thief who stole Rs 286 crores from Banks coming to India

Recently all across Europe, the “Euro Grabber” stealthily stole around 36 million euro (Rs 286 crores) from Bank customers. These were all customers who thought that

a) Their money in the Bank was safe.

b) Internet Banking was a great way to do Banking

The Banks thought that they had introduced the “Two Factor Authentication” which was a sophisticated system and made Internet Banking safe.

However, there came a great thief called “Euro Grabber” along with his team of assistants and invaded thousands of  PCs and Mobiles and finally stole money from around 30000 retail and corporate customers of different Banks across different parts of Europe.

“Eurograbber” is a new variant of the Zeus Trojan which steals the credentials of the banking customer both at the desktop and the associated mobile. Hence it easily bypasses the 2 Factor authentication system and is able to execute unauthorized transactions in the customer’s accounts. The trojan is currentlly known to have successfully attack the mobile systems using Android, Blackberry and Symbian operating system which in other words may mean more than 95% of the systems in usage.

The “Eurograbber” is an intelligent trojan which is often dropped through “Drive by Download” method. In otherwords, the infection does not require the user answering a “Phishng Mail”. All those Bankers who are crying from rooftops that “We donot ask for your passwords” and then say “Password can never be compromised unless the customer answers a phishing mail” must realize that  the methodologies used by trojan droppers are above all these routine security warnings. Customers may get infected when they have visited a news paper site or clicked on an unrelated google search result or some times even by visiting the Bank’s own website. (Eg: Bank of India infection in 2007).

Once infected, the Eurograbber, when the customer visits the Bank website, it starts injecting instructions within the running session asking the customer to upgrade security etc. Since these instructions appear during a session initiated by the customer himself he believes that the instructions are from the Bank and proceeds to provide information that compromises his identity including the mobile number. The trojan then sends an SMS message to the mobile with similar instructions ensuring that the customer clicks on a link that infects the mobile also.

With both the desktop and the mobile being infected, the trojan then is able to manipulate both the banking instructions and the OTP password interception and is able to carry out fraudulent transactions.

When such “Unauthorized Transactions” are carried on during a valid session opened by the customer, it creates a huge evidentiary problem for the customers since the time of the transaction coincides with the time of a valid session. Even the IP address of the transaction initiation may tally with the IP address of the customer. Unless the judge hearing the case therefore understands the way these trojans function, it would be near impossible for the hapless customer to convince that the transaction was “Unauthorized”.

Who is to be blamed for placing the Bank Customer in such a situation?

It is clear that Banks are mainly responsible for operating a system of Internet Banking without the adequate  security which places its customers in a compromising position.

To some extent, RBI also should share the blame since it places lot of thrust on the 2 Factor authentication through the mobile.  Users are increasingly being coerced into the use of “Mobile Banking” with false promises. Banks also adopt the policy of  “No Mobile-No account” and mandate the use of mobiles for Internet Banking. 

In this scenario, it will not be long before we will witness a huge Banking fraud emerging in India on the back of the “Eurograbber” trojan.

Naavi

 

Related Article:

Inside Eurograbber: How SMS Was Used to Pilfer Millions

A Case Study on Eurograbber

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Bank, Cyber Law, RBI. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.