Major £30m cyberheist pulled off using MOBILE malware

Cybercrooks swiped £30 million (€36m) from the bank accounts of 30,000 customers in Italy, Germany, Spain and Holland over the summer using an elaborate mobile banking fraud scam. The malware-based attack targeted both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 to …


This topic is closed for new posts.
  1. Fred Flintstone Gold badge

    What worries me..

    .. was the amount of planning involved - this was a 10 stage process. We're well past the fly-by grab-what-you-can idea that most people have of hackers, this heist was the result of a carefully planned, step by step strategy which is in my opinion going to be the trend for 2013.

    1. Anonymous Coward

      Re: What worries me..

      Please fork over a bunch of personal information

      Now please install some crap on your smartphone.

      Insert two fingers in electrical socket while we rob you blind.

      Thank you please.

      1. Anonymous Coward

        Re: What worries me..

        Missing critical introduction: "Hello this is your bank"

        People have grown to expect all that from their bank.

  2. Anonymous Coward

    Stealing the money is probably the easier task. Taking this £30m through the laundry is a whole other chapter.

    1. Velv

      Given the amount of planning and staging, I'm willing to bet they've got that covered too

    2. Fred Flintstone Gold badge

      Dunno. Judging by the tenner in my jeans it's actually easy. You just need to use bigger notes (and bigger jeans).

  3. Anonymous Coward 15

    More explanation on the Android attacks please?

    One doesn't normally install an app by clicking links in e-mail. Do they offer their malware in the Play Store? Does it need root? Does it matter whether I have my bank's actual app on my phone or not? Does it work on WiFi-only tablets?

    1. Anonymous Coward

      Re: More explanation on the Android attacks please?

      Android won't install from outside the play store unless you let it so this puzzles me too.

      But as with so many security stories the details are missing... so I assume it was all done using pixie dust

      1. Anonymous Coward

        Re: More explanation on the Android attacks please?

        Here you go, full details of the attack:

        It seems the Android flavour asks users to download an APK from a server outside the Store, so users will need to have third party installs enabled for this to work. Then again many Android users will have this on.

  4. Anonymous Coward


    We really should be teaching kids about this stuff in schools. Most importantly, never respond to unsolicited requests for information on the internet without verification via a different channel. (For example phone them, using a number printed in an old fashioned telephone book).

    Also, the popularity of social media sites like Facebook has made crimes like identity theft much easier, and the consequences of that can be horrendous - not to mention the impact on future job prospects of youthful indiscretions.

    1. Anonymous Coward

      Re: Schools

      I'm actually involved in ISECOM's Hacker Highschool project as an author, and I fully intend to take the full material into my kids' school once the v2 release is complete.

      I'm very much tempted to write a new piece about privacy - people are goaded into revealing information that is simply dangerous in the wrong hands. The Belgians actually made a good (albeit slightly too long) video about this..

    2. Velv

      Re: Schools

      While I agree we should be teaching all sorts in schools, let's not forget that the vast majority of victims were probably at school before the web was invented.

      I remember things I learned at school. I remember Chemistry. I remember Carbon had two forms, diamond and graphite. And that wasn't that long ago. 1985 and Buckminsterfullerenes were discovered.

      So yes, let's teach it in schools - but adulthood should also be a learning experience too.

    3. hughy

      Re: Schools

      I'm an ICT teacher for a secondary school, we cover "Online Safety" several times as a full project, in fact I taught it today, and was asked "Can mobile phones be infected with viruses, sir?", so I think the kids are okay!

    4. Anonymous Coward

      Re: Schools

      Why are the kids getting the blame for falling for these phishing scams? Although it's anecdotal I'd say the teenagers I know are a lot more savvy about this stuff than the 40+ year olds that I know. Looking down my list of friends on Facebook, the few teenagers that have added me all use pseudonyms, most of the adults are using their full names with D.O.B. and occasional phone numbers listed. Yes, teenagers are prone to saying bloody stupid things on the internet but then they've always said bloody stupid things. No amount of 'awareness' classes are going to make them mature any faster. As for things posted to Facebook affecting their employment possibilities, the pages of under 18's are not searchable to those over 18, regardless of what privacy settings they may or may not have enacted.

  5. yoinkster

    I must be heartless

    because I don't really have all that much sympathy for people who fall for this?

    They were duped into handing over their details by a fake "upgrade the banking software" box. If this sort of thing doesn't set alarm bells ringing then you are not 'qualified' enough to use internet banking. I'm sick of people with no clue getting in a flap because they thought they were magically safe on the internet. Why do these people never learn? It's not like it's a new thing any more!

    1. Anonymous Coward

      Re: I must be heartless

      Internet banking is (misleadingly) touted as a utility - flick the switch, it works. The party line is that you don't need 'qualifications' to use it.

  6. RyokuMas

    Very easy...

    ... to hide layers of functionality - anyone remember a while back there was a bit of malware that masqueraded as a game where each enemy you shot down deleted a file?

    This is why I've always been in favour of the walled garden approach to app stores - without the vetting this provides, it's very easy to slip malevolent functionality under the radar.

    And before the Android jihadists get on my case, this is nothing about Android or market shares: open is simply more vulnerable than closed. The fact that open happens to be biggest only increases the appeal to the VXers.

    1. Pie

      Re: Very easy...

      I remember a very old apple one that deleted/corrupted your files while you played some sort of strip poker game...

  7. Anonymous Coward

    internet banking...

    ...utter madness.

  8. jubtastic1

    That's a big pile of money

    With cash like that for the taking this is only going to get much, much worse. I still don't understand how you get 30M out of the system though: does it transfer to a bank specially set up for crims or is it a synchronised 30M international ATM withdrawal? Surely there's an easily viewable and reversible credit transfer trail?

    Or is this one of those things that's left broken because of 'legitimate' business uses?

    1. Mayhem

      Re: That's a big pile of money

      That's the whole point of laundering the money - breaking the trail to make it difficult to identify where the money went.

      Classic case was bouncing it between multiple dupes in different jurisdictions, so you have to slowly trace through each bank in turn. Route it through a jurisdiction that doesn't ask many questions and doesn't provide much help to law enforcement and that's half the battle won. Put an (apparently) legitimate purchase or two in the middle, and everything slows right down. It is intentionally difficult to reclaim money from vendors due to the past experience of customers reversing payments once they get the goods. The number of dodgy customers is higher than the number of dodgy vendors, so that's the way things work.

      The key for the hackers is to get the money out of the conventional system as fast as possible. By the time the customer has cried Fraud, the money has disappeared. Where it pops up again, who knows. Half the time the laundering is actually done by governments for various purposes. Prime example - the UK government laundered almost a billion dollars worth of IRA funds as part of the NI peace settlement.

      There was quite the bizarre set of statements in the Lords back in 2010 where curiously the media comment on it was extremely rapidly quashed.

      Start reading from 1 Nov 2010 : Column 1538 onwards.

      1. Sir Runcible Spoon

        Re: @Mayhem

        thanks for the link, that was most....illuminating.

      2. Anonymous Coward

        Re: That's a big pile of money

        "Route it through a jurisdiction that doesn't ask many questions and doesn't provide much help to law enforcement and that's half the battle won. "

        If the European banks weren't such crooked and incompetent arseholes themselves, then there would be a simple solution of blocking all electronic transactions to territories and banks that have lax security standards, poor laundering controls, or uncooperative law enforcement.

        This is wishful thinking of course.

  9. Andy Watt

    Android: Mo' numbers, les' secure...

    Like the fella above said, the sheer weight of android numbers, plus the lovely little "please let me install malware laden crap on my phone" switch provided by Google, plus the occasional purge of a few tens of malware threats from the actual Google Play store (see El Reg passim), equals:

    "Android is a less secure platform than other mobile smartphone OSs".

    Seriously, it's not arguable: the steaming, frothing, spittle-flecked android guys can get in line to try - android is less secure, because Google "did a microsoft" and forgot to think about this in advance (e.g. Microsoft not thinking the internet would ever catch on, therefore windows' painful, gradual march towards a secured OS).

  10. NoneSuch Silver badge

    Sorry, all OS's have vulnerabilities. None are immune to a concentrated effort. Open code can be checked by anyone. Closed code is only checked by a few. Most closed programmers assume that as they wrote it, it must be secure. I call that the ostrich head in the sand approach.

    Besides, no operating system security can survive a dumb user.

    1. Sean Timarco Baggaley

      "Open code can be checked by anyone. "

      Indeed, but there's no guarantee that anyone will actually do so. Nor is there any guarantee that the person(s) checking the code are even remotely competent to do so, let alone whether they'll tell everyone about what they find, rather than just keeping their knowledge to themselves and using it to their own nefarious ends.

      Any shyster with a copy of "Programming Bullshit for Shysters" can pretend to know what they're talking about. And any sociopath can decide to keep a juicy little bug to themselves.

      Open source is no better or worse than closed source when it comes to security. It never was. (And it's certainly nowhere near as good as commercial closed-source development when it comes to design and innovation. When your only means of making money is by charging for support, good UI design suffers.)

    2. Andy Watt

      "Besides, no operating system security can survive a dumb user."

      No, but a company which values the platform can at least try to account for them. There's no arguing with this, I'm afraid - smartphones are used by non-geeks because the UI finally got easy enough for them to use. Geeks know about security, non-geeks don't even care. Google have failed miserably to secure the platform, and are now scrabbling for purchase on a slippery steep gravel-laden slope.

      It's exactly what happened to microsoft, and it needn't have been. Higher barriers to malware would have improved matters.

  11. The_Regulator

    Funny how almost every malware issue you ever hear about with mobile phones is a google/android based issue on the most part........yet another reason to switch to something better!!

  12. John H Woods

    Funny how almost every malware issue ...

    ... designed to make money for criminals is targeted at the most popular, and therefore most profitable platforms.

    1. Sean Timarco Baggaley

      Re: Funny how almost every malware issue ...

      Market share does not automatically equate to profits.

      The most profitable mobile platform is iOS, and it has been for some time. It's been creaming off about 50% of the entire mobile platforms market's profits, despite its smaller market share. The reason? Apple are only interested in targeting the market of people with money to spend and who are willing to spend it.

      Apple are more than happy to leave the rest of the market to others. Why waste resources competing for the custom of people who have little or no money and who are thus forced to place affordability over everything else, including usability?

      1. Peladon

        May I propose...

        ... if someone hasn't beaten me to it already, a new version of Godwin's Law? It could run something like this:

        "As an online technology discussion grows longer, the probability of a comparison involving Apple, Unix and/ or Windows approaches 1."

        We could call it something like OSwin's Law.

    2. Andy Watt

      Re: Funny how almost every malware issue ...

      Chicken / egg. If google had ensured sideloading was harder, and made the UIX on security prompts intelligible to your average idiot, they wouldn't be in the shit now.

      The "it's the biggest platform" argument doesn't stack up, because they didn't secure from the start - it was even less secure a while back.

  13. Displacement Activity
    Thumb Down

    Does anyone actually believe this?

    This is a press release, not a detailed description of how they broke this attack. The last paragraph of the executive summary even ends with "The case study closes with an overview of how individuals can protect themselves against the Eurograbber attack, including specific insight to how Check Point products and Versafe products protect against this attack." The article is pathetic, and looks like it was written by teenagers. If there's any truth in the article, then they must have hacked at least two drop zones, but they give no details on how they did this. The article isn't even consistent about the URLs of the drop zones, saying that two were known, and listing 4 elsewhere, and blanking different parts of the URLs in different parts of the article.

    I call very low-quality BS.
