A new version of the Zeus trojan—a longtime favorite of criminals conducting online financial fraud—has been used in attacks on over 30,000 electronic banking customers in Europe, infecting both their personal computers and smartphones. The sophisticated attack is designed to circumvent banks' use of two-factor authentication for transactions by intercepting messages sent by the bank to victims' mobile phones.

The malware and botnet system, dubbed "Eurograbber" by security researchers from Check Point Software and Versafe, was first detected in Italy earlier this year. It has since spread throughout Europe. Eurograbber is responsible for more than $47 million in fraudulent transfers from victims' bank accounts, stealing amounts from individual victims that range from 500 Euros (about $650) to 25,000 Euros (about $32,000), according to a report published Wednesday (PDF).

The malware attack begins when a victim clicks on a malicious link, possibly sent as part of a phishing attack. Clicking on the link directs them to a site that attempts to download one or more trojans: customized versions of Zeus and its SpyEye and CarBerp variants that allow attackers to record Web visits and then inject HTML and JavaScript into the victim's browser. The next time the victim visits their bank website, the trojans capture their credentials and launch a JavaScript that spoofs a request for a "security upgrade" from the site, offering to protect their mobile device from attack. The JavaScript captures their phone number and their mobile operating system information—which are used in the second level of Eurograbber's attack.

With the phone number and platform information, the attacker sends a text message to the victim's phone with a link to a site that downloads what it says is "encryption software" for the device. But it is, in fact, “Zeus in the mobile” (ZITMO) malware—a Trojan crafted for the Android and BlackBerry mobile operating systems that injects itself between the user and the mobile browser and SMS messaging software. With both devices now compromised, the malware waits for the victim to access a bank account, and then immediately transfers a percentage of the victim's balance to an account set up by the criminals running the botnet.

The malware then intercepts the confirmation text message sent by the bank, forwarding it to the trojan's command and control server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money. The same process happens every time the victim logs into their bank account, gradually withdrawing money without alerting the user.

Both Checkpoint and Versafe have added signature and behavior detection to their malware protection products that can block Eurograbber. Updating software that is a frequent target for Web "driveby download" exploits—such as Adobe Flash, Java, and Web browsers—can help prevent infection by the malware, as can a healthy amount of paranoia about clicking links in e-mails.