Researchers at McAfee and Guardian Analytics have uncovered a heavily automated, sophisticated fraud operation that may have attempted to steal at least $78 million from bank accounts around the world.
In a report entitled ‘Dissecting Operation High Roller’, the companies discovered at least a dozen groups using server-side components and heavy automation to siphon money from bank accounts across the globe. The researchers also found 60 servers processing thousands of attempted thefts from commercial accounts as well as high-balance accounts belonging to individuals. As the attackers roped in businesses as targets, the mule business accounts allowed attempted transfers averaging in the thousands of Euros, including some as high as €100,000 (US$130,000).
“The advanced methods discovered in Operation High Roller show fraudsters moving toward cloud-based servers with multi-faceted automation in a global fraud campaign,” blogged Dave Marcus, director of advanced research and threat intelligence at McAfee, who authored the report with Guardian Analytics Threat Researcher Ryan Sherstobitoff.
According to the researchers, the first series of attacks were observed targeting a popular bank in Italy.
“The attack used SpyEye and Zeus malware to transfer funds to a personal mule account or pre-paid debit card where the thief could retrieve the funds quickly and anonymously,” they note in the report. “While at first consistent with other client-based attacks we have seen, this attack showed more automation. Instead of collecting the data and performing the transaction manually on another computer, this attack injected a hidden iFRAME tag and took over the victim’s account—initiating the transaction locally without an attacker’s active participation.”
In the Italian example, the code looked for the victim’s highest value account, analyzed the balance and transferred either a fixed percentage or a fixed amount to a prepaid debit card or account. When transactions required physical authentication in the form of a smartcard reader, the system was able to capture and process the necessary extra information, effectively bypassing this form of two-factor authentication.
Normally, the report explains, a consumer inserts a smartcard into its reader device and enters a PIN code into the device. The bank’s system generates a digital token based on the data contained on the physical smartcard, authorizing a transaction. The malware defeats this whole process however by simulating this process during login and capturing the token.
In January, an attack similar to the one seen in Italy was discovered in Germany. The victim log data on the server showed the fraudsters compromised 176 accounts and attempted to transfer nearly one million Euros to mule accounts in Portugal, Greece and the United Kingdom. The average account balance was close to €50,000.
Two months later, the fraudsters turned their attention to the Netherlands banking system and added a server-side automated attack into the mix. By performing the unauthorized transfer on the server side, the cyber-criminals were able to circumvent endpoint security and monitoring tools used by fraud detection teams at the financial institution. The server performing these transactions was based in San Jose, California.
This campaign compromised more than 5,000 primarily business accounts in two banks in the Netherlands, the researchers found. The attack also spread to Latin America as well as the United States.
“This first evidence of attacks on North American financial institutions affected 109 companies,” according to the report. “Evidence in the United States indicates there are eight to ten malware variations exclusively targeting American businesses, using commercial transactions to fund mule accounts.”
“One innovation seen in a US attack involved the automated transfer of funds from the victim’s corporate savings to the victim’s corporate checking account, after which it would be normal (within standard business practices) for the funds then to be transferred to an external account,” according to the report. “In this case, the transfer went to a business account controlled by a mule in another country.”