A global fraud ring has been targeting high net-worth businesses and individuals has netted the criminals an estimated €60 million (£48 million).
According to McAfee and Guardian Analytics which today issued a report on the fraud, "Dissecting Operation High Roller," the attacks, first identified this winter, have hit 60 or more institutions and the total amount stolen may in fact be may be much higher.
The two security firms say they have tracked "at least a dozen groups" that are relying on "server-side components and heavy automation" with about 60 servers processing thousands of attempted thefts from commercial accounts and the rich. This appears to be happening mainly in the European Union countries, though there's also evidence of it in Latin America and the US. These attacks are said to differ from the known malware-based SpyEye and Zeus attacks in that they are far more automated and usually done without human intervention.
"The advanced methods discovered in Operation High Roller show fraudsters moving toward cloud-based servers with multi-faceted automation in a global fraud campaign," said Dave Marcus, McAfee director of advanced research and threat intelligence.
McAfee and Guardian Analytics first spotted evidence of these crime activities in late January in an attack on a bank in Germany in which the victim log data on the server "showed the fraudsters compromised 176 accounts and attempted to transfer nearly one million Euros to mule accounts in Portugal, Greece, and the United Kingdom." The average account targeted held about €509,000
An attack against the German bank was highly automated, and in their report, the security firms say they had seen something similar in an earlier attack on a bank in Italy that involved SpyEye and Zeus malware to transfer funds but was more automated than anything they'd seen before.
The report says all manner of banking institutions have been targeted: credit union, large global bank and regional banks. In March, the fraudsters hit the Netherlands banking system with this newer style of server-side automated attack. They circumvented endpoint security and monitoring tools used for fraud detection at the institution, the report says. The server was based in San Jose, California, and has also apparently been used against victims in the US whose accounts contained at least $1 million.
A hit against two banks in the Netherlands reached into more than 5,000 business accounts. The attempted fraud was estimated to be €35.58 million. Later in March, the security firms also became aware of attacks in Latin America, where more than a dozen businesses in Colombia were targeted, each having an account balance between $500,000 and $2 million. The server used in this wave of attacks was hosted in La Brea, California, though there was evidence of fraudsters logging in from Moscow to "manipulate some of the transactions in an attempt to transfer arbitrary amounts as high as 50% - 80% of the victim's balance." McAfee and Guardian Analytics say they've shared their findings with law enforcement agencies.
According to the report, the wave of Operation High Roller attacks builds on Zeus/SpyEye malware to compromise the victims' computers and skim credentials in order to execute a fraudulent transaction from a bank account. But although "there can be live intervention" in the High Roller attacks, most of them have been "completely automated, allowing for repeated thefts once the system has been launched at a particular bank or for a given Internet banking platform."
According to the report, these "updated attacks found in the Netherlands and the US move fraudulent transaction processing from the client to the server. Fraudulent activities - including the actual account log-in - are performed from a fraudster's server that is located at a 'bullet proof' ISP (one with crime-friendly usage policies), locked down against changes, and moved frequently to avoid discovery. After each move, the web injects are updated to link to the new location."
In addition, the attacks up the ante on evasive maneuvers. According to the report, code customisation that includes rootkits for client-side malware and encrypted links help hide the criminal attack process and avoid antivirus scans. "And some of the web serves move dynamically so that blacklisting and reputation-centric technologies are not effective." The report says the techniques used are basically "a significant breakthrough for the fraudsters" because they represent the "defeat of two-factor authentication that uses physical devices."
The report goes on to state: "We are working to assess and improve the defenses at McAfee and Guardian Analytics financial service customers. This attack should not be successful where companies have layered controls and detection software correctly. We are working to map out appropriate security configurations, such as activation of real-time threat intelligence on client hosts and use of hardware-assisted security to defeat evasive malware."
The report points to the need for anomaly-detection software and strengthening of endpoint controls for consumers. But Operation High Roller was "successful," the security firms acknowledge. "Our research found attacks succeeding in the most respected financial institutions, as well as the small, specialised credit unions and regional banks that may have felt they presented too paltry a target."