Ongoing racket drains 'high roller' bank accounts

Powered by SC Magazine
 

SpyEye and Zeus toolkits bypass multifactor authentication in raids on high-balance accounts.

Researchers have exposed a fraud ring that uses enhanced variants of the SpyEye and Zeus toolkits to target the customers carrying high balances at smaller banks.

Dubbed "Operation High Roller," the campaign relies on novel automated, server-side tactics to transfer as much as $US130,000 from boutique financial institutions to accounts set up by money mules, according to a report authored by McAfee and Guardian Analytics.

In addition, the techniques enable the bypass of chip-and-PIN and other two-factor authentication controls.

While Europe has seen a majority of the attacks, the report states that the pernicious activity is spreading to the United States and Latin America.

The malicious software works in two phases, said Brian Contos, senior director of vertical and emerging market solutions at McAfee. The first phase compromises a user's computer through a phishing attack.

Once victims attempt to log in to their bank account, the credentials are swiped via a man-in-the-browser-style attack. Users are then shown a "system under maintenance" message, keeping them locked out for an extended period while the attackers transfer their funds.

Even if customers are using additional authentication controls, such as chip-and-PIN, which is popular in Europe, they are out of luck.

"Normally, the victim inserts a smart card into its reader device and enters a PIN into the device," the report said. "The bank's system generates a digital token based on the data contained on the physical smart card, authorising a transaction. [But this] malware defeats this authentication by generating an authentic simulation of this process during login to capture the token. To allay suspicion, the script collects the token as the user logs in, rather than during the transfer authorisation process. It then transfers the digital token to validate the transaction later in the online banking session while the user is stalled with a 'Please Wait' message."

Phase two of the attack is what sets it apart, Contos said.

According to the report, the miscreants have leveraged up to 60 malicious, cloud-based servers to initiate the transactions, rather than performing them directly from the user's compromised machine.

Most of the malicious servers are hosted by so-called bulletproof internet service providers, which are lenient and thus preferred by cyber crooks, Contos said.

“These are service providers in other countries that are not friendly to law enforcement," he said.

Instead of emptying accounts all at once, the software automatically funnels out smaller amounts so as not to trigger any red flags, Contos said.

“They try and stay just under three percent of the person's net worth because that's a limit they feel they can operate under,” he said.

To further hide the criminal activity, the attackers alter the victims' online bank statements, leaving them unaware of the transactions.

Although the malware automatically siphons set amounts of money, Contos said that in some cases the attackers have manually logged on and tried to transfer up to 80 percent of the accounts' value.
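The two transfer patterns described above, the automated "just under three percent" slicing and the manual attempt to move a large share of the balance in one go, are the kind of thing a bank's transaction-monitoring layer can look for. The following is an added example written for this article, not code from McAfee, Guardian Analytics or any bank: it runs two simple rules over a constructed set of transfer records. The `Transfer` fields, the sample accounts and beneficiaries, and the thresholds (a 1-point band under the 3% limit, three slices per session, 50% for a single large transfer) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer as a monitoring system might see it (constructed schema)."""
    account: str
    session_id: str
    balance_before: float  # balance immediately before this transfer; assumed available
    amount: float
    beneficiary: str


# Constructed sample, in chronological order:
#   ACC-1 is sliced in sub-3% pieces to four previously unseen beneficiaries in one session
#   ACC-2 suffers a single large manual-style transfer (80% of balance)
#   ACC-3 shows ordinary payments to established payees
SAMPLE = [
    Transfer("ACC-1", "s1", 500_000, 14_500, "MULE-A"),
    Transfer("ACC-1", "s1", 485_500, 14_000, "MULE-B"),
    Transfer("ACC-1", "s1", 471_500, 13_900, "MULE-C"),
    Transfer("ACC-1", "s1", 457_600, 13_500, "MULE-D"),
    Transfer("ACC-2", "s2", 200_000, 160_000, "MULE-E"),
    Transfer("ACC-3", "s3", 50_000, 1_200, "LANDLORD"),
    Transfer("ACC-3", "s4", 48_800, 300, "UTILITY"),
]

# Payees each account has used before (constructed); transfers to them are ignored here.
KNOWN_BENEFICIARIES = {"LANDLORD", "UTILITY"}


def flag_transfers(transfers, known_beneficiaries, limit=0.03, band=0.01,
                   min_slices=3, large_share=0.5):
    """Return {account: {rule_name: detail}} for accounts matching either rule.

    Rule 1 (sub_threshold_slicing): at least `min_slices` transfers in one session,
      each to a new beneficiary and each sized just under `limit` of the balance.
    Rule 2 (large_single_transfer): any single transfer to a new beneficiary that
      moves at least `large_share` of the balance.
    `transfers` is assumed to be in chronological order.
    """
    findings = defaultdict(dict)
    slices_per_session = defaultdict(list)

    for t in transfers:
        if t.beneficiary in known_beneficiaries or t.balance_before <= 0:
            continue
        share = t.amount / t.balance_before
        if share >= large_share:
            findings[t.account]["large_single_transfer"] = (
                f"{share:.0%} of balance sent to new beneficiary {t.beneficiary} "
                f"in session {t.session_id}")
        if limit - band <= share < limit:
            slices_per_session[(t.account, t.session_id)].append(t)

    for (account, session), slices in slices_per_session.items():
        if len(slices) < min_slices:
            continue
        opening = slices[0].balance_before
        drained = sum(s.amount for s in slices)
        payees = {s.beneficiary for s in slices}
        findings[account]["sub_threshold_slicing"] = (
            f"{len(slices)} transfers each just under {limit:.0%} of balance in "
            f"session {session}; {drained / opening:.1%} of the opening balance moved "
            f"to {len(payees)} new beneficiaries")

    return dict(findings)


if __name__ == "__main__":
    for account, rules in flag_transfers(SAMPLE, KNOWN_BENEFICIARIES).items():
        for rule, detail in rules.items():
            print(f"{account}: {rule}: {detail}")
```

The point of the first rule is that a per-transaction limit is exactly what the attackers calibrate against, so the detection has to aggregate: individually each slice looks unremarkable, but several of them in one session to never-before-seen payees is the signature. In practice the "new beneficiary" signal, the session grouping and the ratio band would come from the bank's own data rather than the constants used here.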

Researchers are working with international law enforcement organisations to thwart the attacks, the study said. Contos said he believes that the campaign is still active today.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

