Ongoing racket drains 'high roller' bank accounts

 

SpyEye and Zeus toolkits bypass multifactor authentication in raids on high-balance accounts.

Researchers have exposed a fraud ring that uses enhanced variants of the SpyEye and Zeus toolkits to target customers carrying high balances at smaller banks.

Dubbed "Operation High Roller," the campaign relies on novel automated, server-side tactics to transfer as much as $US130,000 from boutique financial institutions to accounts set up by money mules, according to a report authored by McAfee and Guardian Analytics.

In addition, the techniques enable the bypass of chip-and-PIN and other two-factor authentication controls.

While Europe has seen a majority of the attacks, the report states that the pernicious activity is spreading to the United States and Latin America.

The malicious software works in two phases, said Brian Contos, senior director of vertical and emerging market solutions at McAfee. The first phase compromises a user's computer through a phishing attack.

Once victims attempt to log in to their bank account, the credentials are swiped via a man-in-the-browser-style attack. Users are then issued a “system under maintenance” message, keeping them locked out for an extended period of time while the attackers transfer their funds.

Even if customers are using additional authentication controls, such as chip-and-PIN, which is popular in Europe, they are out of luck.

"Normally, the victim inserts a smart card into its reader device and enters a PIN into the device," the report said. "The bank's system generates a digital token based on the data contained on the physical smart card, authorising a transaction. [But this] malware defeats this authentication by generating an authentic simulation of this process during login to capture the token. To allay suspicion, the script collects the token as the user logs in, rather than during the transfer authorisation process. It then transfers the digital token to validate the transaction later in the online banking session while the user is stalled with a 'Please Wait' message."

Phase two of the attack is what makes it even more unique, Contos said.

According to the report, the miscreants have leveraged up to 60 malicious, cloud-based servers to initiate the transactions, rather than performing them directly from the user's compromised machine.

Most of the malicious servers are hosted by so-called bulletproof internet service providers, which are lenient and thus preferred by cyber crooks, Contos said.

“These are service providers in other countries that are not friendly to law enforcement,” he said.

Instead of emptying accounts all at once, the sophisticated software funnels smaller amounts automatically, so as not to trigger any red flags, Contos said.

“They try and stay just under three percent of the person's net worth because that's a limit they feel they can operate under,” he said.

To further hide the criminal activity, the hackers alter bank statements, leaving the victims unaware of the transactions.

Although the malware automatically siphons set amounts of money, Contos said that in some cases the attackers have manually logged on and tried to transfer up to 80 percent of the accounts' value.

Researchers are working with international law enforcement organisations to thwart the attacks, the study said. Contos said he believes that the campaign is still active today.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

