Ongoing racket drains 'high roller' bank accounts


SpyEye and Zeus toolkits bypass multifactor authentication in raids on high-balance accounts.

Researchers have exposed a fraud ring that uses enhanced variants of the SpyEye and Zeus toolkits to target the customers carrying high balances at smaller banks.

Dubbed "Operation High Roller," the campaign relies on novel automated, server-side tactics to transfer as much as $US130,000 from boutique financial institutions to accounts set up by money mules, according to a report authored by McAfee and Guardian Analytics.

In addition, the techniques enable the bypass of chip-and-PIN and other two-factor authentication controls.

While Europe has seen a majority of the attacks, the report states that the pernicious activity is spreading to the United States and Latin America.

The malicious software works in two phases, said Brian Contos, senior director of vertical and emerging market solutions at McAfee. The first phase compromises a user's computer through a phishing attack.

Once victims attempt to log in to their bank account, the credentials are swiped via a man-in-the-browser-style attack. Users are then shown a “system under maintenance” message, keeping them locked out for an extended period while the attackers transfer their funds.

Even if customers are using additional authentication controls, such as chip-and-PIN, which is popular in Europe, they are out of luck.

"Normally, the victim inserts a smart card into its reader device and enters a PIN into the device," the report said. "The bank's system generates a digital token based on the data contained on the physical smart card, authorising a transaction. [But this] malware defeats this authentication by generating an authentic simulation of this process during login to capture the token. To allay suspicion, the script collects the token as the user logs in, rather than during the transfer authorisation process. It then transfers the digital token to validate the transaction later in the online banking session while the user is stalled with a 'Please Wait' message."

Phase two of the attack is what makes it even more unique, Contos said.

According to the report, the miscreants have leveraged up to 60 malicious, cloud-based servers to initiate the transactions, rather than performing them directly from the user's compromised machine.

Most of the malicious servers are hosted by so-called bulletproof internet service providers, which are lenient and thus preferred by cyber crooks, Contos said.

“These are service providers in other countries that are not friendly to law enforcement," he said.

Instead of emptying accounts all at once, the software automatically funnels out smaller amounts so as not to trigger any red flags, Contos said.

“They try and stay just under three percent of the person's net worth because that's a limit they feel they can operate under,” he said.

To further hide the criminal activity, the hackers alter bank statements, leaving the victims clueless to the transactions.

Although the malware automatically siphons set amounts of money, Contos said that in some cases the attackers have manually logged on and tried to transfer up to 80 percent of the accounts' value.
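The report describes two signals a bank can observe from its own side: transfers initiated from the attackers' servers rather than from the customer's session, and amounts kept just under a share of the account balance. The following monitoring rule is an added illustration, not code from McAfee, Guardian Analytics or the report; the event records, the 3 percent band and the two-signal threshold are constructed for the example, and balance stands in for the "net worth" the article mentions.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """One online-banking event; constructed sample data, not real bank logs."""
    account: str
    kind: str          # "login" or "transfer"
    ip: str            # address the event was initiated from
    amount: float = 0.0
    balance: float = 0.0
    payee: str = ""


# Constructed events: account A shows the pattern the article describes,
# account B is an ordinary customer paying a known payee from their own session.
EVENTS = [
    Event("A", "login", "203.0.113.5"),
    Event("A", "transfer", "198.51.100.7", 2900.0, 100000.0, "NEW-PAYEE-1"),
    Event("A", "transfer", "198.51.100.7", 2800.0, 97100.0, "NEW-PAYEE-1"),
    Event("B", "login", "192.0.2.10"),
    Event("B", "transfer", "192.0.2.10", 400.0, 20000.0, "LANDLORD"),
]
KNOWN_PAYEES = {"A": {"UTILITY"}, "B": {"LANDLORD"}}


def flag_transfers(events, known_payees, ratio=0.03, band=0.005, min_hits=2):
    """Return (account, payee, reasons) for transfers matching >= min_hits signals.
    ratio, band and min_hits are assumed tuning values, not figures from the report."""
    login_ip = {}          # most recent login address per account
    flagged = []
    for e in events:
        if e.kind == "login":
            login_ip[e.account] = e.ip
            continue
        reasons = []
        # Phase two: the transfer is initiated from a server, not the session host.
        if login_ip.get(e.account) != e.ip:
            reasons.append("transfer IP differs from login IP")
        # Amount held just below a share of the balance to stay under review limits.
        share = e.amount / e.balance if e.balance else 0.0
        if ratio - band <= share < ratio:
            reasons.append(f"amount is just under {ratio:.0%} of balance")
        if e.payee not in known_payees.get(e.account, set()):
            reasons.append("first transfer to this payee")
        if len(reasons) >= min_hits:
            flagged.append((e.account, e.payee, tuple(reasons)))
    return flagged


if __name__ == "__main__":
    for account, payee, reasons in flag_transfers(EVENTS, KNOWN_PAYEES):
        print(account, payee, "; ".join(reasons))
```

Requiring two independent signals keeps a customer travelling abroad (IP mismatch alone) or a routine payment that happens to be near the band from being flagged on its own.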

Researchers are working with international law enforcement organisations to thwart the attacks, the study said. Contos said he believes that the campaign is still active today.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition