Operation High Roller: online banking fraud on a grand scale
McAfee has collaborated with security firm Guardian Analytics to uncover a ring of online banking criminals who specifically targeted corporate accounts with high balances. According to the two companies' white paper, the fraudsters have attempted to steal at least €60 million, more than €35 million of which was from the Netherlands banking system alone; €1 million involved German banking customers. The report doesn't provide any details on the actual financial damage caused.
The criminals involved in what McAfee has called "Operation High Roller" were also active in Italy, Latin America and North America. Apparently, individual transactions of up to €100,000 were made – such transactions don't necessarily attract attention when made from a corporate account. According to the report, the cyber criminals even targeted accounts that are protected by two-factor authentication mechanisms.
McAfee said that the criminals used heavily modified versions of the ubiquitous ZeuS and SpyEye online banking trojans for their fraudulent campaigns. The security specialists added that they identified a total of 426 previously unknown spyware variants that used rootkits to avoid being detected by virus scanners. Reportedly, the criminals used online search and other methods to establish which financial institution was used by their targeted victims, and then sent victims a link to a specially crafted web page that infected their system.
Once the victims logged into their online banking facility from an infected system, the criminals used Man-in-the-Browser attacks to assess the victim's financial situation. The malware only became active at the next login: usually, a fixed percentage (around 10 per cent) was automatically transferred from the account with the highest balance to a mule account. In some cases, the fraudsters are believed to have intervened manually to transfer larger sums.
To prevent victims from discovering the fraud, the malware removed the transaction from the displayed transaction list and deleted the links for printing online statements. According to McAfee, the malware was even able to defeat two-factor authentication: it told victims that a second-factor code was required during login and then used the token they generated to authorise an illegitimate transfer. This works whenever the one-time code only proves possession of the token and is not tied to the payee and amount of a specific transaction.
McAfee says that this method was also used against banking customers who log in using EMV-based mechanisms (Chip and PIN). However, that standard is not commonly available to private customers in countries such as Germany, where the FinTS protocol is used for online banking instead. It remains unclear whether the criminals also adapted their malware to common German two-factor methods such as mTAN or chipTAN.
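Whether the login-token trick described above also works against a chipTAN-style scheme comes down to one property: whether the one-time code is bound to the payee and amount the customer can check on the token's display. The following simulation is an added example for this article, not code from McAfee, Guardian Analytics or the High Roller malware; the token secret, the IBANs and amounts, and the toy `Bank` and `customer_uses_token` models are constructed for illustration.

```python
"""Why a login-time one-time code can authorise a fraudulent transfer, and why a
transaction-bound TAN cannot be misused the same way.

Constructed illustration added to the article; not code from McAfee, Guardian
Analytics or the malware. Secret, IBANs and amounts are invented."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

TOKEN_SECRET = b"constructed-token-seed"   # assumed: shared between the token device and the bank


def token_response(secret: bytes, challenge: bytes) -> str:
    """What the customer's token device computes over the challenge it is given."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


class Bank:
    """Toy bank with two modes: 'unbound' (the code only proves possession of the
    token) or 'bound' (the challenge carries payee and amount, as chipTAN-style
    schemes do, so the device can show them to the customer)."""

    def __init__(self, secret: bytes, binding: str):
        assert binding in ("unbound", "bound")
        self.secret, self.binding = secret, binding
        self.pending: Dict[bytes, Tuple[str, int]] = {}   # challenge -> (iban, amount)

    def challenge_for_transfer(self, iban: str, amount_cents: int) -> bytes:
        nonce = secrets.token_hex(8).encode()   # hex only, so '|' never appears in it
        if self.binding == "unbound":
            chal = nonce                          # nothing about the transfer is in the challenge
        else:
            chal = nonce + f"|{iban}|{amount_cents}".encode()
        self.pending[chal] = (iban, amount_cents)
        return chal

    def execute_transfer(self, challenge: bytes, code: str) -> bool:
        if challenge not in self.pending:
            return False
        ok = hmac.compare_digest(code, token_response(self.secret, challenge))
        if ok:
            del self.pending[challenge]           # a code can be used once only
        return ok


def customer_uses_token(challenge: bytes, expects_transfer_to: Optional[str]) -> Optional[str]:
    """The customer keys the challenge into the device and reads its display.
    An unbound challenge shows nothing to check, so the customer answers it.
    A bound challenge shows the payee; the customer answers only if it matches
    the transfer they actually intended (None = they intended no transfer)."""
    parts = challenge.split(b"|")
    if len(parts) == 3:                           # bound: the display shows payee and amount
        shown_iban = parts[1].decode()
        if shown_iban != expects_transfer_to:
            return None                           # "I never asked to pay this account": refuse
    return token_response(TOKEN_SECRET, challenge)


def man_in_the_browser(bank: Bank, mule_iban: str, amount_cents: int) -> bool:
    """The trick the article describes: the malware requests a transfer to the
    mule account in the background, presents the resulting challenge to the
    victim as a routine login step, and feeds the answer back to the bank."""
    chal = bank.challenge_for_transfer(mule_iban, amount_cents)
    code = customer_uses_token(chal, expects_transfer_to=None)   # victim believes: just logging in
    return code is not None and bank.execute_transfer(chal, code)


def legitimate_transfer(bank: Bank, iban: str, amount_cents: int) -> bool:
    """Control case: the customer really wants this payment and sees the matching payee."""
    chal = bank.challenge_for_transfer(iban, amount_cents)
    code = customer_uses_token(chal, expects_transfer_to=iban)
    return code is not None and bank.execute_transfer(chal, code)


def demo() -> dict:
    mule = "NL00MULE0000000001"        # constructed mule account
    supplier = "DE00SUPPLIER00000002"  # constructed legitimate payee
    amount = 9_850_00                  # EUR 9,850.00, well under the sums in the article
    return {
        "unbound_attack_succeeds": man_in_the_browser(Bank(TOKEN_SECRET, "unbound"), mule, amount),
        "bound_attack_succeeds": man_in_the_browser(Bank(TOKEN_SECRET, "bound"), mule, amount),
        "bound_legitimate_succeeds": legitimate_transfer(Bank(TOKEN_SECRET, "bound"), supplier, amount),
    }


if __name__ == "__main__":
    print(demo())
```

With the unbound scheme the malware gets a valid transfer authorisation out of a "login" prompt; with the bound scheme the same trick fails only because the device shows the mule account and the customer refuses. That is the caveat for chipTAN-style methods: the binding protects the transaction exactly as far as the customer actually compares the displayed payee and amount with what they intended, which is why a Man-in-the-Browser campaign against such schemes would have to work on the customer rather than on the protocol.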
The actual transactions were reportedly performed in iframes that were invisible to the victims, although McAfee notes that recent cases involved 60 servers that took over victims' online banking sessions and performed the transactions themselves. These transaction servers frequently changed address to make them harder to track. The security experts say they found evidence that, during one transaction, a fraudster accessed one of these servers from Moscow.
The incidents McAfee describes started in early 2012. Customers of more than 60 banks are believed to have been affected. The company declined to provide The H's associates at heise Security with any actual names, adding only that it has been working with investigative authorities to break up the online fraud ring since March.