Professional trojan targets SEPA transactions

Cyber-criminals are targeting the European SEPA payments network, according to a report from security specialist McAfee. Within the EU, SEPA transactions are uncomplicated because they make no distinction between domestic and cross-border transactions. In this case, that also benefits the online crooks who usually transfer money from the victim's account to foreign bank accounts.

The report says the malware involved is part of "Operation High Roller" where criminals extracted large sums from business accounts. Unlike traditional online banking fraud, which uses trojans such as ZeuS and SpyEye, the crooks infect only a small number of specific specialist computers with malware in order to get at money. This reduces the risks of detection considerably. In the current case, the scam only infected about a dozen customers.

The malware acts in a remarkably similar manner to how ZeuS and others work: after infection it inserts itself into the system's browser and waits for a user to access their bank's web site. Once there, the pest adds its own JavaScript code, called Web Injects, to perform the fraudulent withdrawals. The malware takes its instructions from a command and control server which is, McAfee says, located in Moscow. The software is hard-coded to withdraw amounts ranging between €1,000 and €100,000 depending on the balance of the account.

Examination of log entries from the control panels of the command server showed that at least one of the banks being targeted would have seen an estimated €61,000 of attempted SEPA transactions to mule accounts. Some of the bank accounts under attack had over €50,000 reported as their account balance. McAfee concludes that the High Rollers are becoming more sophisticated as they look for new ways to attack, but their current haul is quite small compared to the €60 million they attempted to steal at the start of the year.

(djwm)