Researchers with McAfee and Guardian Analytics have concluded initial analysis of a highly sophisticated and uniquely automated operation that employs banking Trojans such as Zeus and SpyEye to target high-value accounts.
"Unlike standard SpyEye and Zeus attacks that typically feature live (manual) interventions, we have discovered at least a dozen groups now using server-side components and heavy automation. The fraudsters’ objective in these attacks is to siphon large amounts from high balance accounts, hence the name chosen for this research: Operation High Roller," the researchers report.
The analysis, provided in a paper titled "Dissecting Operation High Roller", describes how the cyber criminals were able to bypass physical multi-factor authentication systems to conduct client and server-side attacks to attempt automated fund transfers to mule account databases.
"Where transactions required physical authentication in the form of a smartcard reader, the system was able to capture and process the necessary extra information, representing the first known case of fraud being able to bypass this form of two-factor authentication. Within 60 seconds, a script navigated to the GIRO transfer page, retrieved mule account information from a remote database, and initiated a transfer. No human interventions, no delays, no data entry errors," the researchers stated.
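The quoted behaviour (login, straight to the transfer page, a transfer to a previously unseen beneficiary within 60 seconds, no data entry) is itself a detectable signature on the bank's side. The following Python is an added example written for this page, not code from the McAfee/Guardian Analytics report; it scores constructed online-banking session events against three heuristics drawn from that description: time from login to transfer below a human-plausible threshold, no form-edit events before the transfer, and a beneficiary the account has never paid. The event schema, the `known_payees` history and the 60-second threshold are assumptions for illustration.

```python
"""Session-velocity heuristic for automated transfer fraud (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    session: str
    account: str
    ts: datetime
    kind: str          # "login", "page", "form_edit" or "transfer" (assumed schema)
    detail: str = ""   # page name, edited field, or beneficiary id
    amount: float = 0.0


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


# Constructed sample events (not real bank data). Session s1 mimics the pattern
# described in the report: login, transfer page, transfer to an unknown payee
# within 60 s, no form edits. Session s2 is a plausible human session.
SAMPLE_EVENTS: List[Event] = [
    Event("s1", "acct-1001", _t("2012-06-01T09:00:00"), "login"),
    Event("s1", "acct-1001", _t("2012-06-01T09:00:05"), "page", "transfer"),
    Event("s1", "acct-1001", _t("2012-06-01T09:00:40"), "transfer", "payee-unknown-77", 48500.0),
    Event("s2", "acct-2002", _t("2012-06-01T10:00:00"), "login"),
    Event("s2", "acct-2002", _t("2012-06-01T10:01:30"), "page", "balance"),
    Event("s2", "acct-2002", _t("2012-06-01T10:03:10"), "page", "transfer"),
    Event("s2", "acct-2002", _t("2012-06-01T10:03:40"), "form_edit", "beneficiary"),
    Event("s2", "acct-2002", _t("2012-06-01T10:04:05"), "form_edit", "amount"),
    Event("s2", "acct-2002", _t("2012-06-01T10:04:30"), "transfer", "payee-home-rent", 950.0),
]

# Constructed beneficiary history per account (assumed to come from past transfers).
KNOWN_PAYEES: Dict[str, Set[str]] = {
    "acct-1001": set(),
    "acct-2002": {"payee-home-rent"},
}

# Assumed threshold: the report's scripted transfers completed within 60 seconds.
MAX_AUTOMATION_SECONDS = 60


def score_session(events: List[Event], known_payees: Set[str]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one session; each matched heuristic adds one point."""
    events = sorted(events, key=lambda e: e.ts)
    logins = [e for e in events if e.kind == "login"]
    if not logins:
        return 0, []
    login_ts = logins[0].ts
    reasons: List[str] = []
    for tr in (e for e in events if e.kind == "transfer"):
        elapsed = (tr.ts - login_ts).total_seconds()
        if elapsed < MAX_AUTOMATION_SECONDS:
            reasons.append(f"transfer {elapsed:.0f}s after login")
        # A human fills in the form; a script posts the transfer with no edits.
        edits = [e for e in events if e.kind == "form_edit" and login_ts <= e.ts <= tr.ts]
        if not edits:
            reasons.append("no form-edit events before transfer")
        if tr.detail not in known_payees:
            reasons.append(f"first transfer to beneficiary {tr.detail}")
    return len(reasons), reasons


def flag_sessions(events: List[Event], known_payees_by_account: Dict[str, Set[str]],
                  min_score: int = 2) -> Dict[str, List[str]]:
    """Group events by session and return the sessions scoring at least min_score."""
    by_session: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_session[e.session].append(e)
    flagged: Dict[str, List[str]] = {}
    for sid, evs in by_session.items():
        account = evs[0].account
        score, reasons = score_session(evs, known_payees_by_account.get(account, set()))
        if score >= min_score:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE_EVENTS, KNOWN_PAYEES).items():
        print(sid, "->", "; ".join(reasons))
```

Requiring two of the three signals keeps a fast but legitimate repeat payment from being held, while the scripted session trips all three. In practice the scoring would run on the transaction-processing side, where the malware's client-side injection cannot alter what the server observes.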
The advanced nature of the operation is highlighted by the attackers' in-depth knowledge of the systems they targeted, which they used to develop an automated methodology capable of penetrating "every class of financial institution", including credit unions, large international institutions and regional banks.
"With no human participation required, each attack moves quickly and scales neatly. This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code and appears to be worthy of the term 'organized crime,'" the report states.
The operation employed the Zeus Trojan, widely regarded as one of the most dangerous pieces of malware ever to surface in the wild, and SpyEye, a particularly nasty piece of malicious software.
Both Zeus and SpyEye can lie dormant for long periods until the user of the infected machine accesses targeted information such as banking accounts, and then harvest passwords and authentication codes.
"The attack used SpyEye and Zeus malware to transfer funds to a personal mule account or pre-paid debit card where the thief could retrieve the funds quickly and anonymously... instead of collecting the data and performing the transaction manually on another computer, this attack injected a hidden iFRAME tag and took over the victim’s account—initiating the transaction locally without an attacker’s active participation," the researchers explained.
The researchers have confirmed that the attackers attempted close to eight million dollars' worth of fraudulent transfers, but note that the total attempted haul may be as much as two billion dollars.
While the majority of the targets have been dozens of European financial institutions, the researchers found evidence that the attacks have spread to both North and South America.
"Where Europe has been the primary target for this and other financial fraud rings in the past, our research found the thefts spreading outside Europe, including the United States and Colombia," the report warns.
The researchers concluded that the operation is evidence that financial institutions should be prepared for a shift in tactics by criminal hackers, and that protecting against such operations may become ever more difficult.
"Financial institutions should anticipate more automation, obfuscation, and increasingly creative forms of fraud. Botmasters will likely upgrade and exploit the population of existing Zeus/SpyEye infected machines to use more automation. Further, different payment models will be targeted: Automated Clearing House (ACH) payments, remittance payments, and more. As this report shows with the evolution from client-side to server-side attacks, fraudsters will evolve their model to move a majority of the fraud logic to the server. This practice makes it much more difficult for security leaders to develop prevention strategies."