A recent fraud ring through which attackers raided high-value bank accounts, nicknamed Operation High Roller, employed attacks that were quick, required no human interaction and, over the last several months, have already affected several tiers of credit unions, regional banks and large global banks.
In the ring, analyzed in a report by McAfee and Guardian Analytics, groups of attackers have used 60 servers to exploit 60 banks, focusing on “high-value commercial accounts” and “high net worth individuals” in Europe, Latin America and the United States.
It’s unclear how much money the attackers have managed to make off with so far, though McAfee estimates the criminals have pilfered at least $78 million – yet may have attempted up to $2.5 billion in fraudulent transfers, stretching back to January this year.
Spanning the globe, some of the first attacks were discovered in Germany in January and later the Netherlands and Latin America in March. The first evidence of US-based attacks also came in March following a series of intrusions on 109 companies by eight to 10 types of malware. Bank accounts that contained less than several million dollars were not targeted, backing up the attack’s codename.
Criminals initiated the attacks and narrowed their crosshairs on commercial and investment accounts that usually hold tens of millions of dollars. After the accounts were targeted, a series of mule business accounts attempted to siphon money from the victims, with some transfers nearing $130,000. Later that month, after “the scope of the fraud became clear,” the research team in charge of Operation High Roller began to notify law enforcement in hopes of apprehending the criminals behind the US-controlled servers.
The attacks make use of Zeus and SpyEye, using the Trojans’ ability to gather intelligence on each bank account owner, bypass two-factor physical authentication and defeat fraud detection. Unlike typical Zeus and SpyEye attacks, however, the malware involved in Operation High Roller is completely automated, meaning thefts can happen repeatedly without human intervention once the system has been put in place.
The banking Trojans have been almost synonymous since their alleged union in early 2011, with variants going on to affect Android devices and Autorun before being targeted by Microsoft earlier this year.