A fraud ring that attacked financial transfer systems in an attempt to get at wealthy high-end banking customers used a complicated web of malware and compromised servers in several countries to walk off with an estimated $78 million earlier this year. While the attacks targeted financial systems, the victims seem to be limited to companies involved in manufacturing, import-export businesses, and state or local governments.
Operation High Roller was at its peak during the spring, using automated fast-flux techniques to move command and control and malware servers from host to host, using providers in the Russian city of Kemerovo, as well as other hosts in Albania, Scottsdale, Ariz., and San Jose, Calif. All of them had ties to servers in Albania and China and relied on a cocktail of the Zeus Trojan and variants SpyEye and Ice IX, according to McAfee and Guardian Analytics who jointly discovered the fraud ring in February and completed a deeper analysis of the operation this week.
“The fraudsters’ objective in these attacks is to siphon large amounts from high balance accounts,” said Ryan Sherstobitoff, one of the report’s authors. “With no human participation required, each attack moves quickly and scales neatly. This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code and appears to be worthy of the term organized crime.”
Victims were generally lured in via phishing campaigns and were infected by malware adept at bypassing even two-factor authentication and other security devices in place, McAfee said.
American banks have been pummeled by hackers during the past nine months, not only from covert operations like this one, but from high-profile hacktivist-backed denial of service attacks, as well as the promise of a large-scale coordinated attack using man-in-the-middle schemes to conduct fraudulent wire transfers.
Operation High Roller began Feb. 7 when the domain reccheckservingbizpacktoo.net was established as an automated transaction server and used throughout the next two months to pilfer millions. It was moved among a number of IP addresses including one belonging to a legitimate Scottsdale business known as previous host to Ice IX malware and a Zeus control server with the domain brainrace.ru.
This domain was also tied to a server in San Jose, and a look at DNS records led McAfee to conclude there was a fast-flux botnet at work. Fast flux is a DNS technique used by botnets to hide malware between compromised hosts, an effort to stay one step ahead of detection technologies.
McAfee learned that 16 domains, many hosting Zeus malware, were pointed at the San Jose IP address. All of which were connected to servers in Albania and China as well, McAfee said in its report. Those servers hosted an array of malware including Zeus and Ice IX. McAfee also found ransomware on the San Jose server.
“The Ice IX domain brainrace.ru, which pointed to the Arizona and San Jose servers, also used a server in China. Brainrace.ru pointed to the server as an alternative to the Albania and San Jose servers listed in the DNS history, most likely to dynamically rotate its control among the three locations,” McAfee said in its report. “Our analysis is starting to lead to the conclusion that there is a heavy connection to these servers; many of the malicious domains point there.”
The Chinese provider turns out to be a longtime offender in attacks targeting banks, as it acted as a Zeus and SpyEye host for some time before Operation High Roller.
McAfee also found connections to the owners of a Pittsburgh pizza restaurant who owned domains originally hosted on the Chinese server hosting other Zeus malware. McAfee speculates either the owners’ identities were stolen or they were involved in the scheme and the restaurant is a front.
“The latter case is certainly possible, given that the fraudsters would need a way to launder the stolen US funds,” the report said. “The timing for the registry and hosting of the domain is right around the time the Operation High Roller attacks happened in the United States.”