The criminals behind Operation High Roller, a complex wire-fraud scheme that has scammed high-end banking customers out of millions, have added a new dimension of automation to their attacks and expanded their efforts beyond Europe and have targeted a major U.S. bank.
Researchers at McAfee provided details of attacks against Europe’s Single Euro Payments Area (SEPA) system, an integrated payment process for European Union nations that simplifies bank transfers. Their most recent attacks focused on German banks using targeted attacks and money mules to execute fraudulent SEPA transactions. This is a departure from initial Operation High Roller attacks that exclusively centered on wire fraud.
Operation High Roller was discovered earlier this year. The scheme involves using automated transfer systems (ATS), modules embedded into financial malware such as Zeus and SpyEye, that automatically moves funds to a mule’s account and can bypass strong authentication checks.
McAfee said the German attack uses an ATS targeting the users opting for transfers using the SEPA network. Armed with webinjects containing JavaScript payloads, about a dozen online banking customers were injected; the small number of victims helps prevent detection, McAfee’s Ryan Sherstobitoff said. The webinjects define how much money the ATS system would move; the system is hard-coded for transactions between 1,000 and 100,000 Euros.
McAfee discovered a transaction server based in Moscow hosting control panels for each bank the criminals targeted showing recent transfers and links to log files. Sherstobitoff said the log files were locked, but McAfee researchers were able to find a hidden directory where log data was stored. They found the malware had the capability to hide security alerts, enable transactions to be searched and replaced according to how the bank processed SEPA transactions, as well as the capability to send SEPA transfers to mule accounts.
Sherstobitoff said 61,000 Euros in attempted transactions were made to mule accounts from one of the targeted banks; some of the accounts had a standing balance of 50,000 Euros or more.
“The fraudsters are looking for different angles to exploit; these can be anything from the processing times in ACH payments that allow them to get funds to mules quickly, to the lack of two-factor authentication associated with outgoing wires,” he said. “In this case, the fraudsters have evolved from automated wire transactions to different types of payment channels.”
Banks in the United States, meanwhile, cannot let their guard down. After a spate of denial-of-service attacks and the shutdown of a coordinated wire-fraud campaign, McAfee researchers have spotted Operation High Roller targeting a major U.S. financial services organization. McAfee said this is the first time an ATS has been used against an American bank.
Using a variant of the SpyEye banking Trojan, this new attack targets commercial and retail banking customers; the attackers have the option of targeting consumers or businesses.
The webinjects used in this attack hide the fraudulent transactions on the client side and process them on the command-and-control server. It is also capable of side-stepping SMS-based two-factor authentication, used to enroll new devices in an online account.
“This is a significant development,” McAfee wrote in its Q3 threat report. “We expect that attack requires this step because the remote server will authenticate with online banking and perform transactions much like the earlier High Roller campaigns we observed.”
The attack processes only balance replacement and transaction hiding on the client, McAfee’s report said. It also drops malicious JavaScript that scoops up log-in information and sends it to the C&C server, aiding in out-maneuvering fraud detection systems.
The U.S. variant depends on live interaction with the transaction server, McAfee said. The interaction cues the JavaScript what functions and transaction information to hide, masking it from the victim. “The victim will not see the funds deducted from the account, nor will they see that a transaction has been performed by the server,” the report said.
Operation High Roller, meanwhile has gone global. McAfee believes it has its roots not only in Europe, but in Asia-Pacific as well.
“The techniques employed in Operation High Roller will not go away any time soon,” the report said.