Feeds

Automated bank scam 'Operation High Roller' stole from the rich

To give to unknown auto-mule crims in the cloud

Top 5 reasons to deploy VMware with Tegile

Security researchers have uncovered a sophisticated, multi-tiered financial fraud ring that may have defrauded businesses, wealthy individuals and banks of tens of millions of dollars.

Operation High Roller bypasses multi-factor authentication technology employed by banks to attempt fraudulent transactions of &euro,60 million ($80m) worldwide since the scam began operating at the start of the year, according to security researchers from McAfee and Guardian Analytics that uncovered the fraud.

Analysts from the two firms reckon the fraudsters targeted at least 60 banks and financial institutions of varying sizes. The figures of attempted financial fraud are based on the analysis of only a few European-based servers linked to the scam and the true figure of attempted fraudulent transactions is likely to be much higher that the $80m base estimate cited by McAfee.

Banking fraud using Zeus and SpyEye malware to compromise online bank accounts, tied in with local money-mules to compromised accounts, is all too commonplace.

Operation High Roller added a number of innovations to this basic scam including techniques to bypasses physical “chip and pin” authentication, automated mule account databases, server-based fraudulent transactions, and attempted transfers to mule business accounts as high as €100,000 ($130,000).

Initial reconnaissance and infection of victims in Operation High Roller was normally carried out using a customised version of the SpyEye banking Trojan toolkit. Less ubiquitous variants of the ZeuS cybercrime toolkit were deployed. Operation High Roller targeted at least a dozen banking groups that use active and passive automated transfer systems.

"Where transactions required physical authentication in the form of a smartcard reader (common in Europe), the system was able to capture and process the necessary extra information, representing the first known case of fraud being able to bypass this form of two-factor authentication," the researchers note.

The scam targeted high balance accounts held by either businesses or well-heeled individuals.

Compromised accounts were systematically siphoned using automated transactions. Instead of using traditional man-in-the-browser attacks on the victim’s PC, instructions to compromised PCs came from cloud-based servers maintained by the as yet unidentified crooks behind the scam. Instead of using multi-purpose botnet servers, the cybercrooks behind High Roller relied on purpose-built and dedicated servers to process fraudulent transactions.

These innovations allowed the fraudsters to achieve a "high level of automation that captures one-time passwords, checks account balance, initiates transactions, and checks a mule database to find an active mule account, all without fraudsters' active participation," Guardian analytics explains.

The fraud involved a relatively small number of attacks on high-balance accounts. Fraudsters have been at pains to carry out the fraud as surreptitiously as possible. After the transaction, the malware will erase confirmation emails, prevent printing of statements, and change transaction values to match what the victim expects to see.

The banking fraud scam ring principally targeted victims in Europe, but it also hit victims in further flung locations including Colombia and the US.

A report, Dissecting Operation High Roller, explaining the elaborate scam in greater depth, can be found here (PDF). ®

Beginner's guide to SSL certificates

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.