Operation High Roller targets businesses and consumers with ability to bypass multi-layer authentication

News by SC Staff

A highly sophisticated fraud campaign that targets businesses and consumers has been detected.

According to McAfee and Guardian Analytics, ‘Operation High Roller’ uses server-side components and heavy automation with the objective of siphoning large amounts of money from high-balance business and consumer accounts.

The report said that this operation combines an insider level of understanding of banking transaction systems and uses both custom and off-the-shelf malicious code. It found 60 servers processing thousands of attempted thefts from high-value commercial accounts and some high net worth individuals, with some transfers as high as £83,000.

It said that so far, it estimated that the criminals have attempted at least £47 million in fraudulent transfers from accounts at 60 or more financial institutions.

The first attack was in Italy, against both consumer and business accounts. The research said that the attack used the SpyEye and Zeus malware to transfer funds to a personal mule account or pre-paid debit card. Instead of collecting the data and performing the transaction manually on another computer, this attack injected a hidden iFrame tag and took over the victim's account, initiating the transaction locally without an attacker's active participation.

The code used by the malware then looked for the victim's highest-value account and transferred either a fixed percentage (defined on a per-campaign basis) or a relatively small, fixed amount to a prepaid debit card or bank account.

It said that this fraud showed one other important innovation: where transactions required physical authentication in the form of a smartcard reader in the past, the system was able to capture and process the necessary extra information, representing the first known case of fraud being able to bypass this form of two-factor authentication.

The High Roller scheme uses an extensive JavaScript injection to alter the login experience to collect all the information that the fraudsters need for both steps within the login. Since the physical authentication information is gleaned during the login, the victim is less likely to be suspicious, as they will just think the login experience has been upgraded.

Having collected all the information it requires for the entire transfer, the malware stalls the user and executes its transaction in the background using the legitimate digital token.

McAfee said that the defeat of two-factor authentication that uses physical devices is a significant breakthrough for the fraudsters, and encouraged financial institutions to take this innovation seriously, especially considering that the technique used can be expanded for other forms of physical security devices.

Further attacks have been reported in Germany, Holland and Colombia. McAfee said that the fraudulent transaction server controlling this campaign was hosted in Brea, California. Although most of the attacks were automated by this server, there was evidence of the fraudster logging in from Moscow to manipulate some of the transactions.

McAfee said that whereas most Zeus/SpyEye attacks rely on manual components and active participation by the fraudster, including planting malware, most of the High Roller process is completely automated, allowing repeated thefts once the system has been launched at a given bank or for a given internet banking platform.

In terms of protection, McAfee said that this attack should not succeed where companies have deployed layered controls and detection software correctly. Since attacks such as Operation High Roller use multiple tactics and extensive automation, multiple diverse protections must be deployed to detect and disrupt the different aspects of each attack.
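The article describes a recognisable transaction pattern (a transfer from the customer's highest-balance account, of a whole-percentage or small fixed amount, to a prepaid card or new beneficiary, executed automatically moments after login) and recommends layered detection on the bank's side. The following is an added example of what a simple server-side detection layer for that pattern could look like; it is not code from the McAfee/Guardian Analytics report. The event fields, the thresholds and the sample transfers are all constructed assumptions for illustration.

```python
"""Server-side heuristics for High Roller-style automated transfers.

Added example, not from the McAfee / Guardian Analytics report.
Event layout, thresholds and sample data below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed thresholds; a real deployment would tune these per platform.
MAX_SECONDS_AFTER_LOGIN = 30.0           # scripted transfers complete far faster than people
SMALL_FIXED_AMOUNTS = {500.0, 1000.0, 2000.0}  # constructed "fixed amount" campaign values
HOLD_THRESHOLD = 3                       # number of indicators before a transfer is held


@dataclass
class Account:
    account_id: str
    balance: float


@dataclass
class CustomerProfile:
    accounts: List[Account]
    known_beneficiaries: Set[str]


@dataclass
class Transfer:
    from_account: str
    beneficiary: str
    amount: float
    seconds_since_login: float


def whole_percent_of_balance(amount: float, balance: float) -> Optional[int]:
    """Return k if amount equals exactly k% of balance (to the cent), else None.

    The report describes campaigns that move a fixed percentage of the
    highest-value account; a human-initiated payment rarely lands on an
    exact whole percentage of the balance.
    """
    if balance <= 0:
        return None
    for k in range(1, 101):
        if abs(amount - round(balance * k / 100, 2)) < 0.005:
            return k
    return None


def flag_transfer(transfer: Transfer, profile: CustomerProfile) -> List[str]:
    """Return the list of indicators this transfer matches."""
    reasons: List[str] = []
    source = next((a for a in profile.accounts if a.account_id == transfer.from_account), None)
    if source is None:
        return ["unknown_source_account"]

    richest = max(profile.accounts, key=lambda a: a.balance)
    if source.account_id == richest.account_id:
        reasons.append("source_is_highest_balance_account")

    if transfer.beneficiary not in profile.known_beneficiaries:
        reasons.append("new_beneficiary")

    pct = whole_percent_of_balance(transfer.amount, source.balance)
    if pct is not None:
        reasons.append(f"amount_is_whole_percent_of_balance:{pct}")
    elif transfer.amount in SMALL_FIXED_AMOUNTS:
        reasons.append("small_fixed_amount")

    if transfer.seconds_since_login < MAX_SECONDS_AFTER_LOGIN:
        reasons.append("transfer_within_seconds_of_login")
    return reasons


def should_hold(reasons: List[str]) -> bool:
    """Hold for manual review when enough independent indicators line up."""
    return len(reasons) >= HOLD_THRESHOLD


# Constructed sample data: one customer with two accounts and one known payee.
SAMPLE_PROFILE = CustomerProfile(
    accounts=[Account("ACC-A", 120000.00), Account("ACC-B", 3500.00)],
    known_beneficiaries={"payroll-1"},
)
SAMPLE_TRANSFERS = [
    # 7% of the largest account, to a never-seen payee, 4 s after login
    Transfer("ACC-A", "prepaid-card-9", 8400.00, 4.0),
    # ordinary payment from the smaller account to a known payee
    Transfer("ACC-B", "payroll-1", 1234.56, 300.0),
]


def review_transfers(transfers: List[Transfer], profile: CustomerProfile) -> List[bool]:
    """Return, per transfer, whether it should be held for review."""
    return [should_hold(flag_transfer(t, profile)) for t in transfers]


if __name__ == "__main__":
    for t in SAMPLE_TRANSFERS:
        print(t.from_account, "->", t.beneficiary, t.amount, flag_transfer(t, SAMPLE_PROFILE))
```

Each indicator on its own is weak (new payees and fast sessions are common), which is why the hold decision requires several of them together; that mirrors the article's point that diverse, layered checks are needed rather than any single control.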
