Online Fraud Scheme Hits ‘High Rollers’ For €60m

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

McAfee spots a highly-automated fraud campaign that has managed to get around banks’ two-factor authentication

Cyber criminals running a highly sophisticated online fraud operation have attempted to steal at least €60 million from bank accounts of rich businesses and individuals across the world, in an attack which beats two-factor authentication systems.

As part of the ‘High Roller’ scheme reported by security company McAfee, the criminals were seen using the Zeus and SpyEye malware, but in an unprecedented and highly-automated fashion. McAfee believes the perpetrators had access to insider knowledge of banking transaction systems and appeared to be part of an organised crime group.

They went after wealthy targets: some individual transfers were as high as €100,000. Attacks hit every class of financial institution, from credit unions to large global banks and regional organisations. Illegal transfers were made from accounts at 60 or more financial institutions in total.

The Italian job

McAfee became aware of the attacks when it noticed some activity in Italy. Whilst the use of Zeus and SpyEye was typical, with fake login screens presented to online bankers to trick them into giving away information, there was much more automation than normal.

“Instead of collecting the data and performing the transaction manually on another computer, this attack injected a hidden iFRAME tag and took over the victim’s account – initiating the transaction locally without an attacker’s active participation,” the McAfee report read.

“The code used by the malware looked for the victim’s highest value account, looked at the balance, and transferred either a fixed percentage (defined on a per campaign basis, such as 3 percent) or a relatively small, fixed €500 amount to a prepaid debit card or bank account.”

Breaking two-factor authentication

But the most interesting thing about the operation was that the attacks were bypassing two-factor authentication, where the user has a password as well as a physical device that provides a number for extra authentication. This is the first time this has been achieved in a fraud campaign, McAfee said.

The crooks used JavaScript web injects to alter the login page so that it collected everything needed to complete the login steps. The malware harvested the transaction authorisation number (TAN) the victim typed into the screen, presented it to the financial institution to authorise the fraudulent transfer, and meanwhile stalled the victim from reaching their account.

“Since the physical authentication information is gleaned during the login, outside the context of a transaction, the victim is less likely to be suspicious – they just think the login experience has been upgraded,” the report explained.

“Having collected all the information it requires for the entire transfer, the malware stalls the user and executes its transaction in the background using the legitimate digital token. Fraudsters can replicate this automated process across accounts and reuse it in multiple accounts on the same banking platform, so it scales.

“The defeat of two-factor authentication that uses physical devices is a significant breakthrough for the fraudsters. Financial institutions must take this innovation seriously, especially considering that the technique used can be expanded for other forms of physical security devices.”

The fraudsters used three different attack vectors to steal funds. In the early stages, they used highly-automated techniques that were initiated on the client side. In a bid to avoid detection, they moved to carrying out the illegal transactions from their own servers, located at a “bullet proof” ISP whose policies are favourable to criminal activity. In later attacks the perpetrators became more hands-on, injecting code into user sessions to make the activity appear normal.

There were various innovations introduced by the criminals along the way. “One innovation seen in a US attack involved the automated transfer of funds from the victim’s corporate savings to the victim’s corporate checking account, after which it would be normal (within standard business practices) for the funds then to be transferred to an external account. In this case, the transfer went to a business account controlled by a mule in another country,” McAfee wrote.
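The “sweep then send” pattern just quoted is something a bank’s fraud team can look for on the server side, where the malware cannot rewrite what is displayed. As an added example, not from the article or the McAfee report, the following Node.js rule flags an external transfer that is funded by an internal savings-to-checking sweep shortly beforehand and goes to a beneficiary the account has never paid before or to another country. The record layout, the 15-minute window, the “new beneficiary” criterion and the sample transactions are all constructed for illustration.

```javascript
// Added example, not from the article or the McAfee report: a toy detection
// rule for the "sweep savings into checking, then send abroad" pattern, run
// over constructed transaction records. Field names, the window and the
// account holder's country are assumptions for illustration.
const ACCOUNT_HOLDER_COUNTRY = 'US';

// Constructed sample records; t is milliseconds from the start of the day.
const SAMPLE_TRANSACTIONS = [
  { id: 1, t: 0,       kind: 'internal', from: 'SAV-1', to: 'CHK-1', amount: 60000, country: 'US', beneficiary: null },
  { id: 2, t: 180000,  kind: 'external', from: 'CHK-1', to: 'EXT-9', amount: 59500, country: 'DE', beneficiary: 'EXT-9' },
  { id: 3, t: 3600000, kind: 'external', from: 'CHK-1', to: 'EXT-2', amount: 12000, country: 'US', beneficiary: 'EXT-2' },
  { id: 4, t: 4000000, kind: 'external', from: 'CHK-1', to: 'EXT-7', amount: 800,   country: 'GB', beneficiary: 'EXT-7' },
];
// Beneficiaries this customer has paid before (constructed).
const KNOWN_BENEFICIARIES = new Set(['EXT-2']);

// Returns the external transfers that (a) were preceded within windowMs by an
// internal transfer into the sending account large enough to fund them, and
// (b) go to a never-seen beneficiary or cross a border. Each hit carries its reasons.
function flagSweepAndSend(transactions, knownBeneficiaries, windowMs = 15 * 60 * 1000) {
  const sorted = [...transactions].sort((a, b) => a.t - b.t);
  const flagged = [];
  for (const tx of sorted) {
    if (tx.kind !== 'external') continue;
    const sweep = sorted.find(p =>
      p.kind === 'internal' && p.to === tx.from &&
      p.t <= tx.t && tx.t - p.t <= windowMs && p.amount >= tx.amount);
    if (!sweep) continue;                         // no funding sweep: ordinary payment
    const reasons = [`funded by internal sweep #${sweep.id} ${(tx.t - sweep.t) / 60000} min earlier`];
    if (!knownBeneficiaries.has(tx.beneficiary)) reasons.push('first payment to this beneficiary');
    if (tx.country !== ACCOUNT_HOLDER_COUNTRY) reasons.push(`cross-border to ${tx.country}`);
    if (reasons.length > 1) flagged.push({ id: tx.id, amount: tx.amount, reasons });
  }
  return flagged;
}

for (const hit of flagSweepAndSend(SAMPLE_TRANSACTIONS, KNOWN_BENEFICIARIES)) {
  console.log(`transfer #${hit.id} (${hit.amount}):`, hit.reasons.join('; '));
}
```

With the default window only transfer #2 is flagged: #3 and #4 happen an hour or more after the sweep. Widening the window to two hours also catches #4 (new beneficiary, cross-border) but still not #3, which goes to a known domestic payee. The rule is deliberately narrow; in practice it would be one signal among several, since the same malware also picks amounts as a fixed percentage of the balance or a flat €500, and a legitimate business does occasionally sweep and pay a new supplier on the same morning.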

The malware did not stop working after money was transferred, as it attempted to hide illegal activity through various means. The client-side malware killed the links to printable statements, erased any confirmation emails and email copies of the statements, and changed the transaction values and account balances in the statement displayed on the victim’s screen so the amounts were what the account holder expected to see.
