Cyber criminals running a highly sophisticated online fraud operation have attempted to steal at least €60 million from bank accounts of rich businesses and individuals across the world, in an attack which beats two-factor authentication systems.
As part of the ‘High Roller’ scheme reported by security company McAfee, the criminals were seen using the Zeus and SpyEye malware, but in an unprecedented and highly-automated fashion. McAfee believes the perpetrators had access to insider knowledge of banking transaction systems and appeared to be part of an organised crime group.
They went after wealthy targets, as some transfers were as high as €100,000. Attacks hit every class of financial institution from credit unions to large global banks and regional organsations. Illegal transfers were made from accounts at 60 or more financial institutions in total.
McAfee became aware of the attacks when it noticed some activity in Italy. Whilst the use of Zeus and SpyEye was typical, with fake login screens presented to online bankers to trick them into giving away information, there was much more automation than normal.
“Instead of collecting the data and performing the transaction manually on another computer, this attack injected a hidden iFRAME tag and took over the victim’s account – initiating the transaction locally without an attacker’s active participation,” the McAfee report read.
“The code used by the malware looked for the victim’s highest value account, looked at the balance, and transferred either a fixed percentage (defined on a per campaign basis, such as 3 percent) or a relatively small, fixed €500 amount to a prepaid debit card or bank account.”
But the most interesting thing about the operation was that the attacks were bypassing two-factor authentication, where the user has a password as well as a physical device that provides a number for extra authentication. This is the first time this has been achieved in a fraud campaign, McAfee said.
The crooks employed JavaScript for web injects to alter the login experience to collect all the information needed to get around all the login steps. The malware collected the transaction authorisation number (TAN) from the victim’s screen, presenting it to the financial institution to enable the fraudulent transaction, while delaying the victim from accessing their account.
“Since the physical authentication information is gleaned during the login, outside the context of a transaction, the victim is less likely to be suspicious – they just think the login experience has been upgraded,” the report explained.
“Having collected all the information it requires for the entire transfer, the malware stalls the user and executes its transaction in the background using the legitimate digital token. Fraudsters can replicate this automated process across accounts and reuse it in multiple accounts on the same banking platform, so it scales.
“The defeat of two-factor authentication that uses physical devices is a significant breakthrough for the fraudsters. Financial institutions must take this innovation seriously, especially considering that the technique used can be expanded for other forms of physical security devices.”
The fraudsters used three different attack vectors to steal funds. In the early stages, they used highly-automated techniques that were initiated on the client side. In a bid to avoid detection, they moved to carrying out illegal transactions on their own servers, located at a “bullet proof” ISP where policies are favourable for criminal activity. Future attacks saw the perpetrators getting more involved and installing code into user sessions to make activity appear normal.
There were various innovations introduced by the criminals along the way. “One innovation seen in a US attack involved the automated transfer of funds from the victim’s corporate savings to the victim’s corporate checking account, after which it would be normal (within standard business practices) for the funds then to be transferred to an external account. In this case, the transfer went to a business account controlled by a mule in another country,” McAfee wrote.
The malware did not stop working after money was transferred, as it attempted to hide illegal activity through various means. The client-side malware killed the links to printable statements, erased any confirmation emails and email copies of the statements, and changed the transaction values and account balances in the statement displayed on the victim’s screen so the amounts were what the account holder expected to see.
Are you a security guru? Try our quiz!
AI push sees Alphabet's Google saying it will consolidate its AI teams in its Research…
Beijing orders Apple to pull Meta's WhatsApp and Threads from its Chinese App Store over…
Key milestone sees Intel Foundry assemble ASML's new “High NA EUV” lithography tool, to begin…
Oracle's huge AI, Cloud investment in Japan will meet growing local demand and address digital…
People who create sexually explicit ‘deepfakes’ of adults will face prosecution under a new law…
Protest at cloud contract with Israel results in staff firings, in addition to layoffs of…
View Comments
To say that Two-Factor Authentication is defeated I think is a stretch. For one thing the 2FA we are talking about are tokens that were issued from the banks some of which I am sure are old. (And I would like to say I feel this form of token is out-of-date.) The second thing is if it were not for the malware these attacks could not have happened. I do find it interesting to see that an Internet Security company (who is supposed to prevent malware) was so quick states “2-Factor Authentication has been defeated”. I they were protecting us from malware which is their job 2FA would be able to work properly. But when an Internet Security company allows malware to be placed, no form of secondary security is going function properly. In my opinion the blame needs to fall on the shoulders of the ones who allowed the malware to be installed. For me I don’t think that we can say the 2FA has been defeated. Many of the big global online banking sites have moved to the use of a telephone (mobile or other) as a form of a token where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice, I feel this is the safest option available.