Bank hack: 'Operation High Roller' has netted $78M – so far

A global fraud ring targeting high net-worth businesses and individuals has netted the criminals an estimated $78 million (60 million euros).

According to McAfee and Guardian Analytics, which today issued a report on the fraud, "Dissecting Operation High Roller," the attacks, first identified this winter, have hit 60 or more institutions, and the total amount stolen may in fact be much higher.


The two security firms say they have tracked "at least a dozen groups" that rely on "server-side components and heavy automation," with about 60 servers processing thousands of attempted thefts from commercial accounts and the accounts of wealthy individuals. This appears to be happening mainly in European Union countries, though there is also evidence of it in Latin America and the U.S. These attacks are said to differ from the known malware-based SpyEye and Zeus attacks in that they are far more automated and usually carried out without human intervention.

"The advanced methods discovered in Operation High Roller show fraudsters moving toward cloud-based servers with multi-faceted automation in a global fraud campaign," said Dave Marcus, McAfee director of advanced research and threat intelligence.

McAfee and Guardian Analytics first spotted evidence of this criminal activity in late January in an attack on a bank in Germany, in which log data on the server "showed the fraudsters compromised 176 accounts and attempted to transfer nearly one million Euros to mule accounts in Portugal, Greece, and the United Kingdom." The average account targeted held about 509,000 euros.

The attack against the German bank was highly automated. In their report, the security firms say they had seen something similar in an earlier attack on a bank in Italy, which used SpyEye and Zeus malware to transfer funds and was more automated than anything they had seen before.

The report says all manner of banking institutions have been targeted: credit unions, large global banks and regional banks. In March, the fraudsters hit the Netherlands banking system with this newer style of server-side automated attack. They circumvented endpoint security and the monitoring tools used for fraud detection at the institution, the report says. The attack server was based in San Jose, Calif., and has apparently also been used against victims in the U.S. whose accounts contained at least $1 million.

A hit against two banks in the Netherlands reached into more than 5,000 business accounts; the attempted fraud was estimated at 35.58 million euros. Later in March, the security firms also became aware of attacks in Latin America, where more than a dozen businesses in Colombia were targeted, each having an account balance between $500,000 and $2 million. The server used in this wave of attacks was hosted in La Brea, Calif., though there was evidence of fraudsters logging in from Moscow to "manipulate some of the transactions in an attempt to transfer arbitrary amounts as high as 50% - 80% of the victim's balance." McAfee and Guardian Analytics say they have shared their findings with law enforcement agencies.

According to the report, the wave of Operation High Roller attacks builds on Zeus/SpyEye malware to compromise the victims' computers and skim credentials in order to execute a fraudulent transaction from a bank account. But although "there can be live intervention" in the High Roller attacks, most of them have been "completely automated, allowing for repeated thefts once the system has been launched at a particular bank or for a given Internet banking platform."

According to the report, these "updated attacks found in the Netherlands and the U.S. move fraudulent transaction processing from the client to the server. Fraudulent activities -- including the actual account log-in -- are performed from a fraudster's server that is located at a 'bullet proof' ISP (one with crime-friendly usage policies), locked down against changes, and moved frequently to avoid discovery. After each move, the web injects are updated to link to the new location."

In addition, the attacks up the ante on evasive maneuvers. According to the report, code customization that includes rootkits for the client-side malware and encrypted links helps hide the criminal attack process and avoid antivirus scans. "And some of the web servers move dynamically so that blacklisting and reputation-centric technologies are not effective." The report says the techniques used are "a significant breakthrough for the fraudsters" because they represent the "defeat of two-factor authentication that uses physical devices."

The report goes on to state: "We are working to assess and improve the defenses at McAfee and Guardian Analytics financial service customers. This attack should not be successful where companies have layered controls and detection software correctly. We are working to map out appropriate security configurations, such as activation of real-time threat intelligence on client hosts and use of hardware-assisted security to defeat evasive malware."

The report points to the need for anomaly-detection software and strengthening of endpoint controls for consumers. But Operation High Roller was "successful," the security firms acknowledge. "Our research found attacks succeeding in the most respected financial institutions, as well as the small, specialized credit unions and regional banks that may have felt they presented too paltry a target."
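The report's recommendation of anomaly detection can be made concrete. What follows is an added illustration written for this article, not detection logic from McAfee, Guardian Analytics or any bank: a small rule-based scorer run over constructed transfer records that keys on the indicators the article describes, namely transfers amounting to a large fraction of the balance, first-time beneficiaries in countries the account has never paid, and many distinct accounts transacting from one source address inside a short window, which is what server-side automation looks like from the bank's side once the log-in itself comes from the fraudster's server rather than the victim's PC. The account IDs, beneficiary names, IP addresses, balances and thresholds are all hypothetical.

```python
"""Rule-based anomaly scoring for outbound bank transfers.

Added example (not from the "Dissecting Operation High Roller" report).
Flags a transfer when at least FLAG_MIN_REASONS of these indicators fire:
  - amount is a large fraction of the account balance,
  - beneficiary never paid before, and/or in a country never paid before,
  - source IP driving transfers for many distinct accounts in a short window.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transfer:
    ts: datetime
    account: str
    src_ip: str       # address the banking session came from
    beneficiary: str
    country: str
    amount: float
    balance: float    # account balance before the transfer

# Hypothetical thresholds; the article cites attempts of 50%-80% of balance.
BALANCE_RATIO_THRESHOLD = 0.5
SHARED_SOURCE_WINDOW = timedelta(minutes=10)
SHARED_SOURCE_MIN_ACCOUNTS = 3
FLAG_MIN_REASONS = 2

def shared_source_counts(transfers, window=SHARED_SOURCE_WINDOW):
    """Max number of distinct accounts seen from each source IP within `window`."""
    counts = {}
    for t in transfers:
        accounts = {u.account for u in transfers
                    if u.src_ip == t.src_ip and abs(u.ts - t.ts) <= window}
        counts[t.src_ip] = max(counts.get(t.src_ip, 0), len(accounts))
    return counts

def score_transfer(t, known_payees, shared_counts):
    """Return the list of indicator names that fire for one transfer."""
    reasons = []
    if t.balance > 0 and t.amount / t.balance >= BALANCE_RATIO_THRESHOLD:
        reasons.append("large_fraction_of_balance")
    payees = known_payees.get(t.account, set())
    if (t.beneficiary, t.country) not in payees:
        reasons.append("new_beneficiary")
        if t.country not in {c for _, c in payees}:
            reasons.append("new_country")
    if shared_counts.get(t.src_ip, 0) >= SHARED_SOURCE_MIN_ACCOUNTS:
        reasons.append("shared_source_many_accounts")
    return reasons

def analyze(transfers, known_payees):
    """Score every transfer; return (account, beneficiary, reasons) for flagged ones."""
    shared = shared_source_counts(transfers)
    flagged = []
    for t in transfers:
        reasons = score_transfer(t, known_payees, shared)
        if len(reasons) >= FLAG_MIN_REASONS:
            flagged.append((t.account, t.beneficiary, reasons))
    return flagged

# Constructed history: (beneficiary, country) pairs each account has paid before.
KNOWN_PAYEES = {
    "ACC-001": {("Supplier GmbH", "DE")},
    "ACC-002": {("Payroll Ltd", "DE"), ("Clearing BV", "NL")},
    "ACC-003": {("Lieferant AG", "DE")},
    "ACC-004": {("Office Supplies", "DE")},
}

# Constructed batch: two ordinary transfers, then three accounts drained from
# one source address within a few minutes to new payees in PT, GR and GB.
T0 = datetime(2012, 3, 15, 9, 0)
SAMPLE_TRANSFERS = [
    Transfer(T0, "ACC-001", "203.0.113.10", "Supplier GmbH", "DE", 4_200.0, 310_000.0),
    Transfer(T0 + timedelta(minutes=1), "ACC-004", "203.0.113.22", "New Contractor", "DE", 1_500.0, 90_000.0),
    Transfer(T0 + timedelta(minutes=2), "ACC-001", "198.51.100.7", "J. Silva", "PT", 205_000.0, 310_000.0),
    Transfer(T0 + timedelta(minutes=3), "ACC-002", "198.51.100.7", "K. Papadakis", "GR", 480_000.0, 600_000.0),
    Transfer(T0 + timedelta(minutes=4), "ACC-003", "198.51.100.7", "A. Brown", "GB", 330_000.0, 510_000.0),
]

if __name__ == "__main__":
    for account, beneficiary, reasons in analyze(SAMPLE_TRANSFERS, KNOWN_PAYEES):
        print(f"FLAG {account} -> {beneficiary}: {', '.join(reasons)}")
```

The second sample transfer (a small payment to a new domestic contractor) fires only one indicator and is not flagged, which is the point of requiring two: any single rule on its own generates too many false positives. The shared-source rule is the one that a server-side campaign cannot easily avoid, since the session really does originate from the fraudster's server, but the report notes those servers are moved frequently, so it should be paired with the per-account rules rather than relied on alone.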

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
