Sophisticated bank fraud attempted to steal at least $78 million
McAfee and fellow security firm Guardian Analytics released a report
today that detailed a sophisticated type of bank fraud that originated
in Italy and spread globally, initiating the transfer of at least $78
million from around 60 financial institutions. Banks in the Netherlands
were hit the hardest, with fraudsters attempting to transfer over $44
million worth of funds.
The security firms said the attack was unique because it featured
both off-the-shelf and custom malicious code to break into the banks'
systems. The firms suggested that the creators of the code knew a lot
about internal banking transactions, calling the operation "organized
McAfee and Guardian called their investigation "Operation High
Roller" because the fraudsters targeted high-worth individuals and
businesses to disguise illegal transfers that were much larger than
those in usual bank fraud. Some attempted transfers reached as high as
$130,000 (McAfee does not mention whether the transfers were successful
or not). As the investigation continued, researchers found that the method
used by the criminals evolved slightly with each incarnation, making it
a little more adaptable to each new banking system.
"While at first consistent with other client-based attacks we have
seen, this attack showed more automation. Instead of collecting the data
and performing the transaction manually on another computer, this
attack injected a hidden iFRAME tag and took over the victim’s
account—initiating the transaction locally without an attacker’s active
participation," the Operation High Roller white paper
(PDF) read. In Italy, "the code used by the malware looked for the
victim’s highest value account, looked at the balance, and transferred
either a fixed percentage (defined on a per campaign basis, such as
three percent) or a relatively small, fixed €500 amount [roughly
$625] to a prepaid debit card or bank account."
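A defender-side heuristic for the transfer logic the report describes (drain the customer's highest-value account by a fixed percentage or a fixed €500, sent to a payee the customer has not used before). This is an added example, not code from McAfee or Guardian Analytics; the account, payee and transfer records are constructed, and the 0.2% match tolerance and the "new payee" condition are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Account:
    customer: str
    account_id: str
    balance: float

@dataclass
class Transfer:
    customer: str
    from_account: str
    amount: float
    payee: str

def flag_transfer(t, accounts, known_payees, pct=0.03, fixed=500.0, tol=0.002):
    """Reason string if the transfer matches the pattern, else None.
    pct/fixed mirror the report's 3 percent / EUR 500; tol is assumed slack."""
    mine = [a for a in accounts if a.customer == t.customer]
    if not mine:
        return None
    richest = max(mine, key=lambda a: a.balance)
    if t.from_account != richest.account_id:
        return None  # pattern drains the customer's highest-value account
    if t.payee in known_payees.get(t.customer, set()):
        return None  # payee already used by this customer, not a new mule card
    if abs(t.amount - fixed) < 0.005:
        return "fixed-amount transfer to new payee"
    if richest.balance > 0 and abs(t.amount / richest.balance - pct) <= tol:
        return "percentage-of-balance transfer to new payee"
    return None

def scan(transfers, accounts, known_payees):
    """Run flag_transfer over a batch; returns (transfer, reason) pairs."""
    hits = []
    for t in transfers:
        reason = flag_transfer(t, accounts, known_payees)
        if reason:
            hits.append((t, reason))
    return hits

# Constructed sample data (not taken from the report).
ACCOUNTS = [Account("alice", "ALICE-SAV", 120000.0),
            Account("alice", "ALICE-CHK", 4200.0),
            Account("bob", "BOB-CHK", 9800.0)]
KNOWN_PAYEES = {"alice": {"utility-co"}, "bob": set()}
TRANSFERS = [Transfer("alice", "ALICE-SAV", 3600.0, "prepaid-card-7781"),  # 3% of 120k
             Transfer("alice", "ALICE-CHK", 500.0, "prepaid-card-7781"),   # not highest acct
             Transfer("bob", "BOB-CHK", 500.0, "mule-acct-01"),            # fixed 500
             Transfer("alice", "ALICE-SAV", 3600.0, "utility-co")]         # known payee
```

Running `scan(TRANSFERS, ACCOUNTS, KNOWN_PAYEES)` flags the first and third transfers and leaves the other two alone.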
Eventually, the money launderers were able to simulate a two-factor
authentication. Where the victim would have to use a SIM card to
authenticate a transfer in the system, the thief's system was "able to
capture and process the necessary extra information, representing the
first known case of fraud being able to bypass this form of two-factor
Two months later, in the Netherlands attack, the criminals found that
they could get around security and monitoring tools by enabling
transfers on the server side of the bank accounts. In one instance, the
servers automating the attacks were located in Brea, California, while a
criminal was observed logging in from Moscow, Russia.
McAfee report