Guardian Analytics and McAfee have released a report on a new breed of sophisticated, global fraud attacks that leverage cloud-based servers, extensive automation and sophisticated knowledge of how the banking industry works. The attacks, which have been underway for approximately one year, target business-to-business transactions, as well as high-balance banking consumers.
“This is a system designed by people who understand banking platforms, banking software, and understand how transactions really work,” said David Marcus, Director of Advanced Research and Threat Intelligence at McAfee. “They know how to make transactions look non-fraudulent. Clearly, these people have an insider's level of understanding.”
McAfee and other security firms have already targeted the malware, which should be easily blocked or identified via scan, he said. But there are also actions that can be taken by the channel to better protect their customers.
“I think there's a tremendous opportunity for the channel to do hot health checks,” Marcus said. “A lot of people will go out and buy technologies and services, but they won't spend enough time during the health checks and configurations that the channel partners are very good at. So I think there's an opportunity to do that kind of custom work to make sure that they are adequately covered. They can configure the technologies specific to the environment.”
Through their effort, known as Operation High Roller, the two companies identified customized versions of SpyEye, Zeus and Ice 9 within the malware. The threat can execute sophisticated web injections to the infected host, adding new data, screen shots and other fraudulent information that looks like it’s coming from the bank, itself. Authentication, in this case, does not provide any protection because the user is duped into performing proper authentication, whether that be via usernames, passwords or even two-factor authentication components.
NEXT: Looks Legitimate to Bank, UserBanks targeted so far have been located in Europe, Latin America and the United States. According to the report, more than $1 billion in fraud has been attempted, but only $50 million to $70 million worth of transactions have been successful. Marcus says the data is unclear as to why some attacks succeed and others fail, but because the attempts are fully automated, the criminals would not need to waste time on the failures. When successful, the money is transferred to a variety of different locations, both within the United States and outside the U.S.
“You can essentially have parallel transactions going on, without even knowing it,” explained Marcus. “The web injection can even manipulate the browser so that the amount of money listed on the account does not reflect the stolen funds. And from the banks point of view, it doesn't really look like fraud because the user is logged in and it appears to be doing things of their own volition. The criminals have moved from multipurpose botnet servers to using servers purpose-built and dedicated to processing fraudulent transactions.”
Marcus added that the investigation is currently wrapping up the first phase of the research and documenting the flow of the money, identifying the servers and the mule accounts, and working with the infected institutions and users, as well as law enforcement authorities.
PUBLISHED JUNE 26, 2012