Innovations introduced by Operation High Roller include bypasses for physical “chip and pin” authentication, automated “mule” account databases, server-based fraudulent transactions, and attempted transfers to mule business accounts as high as $130,000, wrote David Marcus, director of advanced research and threat intelligence at McAfee, in a blog.
“These guys are going after high-balance consumers and business-to-business banking transactions”, Marcus said in an interview with Infosecurity. So far the criminals have stolen at least $60 million based on confirmed transactions, but that number could be as high as $1 billion based on attempted transactions, he added.
Marcus explained that the cybercriminals are using a “server-centric” attack model. “Up until recently, most of the actual [fraudulent] transaction took place on the infected client….This has transitioned to these automated transaction servers existing somewhere out in the cloud. So a lot of the functionality has gone away from the infected client to the cloud-based servers”, he said.
The McAfee researcher said that the use of the cloud for fraud is a “natural evolution” for cybercriminals.
“Utilizing a server in a remote location is beneficial for a lot of reasons. You can maintain your code in the cloud, you can be stealthful with it, you stand less of a chance of being identified when you are doing stuff from a server, as well as the fact that you are not worried about the client getting cleaned up or detected because you can just point something new to your cloud server”, he related.
To avoid becoming a victim of these attacks, Marcus advised individuals to educate themselves about phishing and spearphishing attacks, particularly how to recognize fraudulent emails. In addition, individuals should make sure that their devices and networks are properly protected. Banks should look at implementing backend anomaly and fraud detection technologies, he added.
Commenting on the report, Marcus Carey, security researcher with Rapid7, said: “The fact the attackers have already compromised thousands of users allowed them to study the banking website’s authentication methods. Once an end-user is compromised, all bets are off when it comes to authentication, so the fact the attackers were able to circumvent two-factor authentication should not come as a huge surprise. I have always maintained that two-factor authentication is beaten as soon as an end system is compromised.”