November 14, 2012
Operation High Roller, a financial Internet fraud attack, is using a new version of SpyEye malware to target a major U.S. multinational financial institution. In this attack, the cybercriminals have set up an automated transfer system (ATS) to siphon money from individual bank accounts. Although fraudsters have routinely used an ATS against European financial institutions, this is the first time one has been used against a U.S. target.
One clever aspect of this attack is its ability to target both business and retail banking within the same framework — selectively targeting and compromising consumer and business banking users. This new attack conducts fraudulent transactions in much the same way as the original Operation High Roller attacks:
McAfee Labs researchers analyzed the SpyEye “webinject” (packaged commercial functions created by SpyEye developers) that was used in the attack. This webinject appears to be a hybrid version that uses both local and remote components to conduct financial fraud.
Intercepting SMS codes is a common way to bypass out-of-band authentication. SMS codes are also used by some banks to validate new devices, such as when a customer uses a new computer to access online banking. This powerful new technique allows attackers to enroll a remote transaction server with online banking. We expect the use of this technique to increase.
Dynamically hiding the evidence