Operation High Roller Linked to European and Asia-Pacific Attacks

14 November 2012

Automated transfer system (ATS) attacks are a global issue. The latest Operation High Roller attack, targeting a U.S. financial institution, has roots in earlier automated attacks in the European and Asia-Pacific regions.

With Operation High Roller attacks, hackers usually develop a single set of “webinjects” (packaged commercial functions created by cybercriminal developers) to be used in multiple campaigns. McAfee Labs researchers track these webinjects according to their unique attributes to determine if a variant is using a webinject from the same developer. Researchers can then search variations of the code to determine if there are similarities to other campaigns.

By analyzing similarities between Operation High Roller attacks, McAfee Labs researchers have determined that the latest attack can be linked to earlier automated attacks in the European and Asia-Pacific regions.

  • The latest attack targets a single U.S. bank and uses a transaction server hosted in Russia. Many previous attacks have used ATS hosts in Russia.
  • This campaign, targeting a U.S. financial institution, is not unique; it is related to campaigns with deep foundations in the European and Asia-Pacific regions.
  • Researchers can link this attack to earlier campaigns in Europe based on the appearance of a shared URL hosting the Ajax Cross Domain (ACD) script — a component that almost every automated attack we have seen uses.

By analyzing five previous financial fraud campaigns targeting European banks that used the same URL for the ACD link, McAfee Labs was able to determine that those attacks are related to the recent U.S. attack: they reused the same location to retrieve the ACD script, although with a different transaction-server URL. The same group also conducted similar automated attacks in Germany and Australia, as well as other campaigns in different regions of the world.
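The linking method described above (cluster campaigns on the URL they share for the ACD script, then note that each one points at its own transaction server) can be turned into a small attribution check. The following Python is an added example for this post, not McAfee Labs' tooling: the webinject fragments are constructed, the hostnames are placeholders, and the rule that a `.js` resource is the ACD script while any other URL is treated as a transaction-server endpoint is an assumption made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed webinject fragments standing in for samples recovered from
# several campaigns. The hosts are placeholders, not real infrastructure.
SAMPLES = {
    "campaign-us-1": """
        <script src="https://acd-host.example/js/acd.js"></script>
        var ats = "https://ats-ru.example/gate.php";
    """,
    "campaign-eu-1": """
        <script src="https://acd-host.example/js/acd.js"></script>
        var ats = "https://ats-eu1.example/in.php";
    """,
    "campaign-eu-2": """
        <script src="https://acd-host.example/js/acd.js"></script>
        var ats = "https://ats-eu2.example/cmd.php";
    """,
    "campaign-unrelated": """
        <script src="https://other-acd.example/lib/ajax.js"></script>
        var ats = "https://ats-x.example/gate.php";
    """,
}

# Matches an absolute http(s) URL up to the next quote, whitespace or tag bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(text):
    """Return the distinct absolute URLs embedded in a webinject fragment."""
    return sorted(set(URL_RE.findall(text)))


def classify(url):
    """Assumed role heuristic: a .js resource is the ACD script,
    anything else is treated as a transaction-server (ATS) endpoint."""
    return "acd" if urlparse(url).path.endswith(".js") else "ats"


def profile(text):
    """Split a fragment's URLs into the ACD script locations and ATS endpoints."""
    roles = {"acd": set(), "ats": set()}
    for url in extract_urls(text):
        roles[classify(url)].add(url)
    return {role: frozenset(urls) for role, urls in roles.items()}


def link_by_acd(samples):
    """Group campaign names by a shared ACD script URL.

    Only URLs that appear in more than one campaign are returned, since a
    unique URL links nothing."""
    groups = defaultdict(set)
    for name, text in samples.items():
        for url in profile(text)["acd"]:
            groups[url].add(name)
    return {url: sorted(names) for url, names in groups.items() if len(names) > 1}


def ats_hosts(samples, names):
    """Hostnames of the transaction servers used by the given campaigns,
    so an analyst can confirm that the linked campaigns each ran their own ATS."""
    hosts = set()
    for name in names:
        for url in profile(samples[name])["ats"]:
            hosts.add(urlparse(url).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    for acd_url, names in link_by_acd(SAMPLES).items():
        print(f"ACD script {acd_url} shared by: {', '.join(names)}")
        print(f"  transaction servers: {', '.join(ats_hosts(SAMPLES, names))}")
```

Run as a script it reports that three of the four constructed campaigns fetch the same ACD script while each talks to a different transaction server, which is exactly the pattern the post uses to tie the U.S. campaign to the earlier European ones; the unrelated sample drops out because its ACD URL is unique. On real data the role heuristic would be replaced by whatever the analyst already knows about the webinject layout.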

Cybercriminals will continue to use the techniques employed in Operation High Roller. Financial institutions and consumers need to remain vigilant against these attacks.