Operation High Roller: U.S. Is Now a Target

14 November 2012

Operation High Roller, a financial Internet fraud attack, is using a new version of SpyEye malware to target a major U.S. multinational financial institution. In this attack, the cybercriminals have set up an automated transfer system (ATS) to siphon money from individual bank accounts. Although fraudsters have routinely used an ATS to unlock European financial institutions, this is the first time it has been used against a U.S. target.

One clever aspect of this attack is its ability to target both business and retail banking within the same framework — selectively targeting and compromising consumer and business banking users. This new attack conducts fraudulent transactions in much the same way as the original Operation High Roller attacks:

  • It seamlessly hides the bogus transactions from the victim’s browser, while cybercriminals siphon money behind the scenes using the financial institution’s server.
  • Minimal components reside on the victim’s PC — only operations such as balance replacement and transaction hiding, which can’t run on the server.
  • A JavaScript function collects the necessary information from the victim and relays it to the transaction server. This tactic allows the fraudster to use a bank’s two-factor authentication to avoid many types of fraud detection.

McAfee Labs researchers analyzed the SpyEye “webinject” (packaged commercial functions created by SpyEye developers) that was used in the attack. This webinject appears to be a hybrid version that uses both local and remote components to conduct financial fraud.

  • As with previous attacks, the fraudulent transactions are hidden from the victim.
  • It uses a local component installed on the victim’s PC to bypass short message service (SMS) out-of-bound authentication (used to enroll a new device for access to online banking). This is a significant variation from other campaigns.

Intercepting SMS code is a common way to bypass out-of-bound authentication. It is also used by some banks to validate new devices, such as when a customer uses a new computer to access online banking. This powerful new technique allows attackers to enroll a remote transaction server with online banking. We expect to see the use of this technique to increase.

Dynamically hiding the evidence
Although most European ATS systems hide their evidence on the victim’s computer after the attack occurs, the U.S. variant uses JavaScript code on the victim’s computer to hide the transactions as they are being performed on the server. It dynamically grabs data from the transaction server to feed to other functions that will erase the evidence. The victim will not see the funds deducted from the account nor will they see a transaction being performed by the server.