Cloud-based fraud scheme targeting banks

June 27, 2012

Fraudulent transfers on a cloud-based system have helped cybercriminals steal between $75 million and $2.5 billion, according to a report from a security company that studied the criminal ring. Originating in Europe before spreading to the United States and Latin America, the ring is international in scope and has been under investigation by web security specialists and law enforcement for at least the last six months.

The investigating team, which dubbed the scheme "Operation High Roller" because of the accounts it targets, discovered 60 servers attempting thousands of fraudulent transfers. While many were for amounts under $10,000, the largest totalled $130,000. Most of the accounts held an average of between $300,000 and $600,000.

High sophistication
The investigation raised concerns about the use of advanced technology: although investigators were able to track the network through its servers, the security of the criminals' identities in the cloud appears to have remained unaffected. Because the attacks were automated and moved widely, it was apparent to investigators that cloud computing capabilities were being used.

"The automated nature of these attacks really require that kind of server/cloud functionality," the director of the lab working on "Operation High Roller" told Network World. "It can't all take place on the host [computer]. All of the logic and all of the sophistication really does reside on that [cloud] server."

Insider knowledge
While the use of the cloud represents a high level of attack sophistication, the cybercriminals' knowledge of electronic banking transactions dumbfounded the researchers. Although the report notes that now-commonplace malware building blocks like Zeus and SpyEye were used, the coding was further customized for each bank.

What showed the investigative team that they were dealing with highly sophisticated criminals was the scammers' ability not just to bypass the data protection in place on the systems, but to make the entire system believe that the entire transfer was legitimate.

"You can't make a fraudulent transaction look like a valid transaction if you don't know what you are doing," the lab director told Network World. "And these guys knew what they were doing."

Using the malware, the criminals were able to steal the necessary information and perform the transfers using web-injects launched while the victims were on the banks' websites. Control servers performing the actual transfers were capable of bypassing the two-factor authentication requirements; the report notes that it was the first known case of fraud to do so.

-McAfee Cloud Security