"High roller" fraud campaign persists, origin revealed

Share this article:

Researchers tracking a campaign targeting high-net worth businesses and individuals in the United States and the Netherlands now believe the attackers are operating from servers in Russia, Albania and China to carry out electronic funds transfers.

In June, researchers at McAfee and Guardian Analytics published findings on the racket, dubbed “Operation High Roller," which delivers Zeus and SpyEye variants using automated techniques. McAfee has now followed up with a new study released last Tuesday, giving insight on the origin of the attacks, which in some cases resulted in the attempted transfer of up to $130,000.

New findings suggest that scammers linked to the ring used automated transfer tactics dating back to late 2011 to steal money from European banks. 

Ryan Sherstobitoff, a researcher at McAfee and author of the report, said the campaign originated on a server hosted in Kemerovo, Russia. The hosting provider was also connected to servers in Albania and China. 

“These campaigns, like many other attempts at fraud, originated in Eastern Europe, so it is not surprising that the actors had an extensive history of Zeus and SpyEye [trojan] activity,” Sherstobitoff wrote in the report. “These fraudsters planned these campaigns for some time and actively participated in other criminal activity long before Operation High Roller was conceived.”

He added that the initial fraud victims were likely the “test ground” for attackers wanting to refine their schemes.

The attack method first compromises victims through phishing, before launching a man-in-the-browser assault to steal credentials to login to accounts on banking sites. Attackers, who were already capable of beating authentication controls like chip-and-PIN safeguards, have made their tactics more advanced by using a complex network of servers and numerous strains of banking trojans.

While the fraudsters' goals are to target any entity or individual with a high cash flow, new research found that there has been a prevalence of manufacturing, import and export businesses, and state and local governments falling victim to the attacks. 

Crooks prefer the electronic payments system --particularly the Automated Clearing House (ACH), which is used by businesses for things like direct deposits -- to drain bank accounts.

Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazine.com in a Friday that that ACH fraud is often initiated through socially-engineered email ruses or sometimes by a simple phone call, if scammers are bold enough to do so. 

"They tend to target high-value accounts," Litan said. "They will also do some social engineering to target certain bank employees assigned to private banking clients. They are familiar with the person's voice. Sometimes they may email pretending to be the wealthy individual who's in a hurry." 

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.