Researchers tracking a campaign targeting high-net worth businesses and individuals in the United States and the Netherlands now believe the attackers are operating from servers in Russia, Albania and China to carry out electronic funds transfers.
In June, researchers at McAfee and Guardian Analytics published findings on the racket, dubbed “Operation High Roller," which delivers Zeus and SpyEye variants using automated techniques. McAfee has now followed up with a new study released last Tuesday, giving insight on the origin of the attacks, which in some cases resulted in the attempted transfer of up to $130,000.
New findings suggest that scammers linked to the ring used automated transfer tactics dating back to late 2011 to steal money from European banks.
Ryan Sherstobitoff, a researcher at McAfee and author of the report, said the campaign originated on a server hosted in Kemerovo, Russia. The hosting provider was also connected to servers in Albania and China.
“These campaigns, like many other attempts at fraud, originated in Eastern Europe, so it is not surprising that the actors had an extensive history of Zeus and SpyEye [trojan] activity,” Sherstobitoff wrote in the report. “These fraudsters planned these campaigns for some time and actively participated in other criminal activity long before Operation High Roller was conceived.”
He added that the initial fraud victims were likely the “test ground” for attackers wanting to refine their schemes.
The attack method first compromises victims through phishing, before launching a man-in-the-browser assault to steal credentials to login to accounts on banking sites. Attackers, who were already capable of beating authentication controls like chip-and-PIN safeguards, have made their tactics more advanced by using a complex network of servers and numerous strains of banking trojans.
While the fraudsters' goals are to target any entity or individual with a high cash flow, new research found that there has been a prevalence of manufacturing, import and export businesses, and state and local governments falling victim to the attacks.
Crooks prefer the electronic payments system --particularly the Automated Clearing House (ACH), which is used by businesses for things like direct deposits -- to drain bank accounts.
Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazine.com in a Friday that that ACH fraud is often initiated through socially-engineered email ruses or sometimes by a simple phone call, if scammers are bold enough to do so.
"They tend to target high-value accounts," Litan said. "They will also do some social engineering to target certain bank employees assigned to private banking clients. They are familiar with the person's voice. Sometimes they may email pretending to be the wealthy individual who's in a hurry."