Fraudsters who launched a campaign to target high-value bank accounts have begun exploiting the Single Euro Payments Area (SEPA) system to con victims.
Similar to the United States' Automated Clearing House (ACH) electronic payment system, which perpetrators of “Operating High Roller” also abused earlier this year to commit fraud, SEPA streamlines fund transfer processes among European banks.
Researchers at McAfee published findings on the fraud ring in June, and found that attackers were using Zeus and SpyEye to intercept wire transactions throughout European banks in late 2011. High-net worth business and personal accounts in the United States and the Netherlands were eventually targeted as well, according to an October report.
The latest analysis shows that attackers have tried to carry out fraudulent SEPA transactions at two banks in Germany, Ryan Sherstobitoff, threat researcher at McAfee, told SCMagazine.com Tuesday.
“The goal of SEPA is to simplify transborder transactions, so it makes sense for them to target it since they can [get] larger transfers without the typical complexities of intercepting a wire transfer,” Sherstobitoff said.
Attackers have coded the malware so that when users login to targeted banking sites, they see a “please wait” message, which leads them to believe their settings are being updated. While victims wait to access the banking site, a remote server logs in to their account and initiates a SEPA transaction.
“The next time the victim logs in, [the web inject] alters the balance to avoid showing them that money has been deducted from the account,” Sherstobitoff said.
Fraudsters attempted to transfer €61,000, or around $78,000, to mule accounts through fraudulent SEPA requests, according to log files McAfee retrieved from one targeted bank.