Researchers have exposed a fraud ring that uses enhanced variants of the SpyEye and Zeus toolkits to target the customers carrying high balances at smaller banks.
Dubbed "Operation High Roller," the campaign relies on novel automated, server-side tactics to transfer as much as $130,000 from boutique financial institutions to accounts set up by money mules, according to a report authored by McAfee and Guardian Analytics.
In addition, the techniques enable the bypass of chip-and-PIN and other two-factor authentication controls.
While Europe has seen a majority of the attacks, the report states that the pernicious activity is spreading to the United States and Latin America.
The malicious software works in two phases, said Brian Contos, senior director of vertical and emerging market solutions at McAfee. The first phase compromises a user's computer through a phishing attack.
Once victims attempt to login to their bank account, the credentials are swiped via a man-in-the-browser-style attack. Users are then issued a “system under maintenance” message, keeping them locked out for an extended period of time while the attackers transfer their funds. Even if customers are using additional authentication controls, such as chip-and-PIN, which is popular in Europe, they are out of luck.
"Normally, the victim inserts a smart card into its reader device and enters a PIN into the device," the report said. "The bank's system generates a digital token based on the data contained on the physical smart card, authorizing a transaction. [But this] malware defeats this authentication by generating an authentic simulation of this process during login to capture the token. To allay suspicion, the script collects the token as the user logs in, rather than during the transfer authorization process. It then transfers the digital token to validate the transaction later in the online banking session while the user is stalled with a 'Please Wait' message."
Phase two of the attack is what makes it even more unique, Contos said. According to the report, the miscreants have leveraged up to 60 malicious, cloud-based servers to initiate the transactions, rather than performing them directly from the user's compromised machine.
Most of the malicious servers are hosted by so-called bulletproof ISPs (internet service providers), which are lenient and thus preferred by cyber crooks, Contos said.
“These are service providers in other countries that are not friendly to law enforcement," he said.
Instead of emptying accounts all at once, the sophisticated software funnels smaller amounts automatically, so not to trigger any red flags, Contos said.
“They try and stay just under three percent of the person's net worth because that's a limit they feel they can operate under,” he said.
To further hide the criminal activity, the hackers alter bank statements, leaving the victims clueless to the transactions.
Although the malware automatically siphons set amounts of money, Contos said that in some cases the attackers have manually logged on and tried to transfer up to 80 percent of the accounts' value.
Researchers are working with international law enforcement organizations to thwart the attacks, the study said. Contos said he believes that the campaign is still active today.