Late last month, Guardian Analytics and McAfee Labs released the joint report “Dissecting Operation High Roller,” which details a new breed of sophisticated fraud attack. Unlike previous attacks using Zeus and SpyEye, these new tactics use server-side components and heavy automation to bypass traditional network security.
New Heights in Heists: What’s New Compared to SpyEye and Zeus?
Extensive Automation – While most Zeus/SpyEyes attacks rely on active participation by the fraudster to process a fraudulent transfer, most of the High Roller attacks were completely automated. This allows for repeated thefts once the system has been launched at a given bank.
Server-side Automation – Operation High Roller also adopted sophisticated server-side automation to conceal how the system interacts with online banking platforms. By moving fraudulent transaction processing from the client to a fraudster’s protected server, activity becomes more difficult to detect.
Rich Targets – The United States victims were all companies with accounts with a minimum balance of several million dollars (hence the name, Operation High Roller). Most of these victims were found through online reconnaissance and spear phishing.
Automated Bypass of Two-Factor Physical Authentication – The malware discovered within Operation High Roller is the first to work around the “smartcard/physical reader + PIN” combination of two-factor authentication. Normally, a victim inserts a smartcard into a reader device and enters a PIN, generating a digital token to authorize the transaction. The Operation High Roller attacks are able to generate an authentic simulation of this process during login to capture the token, using it to validate the transaction later in the online banking session.
Fraudsters Know the Banking Industry – The bad guys behind Operation High Roller clearly knew what they were doing as they carefully navigated around the regulatory triggers of bank fraud detection. For example, automated transactions were set to check the balance and not to exceed a fixed percentage of the account value.
The Future of Finance and Network Security
The Operation High Roller attacks hold implications for banks of all sizes, as targets ranged from some of the most respected financial institutions to small credit unions and regional banks. Moving forward, the finance industry should anticipate more automation, obfuscation and increasingly creative forms of fraud.
However, there are fraud prevention solutions that have been proven effective, even against the attacks documented in Operation High Roller. Anomaly detection solutions like those integrated into the McAfee Network Security Platform have been proven to detect the widest array of fraud attacks, including manual and automated schemes, as well as well-known and newly emerging techniques.
Share your thoughts on this topic in the comments below, and be sure to follow @IntelSec_Biz on Twitter for the latest updates on McAfee news and events.