In June 2012, McAfee® Labs and Guardian Analytics released research on Operation High Roller that scratched the surface of a complex web of automated fraudulent transactions. In a follow-on study released today, we dig into and map out the details on the origins and actors. Placing the data in context shows how mature and creative these fraudsters have been and provides a baseline for researchers and security professionals on what to expect in the future.
The June report found evidence of millions of attempted transactions leveraging Zeus and SpyEye malware against financial institutions in the United States and the Netherlands. This new study documents the origin of these campaigns at a hosting provider in Kemerovo, Russia, with heavy connections to Albania and China. A key finding in our new research was that malicious infrastructure was reused in independent attacks. Both the starting point in Russia and a hosting provider in San Jose, California, have been involved in other Zeus botnet activity. Tracking these malicious activities can provide useful indications, “telltales,” of future events.
Prior to conceiving Operation High Roller, our data shows that the fraudsters actively participated in early automated transfer systems against consumers and some business accounts and actively used Zeus and SpyEye in these attacks. These initial efforts were likely their test ground to gain knowledge of financial systems and their various fraud prevention practices. After initial experimentation, these groups evolved to more sophisticated techniques. Many of them actively used automated transfer system code against numerous European banks in late 2011, followed by the Winter and Spring 2012 attacks we documented in our first Operation High Roller report.
Next stop: ACH
Financial institutions, regulators, and security researchers should expect the likely next target to be Automated Clearing House payment channels. The fraudsters will build on the methods, malware, and infrastructure employed in Operation High Roller, laced with new ideas and locations to be discovered. We should be looking for any signs of “test cases” against these systems and tracking interactions to uncover malicious sites and infrastructure.