McAfee and Guardian Analytics have revealed the results of a months-long study that uncovered a global financial services cyber-crime operation. "Operation High Roller" targeted the online banking accounts used by high-net worth individuals and companies.
The attacks ranged from the EU, to Latin America, and most recently to the U.S. All sizes of banks were targeted, from global institutions to local credit unions. As for the size of the thefts: "the total attempted fraud could be as high as €2 billion."
Initially, the infection pattern seen in Europe was similar to other SpyEye and Zeus fraud activities, but performed hands-free, automated transactions. This is the standard flow:
• The email contains a disguised link. When the victim clicks the link, they visit a web page that starts a malicious sequence:
– The page contains a blackhole exploit kit or other similar framework. The kit will look for an appropriate vulnerability in the victim’s browser, and upon finding one, will load exploit scripts that compromise the victim’s computer.
– The exploit script installs a Downloader Trojan.
– The Downloader Trojan then will install SpyEye or Zeus on the victim’s device.
• The fraud process starts when the account holder subsequently attempts to log into his account from the infected computer
• The injected script takes control of the session and contacts the fraudsters’ server for specific instructions. It may insert content within the session, such as a transaction field or error message. For example, as the victim logs in, he may be asked to answer a security question and get an error. The error message creates the delay that allows the fraudster’s software to perform the transaction.
• At this point the victim has not actually authenticated and typically is stalled with a “please wait” message for about 60 seconds (see Figure 4).
• If during the automated attack, the financial institution requests a transaction authorization number (TAN), the fraudsters’ client-side web injection displays a fake TAN page to the victim and the malware proceeds as follows:
– The malware collects the TAN from the victim’s screen and presents the authentic TAN to the financial institution to enable the fraudulent transaction, while delaying the victim from accessing their account.
– The malware uses the intercepted credentials to initiate a silent, separate transaction to a mule account (either individual or business) or in one case, a prepaid debit card.
– The malware looks up a valid mule account from a separate database, automating a traditionally manual step in the process. The transaction is performed in a hidden iFrame, a parallel instance of the online banking session on the client that operates in the background. The code navigates to the transaction page and initiates an automated form submission that adds the mule information.
• The user is allowed to proceed with the session
• The mule withdraws the money and converts it to a Western Union or Liberty Reserve payment that he remits to the fraudster. The mule retains a small percentage of the take, and the money is untraceable within a few days.
• To conceal the theft, the malware will stay resident in memory on the victim’s computer. It will alter the victim’s bank statement to show a false balance, remove line items associated with the transaction, and block printing of statements that would show the true account balance and transaction sequences.
Put simply, don't click on any email you don't have 100 percent confidence in. Even one from me.