Zeus-Inspired Malware Targeting Cloud-Based Banking Transactions

Hackers have implemented a sophisticated malware variant to siphon large amounts of money from businesses conducting online transactions, according to a joint report by McAfee and Guardian Analytics.

The malware, named "High Roller" after the high-profile targets it goes after, was created using many of the same techniques used in the formation of the Zeus and SpyEye worms, including implementing "a familiar core of Web injects code." However, according to the report, titled "Dissecting Operation High Roller," what makes this particular worm unique is the amount of automation used during the thefts.

"In contrast, although there can be live intervention in the most high-value transactions, most of the High Roller process is completely automated, allowing repeated thefts once the system has been launched at a given bank or for a given Internet banking platform," according to the report. "For example, before it does the transfer, the code looks up account information from an 'active mule account' database so that the 'drop' information is always current."

According to David Marcus, McAfee's director of Advanced Research and Threat Intelligence, malware that uses automation in its operation would not be possible without the spread of cloud-based technology.

"The advanced methods discovered in Operation High Roller show fraudsters moving toward cloud-based servers with multifaceted automation in a global fraud campaign," wrote Marcus in a blog post.

After finding its desired target (accounts with an average of $300,000 to $600,000), the worm instigates transfers of over $100,000 to a dummy account. While the exact amount this scam has stolen is unknown, McAfee estimates it is between $75 million and $2.5 billion.

Those individuals responsible for the malware have extensive experience on how the financial sector operates, along with considerable knowledge of cloud-based systems, according to McAfee.

The report said this malware, operated by unknown individuals, has been in the wild for over a year, with the majority of its targets in Europe. However, researchers said it has recently moved overseas and is now increasing activity in Latin America and North America.

Banking institutions that have taken a more active role in security efforts are more protected from attack than those with a "slow and disjointed 'white hat' detection system," according to McAfee.

"As this report shows with the evolution from client-side to server-side attacks, fraudsters will evolve their model to move a majority of the fraud logic to the server," said the report.

McAfee and Guardian Analytics recommend that banking institutions apply a tested anomaly detection solution that can monitor for both manual and automated attacks since the attackers have been changing their tactics with this malware.
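As an added example, not code from the report or from McAfee, the following Python sketch shows what such an anomaly check could look like over constructed transaction records: it scores the High Roller pattern the article describes (a transfer of over $100,000 from a high-balance account to a first-seen payee) separately from an automation signal (a transfer submitted seconds after login), so that both the automated and the manual "live intervention" variants are caught. The thresholds, field names and sample data are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

HIGH_BALANCE = 300_000     # page: targeted accounts averaged $300,000-$600,000
LARGE_TRANSFER = 100_000   # page: transfers of over $100,000 to a dummy (mule) account
AUTOMATION_SECS = 5        # assumption: a human rarely logs in and submits a transfer this fast


@dataclass
class Transfer:
    account: str
    balance: float
    amount: float
    beneficiary: str
    secs_since_login: float  # time from session start to transfer submission


def score_transfer(t: Transfer, known_payees: Dict[str, Set[str]]) -> List[str]:
    """Return the reasons a transfer looks anomalous; an empty list means clean.
    known_payees maps each account to the beneficiaries it has paid before."""
    reasons = []
    first_seen = t.beneficiary not in known_payees.get(t.account, set())
    if t.balance >= HIGH_BALANCE and t.amount > LARGE_TRANSFER and first_seen:
        reasons.append("large transfer from high-balance account to first-seen payee")
    if t.secs_since_login < AUTOMATION_SECS:
        reasons.append("submitted faster than a manual session plausibly allows")
    return reasons


def detect(transfers: List[Transfer], known_payees: Dict[str, Set[str]]):
    """Run every transfer through the rules and collect (account, reasons) for hits."""
    hits = []
    for t in transfers:
        reasons = score_transfer(t, known_payees)
        if reasons:
            hits.append((t.account, reasons))
    return hits


# Constructed payee history and session records, not real bank data.
KNOWN_PAYEES = {"ACC-1": {"PAYROLL-CO"}, "ACC-2": {"SUPPLIER-A", "SUPPLIER-B"}}
SAMPLE = [
    Transfer("ACC-1", 450_000, 120_000, "MULE-7781", 1.8),    # automated: both rules fire
    Transfer("ACC-2", 520_000, 25_000, "SUPPLIER-A", 140.0),  # routine payment, not flagged
    Transfer("ACC-3", 600_000, 250_000, "MULE-2210", 210.0),  # manual "live intervention" case
]

if __name__ == "__main__":
    for account, reasons in detect(SAMPLE, KNOWN_PAYEES):
        print(account, "->", "; ".join(reasons))
```

In a real deployment the payee history would come from the bank's own transaction store and the thresholds would be tuned per customer segment rather than fixed.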

About the Author

Chris Paoli is the site producer for and

Reader Comments:


Fri, Jun 29, 2012 ibsteve2u Commonwealth of Pennsylvania

It is important that you believe the idea of worms running rampant amongst the institutions which define the difference between a billion made on the second and a billion made on the millisecond.

Of course it was worms...external threats...not patterns of behavior such as LIBOR manipulation...that cost the many so much...not uniquely targeted financial instruments such as CDOs...

Of course the masters of high-frequency trading could not themselves be at fault...of course they could not detect theft over aeons of computational time....

Of course a pattern of arrogance itself enabled by the media's willingness to report precisely what the financial institutions feed them has nothing to do with the mysteriously vulnerable - yet most secure and accurate - computational systems in the world....

Of course any losses are not the fault of the institutions - the people, that is, who hide behind the facade of corporation-as-person - themselves....

Of course...

Fri, Jun 29, 2012

is pretty easy. Just check out this gal...does it get any easier? Apparently all you have to do is tell the government they should give you 2.1 million and they do.

Fri, Jun 29, 2012 Skeldgard

So nice that we can count on the cooperation of all the (almost certainly) foreign banks where these sudden, fat transfers end up to help us catch these criminals. They think they're "protecting the privacy of our customers"--until there's some tiff and the criminals switch institutions and turn on their previous banks. What's that old tale about the frog and the scorpion...?
