Zeus-Inspired Malware Targeting Cloud-Based Banking Transactions

Hackers have implemented a sophisticated malware variant to siphon large amounts of money from businesses conducting online transactions, according to a joint report by McAfee and Guardian Analytics.

The malware, named "High Roller" after the high-profile targets it goes after, was created using many of the same techniques used in the formation of the Zeus and SpyEye worms, including implementing "a familiar core of Web injects code." However, according to the report, titled "Dissecting Operation High Roller," what makes this particular worm unique is the amount of automation used during the thefts.

"In contrast, although there can be live intervention in the most high-value transactions, most of the High Roller process is completely automated, allowing repeated thefts once the system has been launched at a given bank or for a given Internet banking platform," according to the report. "For example, before it does the transfer, the code looks up account information from an 'active mule account' database so that the 'drop' information is always current."

According to David Marcus, McAfee's director of Advanced Research and Threat Intelligence, malware that uses automation in its operation would not be possible without the spread of cloud-based technology.

"The advanced methods discovered in Operation High Roller show fraudsters moving toward cloud-based servers with multifaceted automation in a global fraud campaign," wrote Marcus in a blog post.

After finding its desired target (accounts holding an average of $300,000 to $600,000), the worm initiates transfers of over $100,000 to a dummy account. While the exact amount this scam has stolen is unknown, McAfee estimates it to be between $75 million and $2.5 billion.

Those individuals responsible for the malware have extensive experience on how the financial sector operates, along with considerable knowledge of cloud-based systems, according to McAfee.

The report said this malware, operated by unknown individuals, has been in the wild for over a year, with the majority of its targets in Europe. However, researchers said that it has recently moved overseas and is now increasing activity in Latin America and North America.

Banking institutions that have taken a more active role in security efforts are more protected from attack than those with a "slow and disjointed 'white hat' detection system," according to McAfee.

"As this report shows with the evolution from client-side to server-side attacks, fraudsters will evolve their model to move a majority of the fraud logic to the server," said the report.

McAfee and Guardian Analytics recommend that banking institutions deploy a tested anomaly detection solution that can monitor for both manual and automated attacks, since the attackers have been changing their tactics with this malware.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
