Cybercriminals attempted to steal at least US$75 million from high-balance business and consumer bank accounts by using sophisticated fraud automation techniques that can bypass two-factor authentication, according to a report released on Monday by antivirus firm McAfee and online banking security vendor Guardian Analytics.
The new fraud automation techniques are an advancement over the so-called man-in-the-browser (MitB) attacks performed through online banking malware like Zeus or SpyEye.
Banking malware has long had the ability to inject rogue content such as forms or pop-ups into online banking websites when they are accessed from infected computers. This feature has traditionally been used to collect financial details and log-in credentials from victims that could be abused at a later time.
However, attackers are increasingly combining malware-based Web injection with server-hosted scripts in order to piggyback on active online banking sessions and initiate fraudulent transfers in real time, McAfee and Guardian Analytics researchers said in their report.
The externally hosted scripts called by the malware are designed to work with specific online banking websites and automate the entire fraud process. They can read account balances and transfer predefined sums to money mules — intermediaries — the selection of which is also done automatically by querying a constantly updated database of money mule accounts, the researchers said.
This type of automated attacks, which the McAfee and Guardian Analytics researchers collectively call “Operation High Roller,” were first observed in Europe — in Italy, Germany and the Netherlands. However, since March they have also been detected in Latin America and the U.S.
By extrapolating the data gathered from the European attacks, security researchers estimate that cybercriminals attempted to steal between $75 million and $2.5 billion using fraud automation techniques.
Such attacks usually target high-balance accounts owned by businesses or high net-worth individuals, the researchers said. “The United States victims were all companies with commercial accounts with a minimum balance of several million dollars.”
The fraud automation scripts also allow cybercriminals to bypass two-factor authorization systems implemented by banks for security purposes.
The malware intercepts the authentication process and captures the one-time password generated by the victim’s bank-issued hardware token and uses it to perform the fraud in the background. Meanwhile, the user is shown a “please wait” message on the screen.
“The defeat of two-factor authentication that uses physical devices is a significant breakthrough for the fraudsters,” the researchers said. “Financial institutions must take this innovation seriously, especially considering that the technique used can be expanded for other forms of physical security devices.”