
AFP Fraudwatch: High Roller Loots Corporate Bank Accounts

  • By Andrew Deichler
  • Published: 2012-07-02

AFP compiles the most alarming—and informative—fraud news relevant to corporates in Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization. Follow @AFPFraudwatch on Twitter for all the latest updates.

This week, a new cyber threat is revealed to have stolen billions from corporate bank accounts, a study reports a 318 percent uptick in mobile payments fraud, and the FBI takes down a massive international carding ring.

High Roller Steals Billions from Corporate Bank Accounts

A report by McAfee and Guardian Analytics revealed details on a new cyberattack, dubbed Operation High Roller, which has stolen millions—and possibly billions—from corporate bank accounts.

An expansion of Zeus and SpyEye malware tactics, High Roller has achieved major milestones, bypassing complex multi-stage authentication, establishing mule account databases, completing server-based fraudulent transactions, and attempting transfers to mule business accounts of up to $130,000.

The fraud ring has primarily targeted commercial accounts and high net-worth individuals in Europe, but has also expanded into Latin America and the United States. The report documented attacks in Italy, Germany, the Netherlands, Colombia and the U.S. A server based in San Jose, Calif. launched attacks against U.S. banks by initiating wire transfers from special purpose commercial and investment accounts—ones that regularly hold assets valued at tens of millions of dollars. “This first evidence of attacks on North American financial institutions affected 109 companies,” the report said. “Evidence in the United States indicates there are eight to 10 malware variations exclusively targeting American businesses, using commercial transactions to fund mule accounts.”

The report stated that the attacks have hit every type of financial institution (credit unions, large global banks and regional banks). “So far, we estimate the criminals have attempted at least €60 million (US$78 million) in fraudulent transfers from accounts at 60 or more financial institutions,” the report said. “If all of the attempted fraud campaigns were as successful as the Netherlands example we describe in this report, the total attempted fraud could be as high as €2 billion.”

Most Zeus/SpyEye attacks rely on active participation by a fraudster. An individual typically uses social engineering and remote manipulation to compromise each host system and online bank account. Fraudsters plant malware and execute a man-in-the-browser attack to skim credentials and form data, and then proceed to complete a fraudulent transfer. The High Roller process, by contrast, is often completely automated and allows repeated thefts once the system has been launched against a bank or Internet platform, although most high-value transactions still involve live intervention.

When attacking marquee business accounts, the report states, fraudsters will often participate in a semi-manual parallel session to circumvent extra security controls. Fraudsters monitor events across multiple compromised computers. Once a user attempts to log in, the malware alerts the fraudster to take over the session and blocks the user from authenticating while the fraudster fields security questions and processes transactions. As additional information is needed, requests can be injected into the user’s session. Fraudsters can manually adjust the amount of the transaction if they want to steal more than the fixed amount already programmed into the malware. As the server processes the fraudulent transfer, the user sees a “system under maintenance” message.

Fraudsters have also been known to launch more than one attack on a particular business. They can make changes to the client web inject script to point to a different server and thus evade detection by blacklisting software. Fraudsters also can redirect victims to a new server or upgrade the script with new functionality.

McAfee and Guardian advise banks to anticipate more automation, obfuscation and increasingly creative methods of fraud. “Different payment models will be targeted: Automated Clearing House (ACH) payments, remittance payments, and more,” said the report. “As this report shows with the evolution from client-side to server-side attacks, fraudsters will evolve their model to move a majority of the fraud logic to the server. This practice makes it much more difficult for security leaders to develop prevention strategies.”

Study: Mobile Fraud Up 318 Percent

According to a new white paper by iovation, mobile payments fraud has seen a 318 percent increase in the past year. With mobile usage continuing to grow and technology constantly evolving, mobile fraud is also likely to continue surging.

The report notes that the value of mobile payments transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 2010. Iovation has observed a 1,000 percent increase in mobile transactions since it began tracking mobile commerce in 2004. From January to June of this year, iovation tracked a 55 percent increase.

Mobile banking is also expanding by 40 percent year-over-year and is expected to surpass traditional banking by 2020. The financial services sector is utilizing mobile more and more for money transfers, bill pay and check deposits.

Fully 90 percent of all fraud attempts reported from mobile devices include credit card fraud and account takeover attempts, iovation said. A recent report by Javelin Strategy & Research revealed that 7 percent of smartphone users were victims of identity fraud, compared to 4.9 percent of the general population. Moreover, a recent report by Juniper Networks revealed that between the summer of 2010 and the spring of 2011, malware targeting Android smartphones jumped a staggering 400 percent.

The report recognizes that account takeovers are among the most alarming fraud threats, with the rise in phishing, spear phishing and smishing (phishing through a mobile device). The recent LinkedIn breach was a major red flag; with personal information such as birth dates and home addresses so readily available via social media, cybercriminals can easily steal data or trick victims into sharing it. Fraudsters have also grown particularly adept at exploiting weaknesses in security surrounding SMS messaging and automated voice calls used in second factor authentication processes.

FBI Takes Down International Carding Ring

The FBI has arrested 24 people around the world for their alleged involvement in a carding ring that spanned 13 countries. The two-year sting investigation, known as “Operation Card Shop,” is the largest coordinated international law enforcement action ever directed at carding crimes.

The FBI set up a fake forum known as Carder Profit, where fraudsters could buy and sell stolen credit card data and other personal identification information. Manhattan U.S. Attorney Preet Bharara said fraudsters sold credit cards “by the thousands,” traded private information of “untold numbers of people,” and shared every version of malware and virus available.

The Carder Profit site required fraudsters to register with valid email addresses and, at times, to receive recommendations from two other users and/or pay fees. The agency monitored discussion threads and private messages and recorded users’ IP addresses. Based on information gathered from the site, the FBI warned targeted companies, financial institutions, government entities, educational institutions and individuals of security breaches. The agency estimates that it prevented potential losses in excess of $205 million across 411,000 compromised cards.

The FBI has arrested 11 suspects in the U.S., six in the UK, two in Bosnia and one each in Norway, Bulgaria, Germany, Japan and Italy. Australia, Canada, Denmark and Macedonia each conducted interviews, executed search warrants, and participated in other actions related to the investigation. Mir Islam, one of the U.S. suspects, is believed to be the leader of UGNazi, the hacktivist group that claimed to take down Twitter last week.

“As the cyber threat grows more international, the response must be increasingly global and forceful,” said Bharara. “The coordinated law enforcement actions taken by an unprecedented number of countries around the world today demonstrate that hackers and fraudsters cannot count on being able to prowl the Internet in anonymity and with impunity, even across national boundaries.”

Copyright © 2015 Association for Financial Professionals, Inc.
All rights reserved.

