McAfee and Guardian Analytics have released a new whitepaper entitled Dissecting Operation High Roller. In the whitepaper, they describe a massive global attack that is stealing tens of millions of dollars from banks, institutions and wealthy individuals.
Unlike standard SpyEye and Zeus attacks that typically feature live (manual) interventions, we have discovered at least a dozen groups now using server-side components and heavy automation. The fraudsters’ objective in these attacks is to siphon large amounts from high balance accounts, hence the name chosen for this research: Operation High Roller.

With no human participation required, each attack moves quickly and scales neatly. This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code and appears to be worthy of the term “organized crime.”
The report describes the automation techniques used to increase the speed and efficiency of the new attacks:
Where transactions required physical authentication … in the form of a smartcard reader (common in Europe), the system was able to capture and process the necessary extra information, representing the first known case of fraud being able to bypass this form of two-factor authentication. Within 60 seconds, a script navigated to the GIRO transfer page, retrieved mule account information from a remote database, and initiated a transfer. No human interventions, no delays, no data entry errors.
The attackers use spearphishing as a means to install their malware. The report includes this sample spearphishing email:
The report details the measures the attackers have taken to evade anti-malware software, and then how the thieves cover their tracks after stealing the money.
Finally, the report describes how to protect against these thefts. These techniques boil down to faster response after suspicious activity is detected. At Iconix, we agree that fast response is important. AND, we think that prevention is important.
How can a spearphishing attack be prevented? Clearly, training is not the answer. The new DMARC standard is not the answer. What is needed is a method to deprive the attacker of his ability to deceive. Spearphishers deceive by masquerading as trusted senders. At Iconix we identify trusted senders. Our identification system makes it easy for users to distinguish trusted senders from attackers masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. You can contact us at 408-727-6342, ext 3 or use our online form.
Know who. No Doubt. SP Guard from Iconix.