Today, there’s a new generation of attacks against online banking. Criminals are evolving Man-in-the-Browser schemes to move execution of key criminal activity away from the PC and into the cloud, using new servers dedicated to automating and executing fraudulent transactions. The attacks described in the report target the elite – commercial accounts and high net worth consumers – in Europe, Latin America and the United States, hence the name “Operation High Roller.”

Criminals in the Cloud – Disguise and Adaptability
In “server-side attacks”  the fraudsters use automated logic on a server in the cloud to identify targets and subsequently compromise the account, find mules, initiate transactions and mask account balances. This is a new server in the criminals’ arsenal, purpose-built and solely dedicated to processing fraudulent transactions (unlike typical  multi-purpose botnet servers used for spam, DDOS, credential harvesting). This means fewer signals for researchers or detection tools to find.

With server-based attacks, criminals are highly adaptable. They can readily modify their attack code to adapt to any workflow or security changes at a financial institution and dynamically adjust communications to clients as servers are moved around, without having to update code on every infected client.

Targeting the Elite Across the Globe
This fraud campaign started with automated attacks against wealthy consumers in Italy (balances of €200,000-€500,000) and then evolved to use server-side automated attacks against businesses in the Netherlands, Germany, and Columbia and the US. The most recent attacks started in March with an new evolution – criminals employed hybrid automated/manual scheme targeting high-balance U.S. businesses (assets in the tens of millions of dollars).  Overall,  the limited, targeted approach creates a highly favorable risk-reward scenario for the criminals- big payoffs with reduced chances of detection.

A few key takeaways for the industry:

  • Criminals are not sitting still: they are continually innovating their attacks to increase their paydays and reduce detection.
  • Every financial institution should be prepared for this and other attacks: The attacks hit financial institutions of all sizes including community banks and credit unions in the United States that use common online banking platforms
  • The industry needs collaboration on threat research: By working together, as McAfee and Guardian Analytics did on this project, we can improve the industry’s ability to understand quickly detect new schemes and alert the rest of the industry and law enforcement
  • Criminals still look like criminals, not like real users: Despite the sophistication of these attacks, behavior-based anomaly detection solutions like Guardian Analytics’ ACH ODFI & RDFI Fraud Detection will still detect the subtle differences in behavior that can tip off FIs that a specific banking session may be a fraud attack, not the legitimate account holder