Fraudsters are taking their attacks on banks and payment companies to alarming new levels using automation and cloud-based servers, according to a new report from Guardian Analytics and McAfee Inc.
The report focuses on "Operation High Roller," a complex and recent international fraud ring that stole millions of dollars from bank accounts belonging to businesses and high-net-worth individuals across several continents.
The scheme harnessed new automation and encryption techniques, making it difficult for banks to spot the crimes while they were in progress, according to Santa Clara, Calif.-based McAfee and Mountain View, Calif.-based Guardian.
Attacks on corporate accounts, and on accounts likely to carry higher balances, are becoming a common pattern.
Julie Conroy McNelley, a senior analyst at Aite Group, earlier this month said anecdotal reports show a sharp rise in fraud incidents targeting corporations and wealthy accountholders.
The good news is that such attacks are unlikely to succeed where financial institutions and companies have "layered controls and detection software" in place, according to the report, "Dissecting Operation High Roller," which was published June 25.
Based on new data from its recent investigation, financial institutions should anticipate "more automation, obfuscation and increasingly creative forms of fraud," McAfee and Guardian said.
Banks also ought to beware of new types of payment models fraudsters may attack, including automated clearinghouse and remittance payments, the firms said.
Anomaly detection systems, which can monitor all online and mobile banking activity for each account holder, "have been proven to detect the widest array of fraud attacks, including manual and automated schemes, and including both well-known and newly emerging techniques," the firms said.
Unfortunately, "many regional banks and credit unions lack anomaly detection software, so they are completely exposed to this (type of) attack," the firms said in the report.
The fraud ring behind "High Roller" used new techniques to bypass chip-and-PIN payment card authentication, to automatically build databases used to transfer funds fraudulently to criminals' accounts, and to engineer a series of server-based fraudulent transactions, the firms said.
Fraudsters typically attempted to transfer funds from breached business accounts in lump sums as high as $130,000, according to the report.
Beginning in January of this year, the investigators discovered a replication of the attack in Germany, where fraudsters breached 176 accounts and attempted to transfer more than $1 million to bogus accounts in Portugal, Greece and the United Kingdom.
In March the fraudsters moved on to the Netherlands, where they compromised more than 5,000 mostly business accounts in two banks there. This attack used a server based in San Jose, Calif.
The fraudsters used that same server later that month to launch automated attacks against commercial and investment accounts at various U.S. banks, ultimately affecting 109 companies in a scam that unfolded over 60 days.
Fraudsters attacked U.S. accountholders with bank balances each exceeding $1 million, and identified victims through "online reconnaissance and spear phishing," the report said.
One trick the fraudsters used in the U.S. was automatically transferring funds from a victim's corporate savings account to a corporate checking account, then moving those funds to an account criminals controlled in another country, the report said.
"The shift from consumer to business targets allows the fraudsters to transfer larger sums without bumping up against thresholds or money-laundering limits or raising red flags," the report said.
Later in March the fraudsters extended their campaign to Latin America, where a single attack targeted 12 businesses in Colombia that all shared the same bank and had account balances ranging from $500,000 to $2 million, according to McAfee and Guardian.
The Colombian scam was tied to a server fraudsters controlled in Brea, Calif., but evidence also revealed a fraudster logged in from Moscow to manipulate some transactions.
The latest wave of scams relies on sophisticated automated processes and cloud-based systems, the report said.
Malware "stalls the user" and executes a transaction in the background using a legitimate digital token. "Fraudsters can replicate this automated process across accounts and reuse it in multiple accounts on the same banking platform, so it scales," according to the report.
Detection of such scams is difficult because components are hidden to avoid classification or blacklisting by reputation-based systems.
McAfee and Guardian note their systems gather billions of data points in the cloud to assign reputations to malicious sites. The companies concluded their report by calling for industry cooperation to block more such fraud rings.