Insight into these attacks has been offered in a paper by McAfee and Guardian Analytics, who discovered that once the users' computers have been compromised with banking Trojans such as Zeus and SpyEye, at least a dozen groups proceeded using client- and server-side components and heavy automation in order to swiftly effect the fraudulent money transfers.
"With no human participation required, each attack moves quickly and scales neatly," the researchers pointed out. "This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code and appears to be worthy of the term 'organized crime.'"
All types of financial institutions were targeted: credit unions, regional banks, large global banks. Still, the attackers showed a decided preference for the accounts containing large sums of money, making the researchers dub the campaign "Operation High Roller."
The attacks started in Italy.
"The attack used SpyEye and Zeus malware to transfer funds to a personal mule account or pre-paid debit card where the thief could retrieve the funds quickly and anonymously," they said. But, "instead of collecting the data and performing the transaction manually on another computer, this attack injected a hidden iFRAME tag and took over the victim’s account—initiating the transaction locally without an attacker’s active participation."
"This fraud showed one other important innovation. Where transactions required physical authentication in the form of a smartcard reader, the system was able to capture and process the necessary extra information, representing the first known case of fraud being able to bypass this form of two-factor authentication," they pointed out. "Within 60 seconds, a script navigated to the GIRO transfer page, retrieved mule account information from a remote database, and initiated a transfer. No human interventions, no delays, no data entry errors."
From Italy, the attacks spread to other European countries (Germany, the Netherlands) and some American ones (the US, Colombia).
As the attacks shifted from targeting individual high net worth consumers in Europe to the high net worth businesses in Latin America, the attack strategies have changed from automated consumer attacks to automated server-based attacks and hybrid automated/manual attacks against marquee business accounts.
All in all, it has been estimated that the attackers have so far attempted to steal over $78 millions.
The attacks have been thoroughly described in the paper, so if you are looking for greater insight, I suggest you check it out.
In the meantime, the two security companies are working actively with international law enforcement organizations to shut down these attacks.