New twist on Zeus/SpyEye used in massive global fraud scheme

A global fraud campaign is using automated tactics with the Zeus and SpyEye malware to steal tens of millions of dollars from banks, other institutions and well-heeled individuals in Europe, the United States and South America, two security research companies report.

The attacks, spread by targeted spear-phishing campaigns, manage to bypass multi-factor authentication systems to gain access and transfer funds, according to a report by McAfee and Guardian Security, which dubbed the fraud scheme Operation High Roller.

“Unlike standard SpyEye and Zeus attacks that typically feature live (manual) interventions, we have discovered at least a dozen groups now using server-side components and heavy automation,” the report states. “With no human participation required, each attack moves quickly and scales neatly.”

Related story:

New variant of Zeus Trojan targeting bank accounts, FBI warns

Attackers, operating via 60 servers, have attempted to make individual transfers of as much as $130,000, and have attempted to steal at least $78 million, although the actual total could be as high as $2 billion, the report’s authors write.

The thefts apparently started in Europe, where fraud rings have frequently operated but then spread to the United States and Colombia. The attacks originally targeted commercial accounts and wealthy individuals but shifted its focus to businesses, and affected all sizes of financial institutions, from credit unions and regional banks to large global banks, the report said.

In the United States, each target was a company with at least several million dollars in a commercial account.

The attacks began, like many attacks on government and business organizations, with spear-phishing e-mails that attempted to fool recipients into downloading the malware. Once inside, SpyEye or Zeus, which have been used in tandem in other attacks, gather details such as the banking platform and account data from the host machine, according to the report. From that information, a custom attack with other malware is launched.

“All of the instances that involved High Roller malware could bypass complex multi-stage authentication,” using a complex process the report states.

“In the High Roller scheme, an extensive JavaScript uses Web injects to alter the login experience to collect all the information the fraudsters need for both steps within the login step. Since the physical authentication information is gleaned during the login, outside the context of a transaction, the victim is less likely to be suspicious — they just think the login experience has been upgraded.”

McAfee and Guardian researchers first detected the High Roller attacks in Germany in January, and then found other instances in Europe. By March, they found evidence of High Roller attacks in the United States and Colombia. When the scope of the attacks became clear, researchers notified law enforcement and have been working with agencies to try to catch the fraudsters, the report states.

Variants of Zeus has been used at least since 2007 in a variety of attacks targeting financial accounts and apparently has been sued in tandem with SpyEye since early 2011.

In January, the FBI issued a warning that a new variant of Zeus was targeting individual banks accounts via phishing e-mails purportedly from financial institutions such as National Automated Clearing House Association and the Federal Deposit Insurance Corporation. The McAffe/Guardia report, however, does not refer to those attacks.


About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

inside gcn

  • analytics (Wright Studio/

    3 data strategies to help crackdown on internal corruption

Reader Comments

Thu, Jul 5, 2012

Regarding the "Is stealing from those who stole legally a crime?" comment. Please, GCN moderator, do a better job of weeding out unrelated political comments from the Occupy Wall Street crowd and stick to the topic at hand - cybersecurity.

Fri, Jun 29, 2012

Davis is an idiot. It is child's play to intercept, modify, delete cellular phone transmissions. He makes no mention of cellular encryption. court records are filled with cases of enemies, ex-lovers etc using cell phones to defraud, humiliate, masquerade as their past "friends"

Fri, Jun 29, 2012

Is stealing from those who stole legally a crime? If those folks had just transferred some of that money to the accounts of laid-off workers, there wouldn't be a jury in the US that would convict them...

Thu, Jun 28, 2012 Davis

I found it mildly amusing to see that an Internet Security company (who is supposed to prevent malware attacks) was so quick state that “2-Factor Authentication has been defeated”. If they were protecting us from malware attacks which is their job, 2FA would be able to work properly. But when an Internet Security company allows malware attacks to happen, and a computer is compromised, no form of secondary security is going function properly. In my opinion the blame needs to fall on the shoulders of the ones who allowed the malware to compromise the computers. I don’t think that they can say the 2FA has been defeated. I have seen many of the big global online banking sites have moved to the use of a telephone (mobile or other) as a form of a token where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice, I will continue to feel this is the safest option available.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group