New twist on Zeus/SpyEye used in massive global fraud scheme

A global fraud campaign is using automated tactics with the Zeus and SpyEye malware to steal tens of millions of dollars from banks, other institutions and well-heeled individuals in Europe, the United States and South America, two security research companies report.

The attacks, spread by targeted spear-phishing campaigns, bypass multi-factor authentication systems to gain access and transfer funds, according to a report by McAfee and Guardian Analytics, which dubbed the fraud scheme Operation High Roller.

“Unlike standard SpyEye and Zeus attacks that typically feature live (manual) interventions, we have discovered at least a dozen groups now using server-side components and heavy automation,” the report states. “With no human participation required, each attack moves quickly and scales neatly.”


Attackers, operating via 60 servers, have attempted to make individual transfers of as much as $130,000, and have attempted to steal at least $78 million, although the actual total could be as high as $2 billion, the report’s authors write.

The thefts apparently started in Europe, where fraud rings have frequently operated, and then spread to the United States and Colombia. The attacks originally targeted commercial accounts and wealthy individuals but shifted their focus to businesses, and affected financial institutions of all sizes, from credit unions and regional banks to large global banks, the report said.

In the United States, each target was a company with at least several million dollars in a commercial account.

The attacks began, like many attacks on government and business organizations, with spear-phishing e-mails that attempted to fool recipients into downloading the malware. Once installed, SpyEye or Zeus, which have been used in tandem in other attacks, gather details such as the banking platform in use and account data from the host machine, according to the report. From that information, a custom attack using additional malware is launched against the victim's bank.

“All of the instances that involved High Roller malware could bypass complex multi-stage authentication,” the report states, describing a multi-step process in which the second factor is harvested before any transaction takes place.

“In the High Roller scheme, an extensive JavaScript uses Web injects to alter the login experience to collect all the information the fraudsters need for both steps within the login step. Since the physical authentication information is gleaned during the login, outside the context of a transaction, the victim is less likely to be suspicious — they just think the login experience has been upgraded.”
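The security-relevant point in that passage is that the one-time code is collected at login, with no transaction in front of the victim, and is then replayed by the attacker on a transfer of the attacker's choosing. The following toy model, added here and not part of the McAfee/Guardian Analytics report, simulates the injected login form, a cheap server-side tell for it (a posted field the bank never rendered), and the difference between a second factor that is merely "current" and one that is bound to the destination account and amount. All names, secrets, accounts and amounts are constructed; the HMAC-based code is a simplified stand-in for a real token.

```python
"""Added example (not from the McAfee/Guardian Analytics report): a toy model of the
High Roller login harvest and of why a second factor bound to the transaction
defeats it. All secrets, accounts and amounts below are constructed."""
import hashlib
import hmac

SECRET = b"victim-token-seed-example"   # constructed OTP device secret
COUNTER = 17                            # constructed event counter of the token

# Fields the bank really renders on its login page (constructed).
BANK_LOGIN_FIELDS = ["username", "password"]


def web_inject(login_fields):
    """Model of what the injected JavaScript does client-side: it extends the
    genuine login form with an extra 'security code' prompt so the second
    factor is typed in during login, outside any transaction."""
    return login_fields + ["security_code"]


def token_code(secret, counter, context=b""):
    """HMAC-based six-digit one-time code. With an empty context this is an
    ordinary event-based OTP; with a transaction context it is a transaction
    signature (simplified stand-in for a real signing token)."""
    msg = counter.to_bytes(8, "big") + context
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def tx_context(dest_account, amount_cents):
    """Canonical transaction details that a signing token shows the user and
    mixes into the code."""
    return f"{dest_account}|{amount_cents}".encode()


def victim_fills_injected_form(fields):
    """The victim, believing the login page was 'upgraded', types the code the
    token currently shows, with no transaction in front of them."""
    posted = {"username": "cfo@example-corp", "password": "hunter2"}   # constructed
    if "security_code" in fields:
        posted["security_code"] = token_code(SECRET, COUNTER)
    return posted


def bank_accepts_transfer(dest_account, amount_cents, code, bind_to_tx):
    """Server-side check of the second factor on a transfer.
    bind_to_tx=False: any current code from the token is accepted.
    bind_to_tx=True: the code must have been computed over these exact
    transaction details."""
    ctx = tx_context(dest_account, amount_cents) if bind_to_tx else b""
    return hmac.compare_digest(token_code(SECRET, COUNTER, ctx), code)


def unexpected_fields(posted, rendered):
    """Cheap server-side tell: names in the login POST that the bank never
    rendered. A web inject that adds its own input shows up here."""
    return sorted(set(posted) - set(rendered))


def fraud_succeeds(bind_to_tx):
    """Replay the code harvested at login on an attacker-chosen transfer."""
    posted = victim_fills_injected_form(web_inject(BANK_LOGIN_FIELDS))
    stolen = posted["security_code"]
    return bank_accepts_transfer("MULE-ACCT-0001", 130_000_00, stolen, bind_to_tx)


def legitimate_transfer_succeeds():
    """Sanity check: with binding on, the victim's own signed transfer still works."""
    dest, amount = "SUPPLIER-ACCT-0002", 4_250_00
    code = token_code(SECRET, COUNTER, tx_context(dest, amount))
    return bank_accepts_transfer(dest, amount, code, bind_to_tx=True)


if __name__ == "__main__":
    posted = victim_fills_injected_form(web_inject(BANK_LOGIN_FIELDS))
    print("fields posted that the bank never rendered:",
          unexpected_fields(posted, BANK_LOGIN_FIELDS))
    print("unbound OTP, harvested code replayed on a transfer:", fraud_succeeds(False))
    print("transaction-bound code, same replay:", fraud_succeeds(True))
    print("transaction-bound code, victim's own transfer:", legitimate_transfer_succeeds())
```

The replay goes through when the bank only checks that the code is current, and fails when the code must cover the destination and amount, because the victim never saw (and the token never signed) the mule account or the $130,000 figure. The field-name comparison is not a substitute for that design change, but it is the kind of check a bank's login handler can run cheaply to spot injected forms.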

McAfee and Guardian Analytics researchers first detected the High Roller attacks in Germany in January, and then found other instances in Europe. By March, they had found evidence of High Roller attacks in the United States and Colombia. When the scope of the attacks became clear, the researchers notified law enforcement and have been working with agencies to try to catch the fraudsters, the report states.

Variants of Zeus have been used at least since 2007 in a variety of attacks targeting financial accounts, and Zeus apparently has been used in tandem with SpyEye since early 2011.

In January, the FBI issued a warning that a new variant of Zeus was targeting individual bank accounts via phishing e-mails purporting to come from organizations such as the National Automated Clearing House Association and the Federal Deposit Insurance Corporation. The McAfee/Guardian Analytics report, however, does not refer to those attacks.


About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.
