Operation High Roller: Cybercriminals Target European SEPA Network

Operation High Roller, a criminal campaign that’s aimed at stealing money from high-value accounts from all over the world, has been found to target the European Single Euro Payments Area (SEPA) network via automated transfer systems (ATS).

This is not the first time when cybercriminals rely on SEPA payments in their operations, but this time they’re combining the method with Operation High Roller elements to create a sophisticated automated attack, McAfee experts report.

SEPA payment channels, which are similar to the US’s Automated Clearing House (ACH) system, are preferred by fraudsters because they benefit from numerous advantages when making cross-border transactions.

Researchers reveal that, on one occasion, Russian crooks attempted to transfer 61,000 EUR ($77,854) to multiple mule accounts from a German bank utilizing this method. At the time of the attack, some of the targeted accounts had balances of over 50,000 EUR ($63,845).

So how do these attacks work?

In the latest attacks that targeted the German banking industry, the cybercriminals infected the computers of around a dozen online banking customers with a piece of malware. The attackers made sure that all the users targeted with their specially crafted JavaScript payload had the SEPA option enabled.

Since the infections are targeted and affect only a small number of customers, the malicious attempts are difficult to identify.

The attackers use a server located in Moscow, Russia, which hosts separate control panels for each of the targeted financial institutions. The control panels don’t seem sophisticated, but they hide highly complex mechanisms.

For instance, the webinjects contain variables that allow cybercriminals to specify the ranges used by the ATS when performing transactions. Also, there’s a section that defines the elements that the ATS code can utilize.

The system is designed to allow SEPA transactions ranging between 1,000 EUR ($1,200) and 100,000 EUR ($120,000).

Although some of the functions are similar to ones used in older European ATS schemes, the code appears to be newly developed.

The attacks can be considered a hybrid because they combine both server-side and client-side elements.