In our report Dissecting Operation High Roller, a joint publication from McAfee Labs and Guardian Analytics, we examined a global fraud ring’s efforts to steal money from wealthy businesses and individuals. The complexity of Operation High Roller left many questions unanswered about the origins of the campaigns and the actors responsible for attempting millions in fraudulent transactions. Now we want to revisit the details at a much deeper level to develop a clearer picture of what was hidden and to further map the campaigns and the connections between them.
These campaigns, like many other attempts at fraud, originated in Eastern Europe, so it is not surprising that the actors had an extensive history of Zeus and SpyEye activity. The fraudsters planned these campaigns for some time and actively participated in other criminal activity long before Operation High Roller was conceived. We have found evidence that ties these actors to early automated transfer systems (ATS) built to target online-banking users. These initial efforts were likely their test ground for learning how financial systems work and how their various fraud prevention practices could be evaded.
These groups have since evolved to use more sophisticated techniques, and many of them actively used automated transfer system code against numerous European banks in late 2011.
This analysis attempts to map the domain infrastructure used during Operation High Roller to determine its origins. As with the previous report, we have informed law enforcement of our findings.