Operation High Roller

Operation High Roller, a huge global fraud ring, was publicly exposed in June 2012, having targeted high net-worth businesses and individuals. It was estimated that the criminals behind this operation have netted $78 million. This article takes a closer look at this highly automated financial fraud ring.

Dissecting Operation High Roller

McAfee and Guardian Analytics issued a report on Operation High Roller, which explained that the attacks were first identified during the winter and have hit at least 60 institutions. The total amount stolen may be much higher than the estimated $78 million. According to the report, Operation High Roller is a “highly sophisticated, global financial services fraud campaign that has reached the American banking system.”

Unlike standard SpyEye and Zeus attacks, which typically feature live (manual) interventions, Operation High Roller involves at least one dozen groups using server-side components and heavy automation. The objective of these attacks is to take large amounts of money from high balance accounts.

In Operation High Roller, US-based victims were all companies that had commercial accounts with a minimum balance of several million dollars. Victims were traced through methods including online reconnaissance and spear phishing, targeted emails to a group of people with malicious links or attachments. Once victims’ computers were infected with malware, the hackers then used SpyEye or Zeus software to capture keystrokes and gather sensitive data, including the target’s internet banking platform and account information that would then be used to create a custom attack.

According to the report, “With no human participation required, each attack moves quickly and scales neatly. This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code and appears to be worthy of the term “organized crime.””

Large Scale Automation

Greg Schaffer, chief information security officer of FIS, a banking and payment technologies company, says, “What we’re seeing across the board from a cyber perspective is a greater sophistication on the part of threat actors. There just seems to be a progression where there’s more automation, more sophisticated and more targeted attacks that are coming in a way that is really focused on the weakest link, which is the people who interact with the machines.”

The level of automation of these attacks is notable. Once compromised, the target computer interacts with a server controlled by the hackers. Much of the processing of transactions is performed on the perpetrator’s server, making it easier to hide and bypass corporate security software. All instances involving High Roller malware were able to bypass complex authentication, including two-factor authentication, which uses smartcard readers to generate a one-time password.

So far, the security researchers have found 60 servers processing thousands of attempted thefts from high-value commercial accounts and some high net worth individuals. Transfers have averaged in the thousands of euros, and some transfers have even been as high as €100,000 (or US$130,000). Attacks have targeted every class of financial institution: credit union, large global bank and regional bank.

A timeline of events

McAfee and Guardian Analytics first spotted evidence of Operation High Roller in late January 2012, in an attack on a German bank in which the victim log data on the server “showed the fraudsters compromised 176 accounts and attempted to transfer nearly one million Euros to mule accounts in Portugal, Greece and the United Kingdom.” This attack was more automated than anything they had encountered before.

In March 2012, two banks in the Netherlands were attacked, affecting over 5,000 business accounts. The attempted fraud had an estimated value of 35.58 million euros. In the same month, security firms learned of attacks in Latin America, where over a dozen businesses in Colombia were targeted, each with an account balance ranging from $500,000 to $2million.

Beyond the recorded incidents, security experts project that hackers could be stealing as much as $1 billion each year from small and medium-sized company bank accounts. Don Jackson, expert at Dell SecureWorks, reported that three of the largest and most sophisticated gangs each bring in at least $100 million each year, more than the $43 million stolen in conventional bank robberies in 2010.


This article takes a look at Operation High Roller, a financial fraud ring that has targeted high-value accounts belonging to businesses and individuals across the globe. This ring develops on Zeus and SpyEye techniques and is highly automated, bypassing physical multi-factor authentication, automates mule account databases, performs server-based fraudulent transactions and attempts transfers to mule business accounts. It is estimated that at least $78 million has been stolen by Operation High Roller.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam,  a privacy professional should be comfortable with topics related to this post, including:

  • Data security risks (I.D.a.)
  • Automated data retrieval (III.D.b.)
  • Limiting or preventing automated data capture (III.E.a.)
  • Combating threats and exploits (III.E.b.)
  • Credentialing (III.E.c.iii.4.)
  • Authentication and authorization models (VI.D.d.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>