McAfee and fellow security firm Guardian Analytics released a report today that detailed a sophisticated type of bank fraud that originated in Italy and spread globally, initiating the transfer of at least $78 million from around 60 financial institutions. Banks in the Netherlands were hit the hardest, with fraudsters attempting to transfer over $44 million worth of funds.

The security firms said the attack was unique because it featured both off-the-shelf and custom malicious code to break into the banks' systems. The firms suggested that the creators of the code knew a lot about internal banking transactions, calling the operation "organized crime."

McAfee and Guardian called their investigation "Operation High Roller" because the fraudsters targeted high-worth individuals and businesses to disguise illegal transfers that were much larger than those in usual bank fraud. Some attempted transfers reached as high as $130,000 (McAfee does not mention whether the transfers were successful or not). As the investigation continued, researchers found the method used by the criminals evolved a little with every incarnation, making it a little more adaptable for each new banking system.

"While at first consistent with other client-based attacks we have seen, this attack showed more automation. Instead of collecting the data and performing the transaction manually on another computer, this attack injected a hidden iFRAME tag and took over the victim’s account—initiating the transaction locally without an attacker’s active participation," the Operation High Roller white paper (PDF) read. In Italy, "the code used by the malware looked for the victim’s highest value account, looked at the balance, and transferred either a fixed percentage (defined on a per campaign basis, such as three percent) or a relatively small, fixed €500 amount [roughly $625] to a prepaid debit card or bank account."

Eventually, the money launderers were able to simulate a two-factor authentication. Where the victim would have to use a SIM card to authenticate a transfer in the system, the thief's system was "able to capture and process the necessary extra information, representing the first known case of fraud being able to bypass this form of two-factor authentication."

Two months later, in the Netherlands attack, the criminals found that they could get around security and monitoring tools by enabling transfers on the server side of the bank accounts. In one instance where servers automating the attacks were found in Brea, California, a criminal was found logging in from Moscow, Russia.

"As this research study goes to press, we are working actively with international law enforcement organizations to shut down these attacks," the two groups stated in their white paper.