|
Exclusive: Hackers hit Russian bank
customers, planned international cyber raids
Send a link to a friend
 [May 22, 2017]
By Jack Stubbs
MOSCOW (Reuters) - Russian cyber criminals
used malware planted on Android mobile devices to steal from domestic
bank customers and were planning to target European lenders before their
arrest, investigators and sources with knowledge of the case told
Reuters.
Their campaign raised a relatively small sum by cyber-crime standards -
more than 50 million roubles ($892,000) - but they had also obtained
more sophisticated malicious software for a modest monthly fee to go
after the clients of banks in France and possibly a range of other
western nations.
Russia's relationship to cyber crime is under intense scrutiny after
U.S. intelligence officials alleged that Russian hackers had tried to
help Republican Donald Trump win the U.S. presidency by hacking
Democratic Party servers.
The Kremlin has repeatedly denied the allegation.
The gang members tricked the Russian banks' customers into downloading
malware via fake mobile banking applications, as well as via pornography
and e-commerce programs, according to a report compiled by cyber
security firm Group-IB which investigated the attack with the Russian
Interior Ministry.
The criminals - 16 suspects were arrested by Russian law enforcement
authorities in November last year - infected more than a million
smartphones in Russia, on average compromising 3,500 devices a day,
Group-IB said.
The hackers targeted customers of state lender Sberbank, and also stole
money from accounts at Alfa Bank and online payments company Qiwi,
exploiting weaknesses in the companies' SMS text message transfer
services, said two people with direct knowledge of the case.
Although operating only in Russia before their arrest, they had
developed plans to target large European banks including French lenders
Credit Agricole, BNP Paribas and Societe General, Group-IB said.
A BNP Paribas spokeswoman said the bank could not confirm this
information, but added that it "has a significant set of measures in
place aimed at fighting cyber attacks on a daily basis". Societe General
and Credit Agricole declined comment.
The gang, which was called "Cron" after the malware it used, did not
steal any funds from customers of the three French banks. However, it
exploited the bank service in Russia that allows users to transfer small
sums to other accounts by sending an SMS message.
Having infected the users' phones, the gang sent SMS messages from those
devices instructing the banks to transfer money to the hackers' own
accounts.
The findings illustrate the dangers of using SMS messages for mobile
banking, a method favored in emerging countries with less advanced
internet infrastructure, said Lukas Stefanko, a malware researcher at
cyber security firm ESET in Slovakia.
"It's becoming popular among developing nations or in the countryside
where access to conventional banking is difficult for people," he said.
"For them it is quick, easy and they don't need to visit a bank... But
security always has to outweigh consumer convenience."
CYBER CRIMINALS
The Russian Interior Ministry said a number of people had been arrested,
including what it described as the gang leader. This was a 30-year-old
man living in Ivanovo, an industrial city 300 km (185 miles) northeast
of Moscow, from where he had commanded a team of 20 people across six
different regions.
Four people remain in detention while the others are under house arrest,
the ministry said in a statement.
"In the course of 20 searches across six regions, police seized
computers, hundreds of bank cards and SIM cards registered under fake
names," it said.
Group-IB said the existence of the Cron malware was first detected in
mid-2015, and by the time of the arrests the hackers had been using it
for under a year.
The core members of the group were detained on Nov. 22 last year in
Ivanovo. Photographs of the operation released by Group-IB showed one
suspect face down in the snow as police in ski masks handcuffed him.
The "Cron" hackers were arrested before they could mount attacks outside
Russia, but plans to do that were at an advanced stage, said the
investigators.
[to top of second column] |
The logo of Sberbank is seen on top of a building in central Moscow,
Russia April 22, 2016. REUTERS/Maxim Zmeyev/File Photo
Group-IB said that in June 2016 they had rented a piece of malware
designed to attack mobile banking systems, called "Tiny.z" for
$2,000 a month. The creators of the "Tiny.z" malware had adapted it
to attack banks in Britain, Germany, France, the United States and
Turkey, among other countries.
The "Cron" gang developed software designed to attack lenders
including the three French groups, it said, adding it had notified
these and other European banks at risk.
A spokeswoman for Sberbank said she had no information about the
group involved. However, she said: "Several groups of cyber
criminals are working against Sberbank. The number of groups and the
methods they use to attack us change constantly."
"It isn't clear which specific group is being referred to here
because the fraudulent scheme involving Android OS (operating
system) viruses is widespread in Russia and Sberbank has effectively
combated it for an extensive period of time."
Alfa Bank did not provide a comment. Qiwi did not respond to
multiple requests for comment.
Google, the maker of Android, has taken steps in recent years to
protect users from downloading malicious code and by blocking apps
which are insecure, impersonate legitimate companies or engage in
deceptive behaviors.
The company declined to comment for this story, saying they had not
seen the Group-IB report.
FAKE MOBILE APPS
The Russian authorities, bombarded with allegations of
state-sponsored hacking, are keen to show Russia too is a frequent
victim of cyber crime and that they are working hard to combat it.
The interior and emergencies ministries, as well as Sberbank, said
they were targeted in a global cyberattack earlier this month.
Since the allegations about the U.S. election hacking, further
evidence has emerged of what some Western officials say is a
symbiotic relationship between cyber criminals and Russian
authorities, with hackers allowed to attack foreign targets with
impunity in return for cooperating with the security services while
Moscow clamps down on those operating at home.
The success of the Cron gang was facilitated by the popularity of
SMS-banking services in Russia, said Dmitry Volkov, head of
investigations at Group-IB.
The gang got their malware on to victims' devices by setting up
applications designed to mimic banks' genuine apps. When users
searched online, the results would suggest the fake app, which they
would then download. The hackers also inserted malware into fake
mobile apps for well-known pornography sites.
After infecting a customer's phone, the hackers were able to send a
text message to the bank initiating a transfer of up to $120 to one
of 6,000 bank accounts set up to receive the fraudulent payments.
The malware would then intercept a confirmation code sent by the
bank and block the victim from receiving a message notifying them
about the transaction.
"Cron's success was due to two main factors," Volkov said. "First,
the large-scale use of partner programs to distribute the malware in
different ways. Second, the automation of many (mobile) functions
which allowed them to carry out the thefts without direct
involvement."
($1 = 56.0418 roubles)
(Additional reporting by Maya Nikolaeva in Paris and Eric Auchard in
Frankfurt; Editing by Christian Lowe and David Stamp)
[© 2017 Thomson Reuters. All rights
reserved.]
Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
 |
