How hackers cash out money from a card. Trend Micro spoke about how hackers steal from gamers and launder money in games

In 2017 the damage will apparently be even greater. Oddly enough, robbing financial organizations has become easier, while protection against the new kinds of fraudsters is working poorly.


VLADIMIR RUVINSKY


Theft of the Year


On the last day of winter 2016, February 29, Moscow's Metallinvestbank lost 200 million rubles; the money was later found to have been stolen by hackers. Everything happened quickly. The terminals used to manage the bank's correspondent account with the Central Bank began sending unauthorized transfers from it to third-party accounts, whose recipients were private individuals at commercial banks across the country.

Suspicious behavior of Metallinvestbank's computers was discovered immediately, Deputy Chairman of the Board Mikhail Okunev assured Dengi. "This was a compromise of the channel of the automated workstation of a Bank of Russia client, the ARM KBR," he said. The hack, according to Okunev, lasted about an hour. To stop the transfers, the bank even asked the Central Bank to disconnect it from the settlement system. By then 667 million rubles had left Metallinvestbank's correspondent account. "A third of the money was returned immediately, about a third was seized in bank accounts, and we expect it will be returned to us based on the results of the trial, which we expect to begin in April," says Mikhail Okunev. About 200 million rubles, as already mentioned, were never returned to the bank: the attackers either quickly cashed the money out from the accounts they controlled or transferred it further.

This story has an ending that is rare for Russia. Three months later, in June 2016, the FSB and the Ministry of Internal Affairs reported that in a joint operation across 15 regions of the Russian Federation they had detained 50 people belonging to a hacker group called Buhtrap. It was first noticed back in 2014, when it was fleecing companies. In August 2015 the group switched exclusively to financial organizations:

over the six months to February 2016, Buhtrap carried out 13 successful attacks on Russian banks, stealing 1.8 billion rubles, notes Group-IB, which specializes in preventing and investigating cyberattacks.

This group, Dengi's sources in the banking market say, is also behind the attack on Metallinvestbank. Group-IB shares this view.

Growth by 300%


The theft of 667 million rubles from Metallinvestbank was one of the largest in Russia, at least among those made public. The average hacker theft from a Russian bank in the period from June 2015 to May 2016 was about 140 million rubles, though there were also larger amounts. "In two cases the amount stolen was 2.5 times the bank's authorized capital," noted last year's Group-IB report.

In total, the Central Bank reported in February 2017, hackers stole 2.2 billion rubles from Russian commercial banks in 2016.

"If we talk about attempted thefts of money from the accounts of credit institutions, then in 2016 nine organizations were subjected to such attacks," the regulator's press service clarified to Dengi. "The attackers tried to steal about 5 billion rubles. At the same time, thefts totaling about 2.8 billion rubles were stopped." Obviously, banks would have lost even more in 2016 had members of Buhtrap not been caught: according to Group-IB, the group accounted for two-thirds of what was stolen from banks.

The total amount of cyber thefts from financial organizations over the past year, however, may be higher. According to Group-IB estimates, from June 2015 to May 2016 hackers stole 2.5 billion rubles from Russian banks in targeted attacks alone (attacks in which the victim is not random but deliberately chosen).

The amount of targeted cyber thefts from banks, according to Group-IB, increased by 292% compared with the same period of 2013-2014. (According to the Central Bank, from June 2015 to May 2016 hackers stole 1.37 billion rubles from Russian banks.) "We are often accused of exaggerating the numbers, but I believe we are underestimating them," emphasizes Dmitry Volkov, director of the cyber intelligence department at Group-IB.

The company does not yet have more recent figures for 2017, but the banking community unofficially confirms to Dengi, if not an increase in the amount stolen, then an increase in the number of cyberattacks on Russian financial organizations. (At the same time, the amount stolen in a single incident may decrease.) "Attacks aimed at the banks' own money are being carried out more and more often. There is an opinion that in the last few years the number of attacks has doubled annually," confirms Elman Mehdiyev, executive vice president of the Association of Russian Banks (ARB). Positive Technologies, which also investigates cybercrime, predicts a 30% increase in hacker attacks on banks in Russia in 2017. This also applies to processing companies, brokerages and money transfer operators: their losses from cyber theft will also increase.

Not recognized


Metallinvestbank is a rare exception to the rule: it publicly acknowledged the theft and the amount of damage caused by the hackers. Russian International Bank and Kazan's Altynbank also reported cyber thefts (though without details). The rest prefer not to talk about their losses.

In the United States, by contrast, financial organizations that want to avoid heavy fines are required not only to report damage from hackers to the regulator but also to disclose it publicly. In Russia, bankers say, financial and credit institutions have not publicized such information widely, fearing serious image and reputational losses (and the law does not oblige them to be candid).

There is no open, complete data on how much hackers have stolen in Russia from the accounts of banks and their clients, whether individuals or legal entities.

The Central Bank's statistics are compiled from bank reports, and until 2015 banks were in no hurry to share confidential information about cyber thefts with the regulator. A little over a year ago they were obliged to do so. "The Central Bank's overall data on cyber thefts in Russia does not reflect the picture," says a former unit head in a department of the Ministry of Internal Affairs, who asked to remain anonymous. "There are far more of them than the banks say." This, however, primarily concerns cyber thefts from clients of financial organizations. It is not in banks' interest to hide attacks on themselves from the Central Bank, Dengi's interlocutors are sure. But it is quite possible to do so.

"When compiling statistical reports, the Bank of Russia proceeds from the assumption that credit institutions report in good faith," the regulator's press service said. "For 2016, Bank of Russia statistics correlate almost completely with Ministry of Internal Affairs statistics on this type of crime."

Banks are the main target

Several thousand rubles stolen from your card are the spoils of a pickpocket. Professional computer criminals "take" hundreds of millions at a time.


If back in 2013 the main targets of experienced hackers were bank clients, now they are the financial institutions themselves, say the experts interviewed by Dengi. The most professional cybercriminals, having trained on companies, switched to banks. There the risks and the excitement are higher and the business is more complicated, but the jackpot is far more tempting.

Hackers' income from targeted attacks on banks from June 2015 to May 2016, according to Group-IB, "covered the total income from all other methods of theft, making banks the most attractive target." Hackers stole 2.5 billion rubles from banks in that period, versus 956 million from legal entities, 6.4 million from individuals via desktop computers and 348.6 million from individuals via smartphones.

From legal entities, a single theft via internet banking "brought in" almost 300 times less than one from a bank: 480 thousand rubles versus 140 million.

The most qualified hackers, the "elite", work with both. The accounts of ordinary citizens are cleaned out by a separate group of cyber fraudsters, which, experts say, is essentially the digital-era analogue of low-skilled pickpockets. They steal an average of 51.6 thousand rubles at a time from citizens' bank accounts via desktop personal computers and an average of 4 thousand at a time via Android smartphones (not much, but such thefts happen far more often).

Russian cyber theft market, Q2 2015 - Q1 2016

Type of theft                     | Hacker groups | Average theft, rub. | Total stolen, rub. | Change vs. previous period, %
Targeted attacks on banks         | 5             | 140 million         | 2.5 billion        | +292
Internet banking, legal entities  | 6             | 480 thousand        | 956 million        | -50
Desktop PCs, individuals          | 1             | 51.6 thousand       | 6.4 million        | -83
Android smartphones, individuals  | 11            | 4 thousand          | 348.6 million      | +471
Cashing out stolen funds          |               |                     | 1.7 billion        | +44
Total                             |               |                     | 5.5 billion        | +44

Source: Group-IB

No one is invulnerable


In total, about 570 commercial banks now operate in the country, and hackers have most likely probed all of them (as well as the more than 300 that were closed in the purge launched by the Central Bank). "There are no banks that are not attacked," says Elmar Nabigaev, head of the information security threat response department at Positive Technologies. "Everyone is subject to hacker attacks," agrees Alexey Golenishchev, director of electronic business monitoring at Alfa Bank. "But few will go after a well-secured bank from which it is difficult to withdraw money."

Many financial organizations, primarily regional ones, are poorly prepared for cyberattacks. "Banks, especially in the regions, are still convinced that cyber fraudsters only gut clients, for which they have already paid," notes a top manager from the banking sector who asked to remain anonymous. According to Elmar Nabigaev, banks usually change their approach after the first theft. "Now there are fewer of them," he notes. Fewer partly because the bulk of the closed banks are regional.

"Readiness varies depending on the size of the bank. Large banks are ready for attacks; medium and small ones are not all ready... But you can never be one hundred percent ready for betrayal within an organization, regardless of the bank's size," notes Elman Mehdiyev of the ARB. Roman Chaplygin, director of cybersecurity risk analysis and control at PwC, points to a lack of funding: "There are many banks in Russia that do not have sufficient financial resources to build a cybersecurity system within the organization and repel attacks."

However, there is another problem. "Some banks in Russia and abroad don't believe that computer crime exists," says Ilya Sachkov, CEO of Group-IB. "Even in respected government agencies there are people who don't believe in it either."

The weak readiness of credit institutions is also borne out by the penetration tests of corporate and bank information systems that Positive Technologies conducted in 2015. Seventeen organizations were tested, in Russia and abroad, a third of them banks and financial institutions.

In 82% of the systems it was possible to get into the network, in every second case to gain control over critical company resources, and in 28% to obtain complete control over the organization's entire infrastructure.

According to Elmar Nabigaev, the situation has not changed significantly to date: "In the banking sector, from a security point of view, things are not very good. Most attackers have no difficulty obtaining full privileges on the network. The results of our incident investigations at banks show that in most cases the attacks ended in complete compromise of the network and theft of funds."

Weakness of banks


Credit institutions do seem to be investing in cybersecurity, even despite the crisis. "According to our data, in 2017 cybersecurity budgets in Russia increased by 18%," says Roman Chaplygin of PwC.

Increasing the budget, however, does not always help. "Many banks limit themselves to investing in security at the level of compliance with standards," explains Elmar Nabigaev. "If you have put a check mark in the document and bought the right security measure, then everything is fine. But you can't just buy a piece of hardware and forget about it. Information security is a process: the infrastructure of a banking organization changes, cybercriminals update their tools and attack patterns, so security must constantly improve."

Those whose cyber protection did not help found themselves in a very sticky situation. "Unfortunately, many information security employees hid the problem from bank management, and this could go on until 2013-2014," says Ilya Sachkov. "You spent a lot of money, but it didn't solve the problem, and you have to spend more. We even had conflicts with some banks when, through our monitoring system, we identified crimes at the preparation stage, we knew from whom money could be stolen, we reported this to the information security service's employees, but they did not use this information in any way; they were afraid to show it to management."

Those to whom bank management did not allocate funds for cyber protection use this as a reason to abdicate responsibility: we asked for money, they say, and you did not give it, says a top manager from the banking sector who asked to remain anonymous. "This happens most often in banks where IT security is part of a service that grew out of the physical security service," our interlocutor is sure.

Sergey Golovanov, a leading anti-virus expert at Kaspersky Lab who took part in investigations of cyber thefts at financial organizations, agrees: "Most often, banks' problems are not with budgets but with awareness of incidents. Most attacks happen because of stupidity, oversight, accident, if you like. And it is like that all over the world. If a bank formally follows the letter of the law (so-called paper cybersecurity), it will still become a victim of an attacker."

"It's not enough to buy expensive systems," notes Elmar Nabigaev. "Their effective operation and configuration require highly qualified and very expensive personnel, and not every bank can afford to keep such professionals on staff. And there are very few of them."

There are few knowledgeable specialists not only in banks but also in law enforcement agencies, says Dengi's source in a department of the Ministry of Internal Affairs: "There are almost no operatives or investigators able to understand the technical side of cases, link the episodes together and explain their essence to the prosecutor and the judge."

Thief from a thief


Using exclusively inside information, criminals in Russia also steal from cash-out banks, which accept funds and then receive instructions on where to transfer them. "There are groups of attackers who gain access to the mail of such a cash-out bank or money sender," says Dmitry Volkov of Group-IB. "The fraudsters see the correspondence and send these instructions to the bank themselves from the hacked mailbox. For example, today the money should go to China; the attackers intercept such a letter and replace it: yes, China as well, but a different legal entity. And $200 million goes to the wrong company. They control the mail. The bank asks: 'Should I send it exactly there?' The hackers answer: 'Yes, there.' That's all. The amounts stolen here are large, and a lot of this is done on tips."

And who is going to admit to the Central Bank, to clients or to partners that gray money was stolen, that a laundering or cash-out scheme, essentially a criminal one, was hit?
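The substitution Volkov describes is an emailed change of beneficiary on an existing counterparty relationship, confirmed through the very mailbox the attackers control. The check below is an added example, not code from the article or from Group-IB, of the gate a settlement desk can put in front of such instructions: release only beneficiaries this counterparty has actually been paid before, and route everything else, in particular a familiar name now pointing at a new account, to confirmation over a channel other than email (a phone number on file, not the number in the message). Counterparty names, accounts, bank codes and the similarity threshold are constructed for the demonstration.

```python
"""Gate for emailed payment instructions: release only known beneficiaries,
send everything else to out-of-band confirmation.

Added example, not code from the article or from Group-IB. All names,
accounts, bank codes and the similarity threshold are constructed/assumed.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Beneficiary:
    name: str
    bank: str      # bank identifier on the instruction (assumed to be a BIC)
    account: str


@dataclass(frozen=True)
class Instruction:
    counterparty: str        # whose mailbox the instruction arrived from
    beneficiary: Beneficiary
    amount: float
    currency: str


# Constructed history: beneficiaries each counterparty has actually been paid
# before, confirmed through a channel other than email.
HISTORY = {
    "Acme Trading Ltd": {
        Beneficiary("Shenzhen Parts Co", "CNBKCNBJ", "6222000000000001"),
    },
}


def assess(instr, history=HISTORY, name_threshold=0.85):
    """Return ('release', []) or ('confirm-out-of-band', [reasons])."""
    reasons = []
    known = history.get(instr.counterparty, set())
    if not known:
        reasons.append("no payment history for this counterparty")
    elif instr.beneficiary not in known:
        same_account = [b for b in known if b.account == instr.beneficiary.account]
        if same_account:
            # Account matches history but the bank or name on it changed.
            reasons.append("known account now carries a different bank or name")
        else:
            reasons.append("beneficiary account never paid for this counterparty")
            # A familiar-looking name on a different account is the signature
            # of a swapped instruction: the sender wants the clerk to recognise
            # the name and not look at the account.
            for b in known:
                ratio = SequenceMatcher(None, b.name.lower(),
                                        instr.beneficiary.name.lower()).ratio()
                if ratio >= name_threshold:
                    reasons.append(
                        f"name resembles known beneficiary '{b.name}' but the account differs")
                    break
    verdict = "confirm-out-of-band" if reasons else "release"
    return verdict, reasons


if __name__ == "__main__":
    swapped = Instruction("Acme Trading Ltd",
                          Beneficiary("Shenzhen Parts Co", "CNBKCNBJ", "6222000000000099"),
                          200_000.0, "USD")
    print(assess(swapped))
```

The rule deliberately ignores the text of the email: whoever controls the mailbox also controls any "please confirm" reply, so the only input it trusts is the bank's own payment history, and the only way out of the "confirm" verdict is an update to that history made by a person who called the counterparty back.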

How banks are robbed

Have your employees stopped subscribing to a paper newspaper or a popular weekly magazine? Expect hackers and robbers.


Human factor


An attack on a bank is primarily an attack on a person.

First, the attackers need to get into a bank employee's computer.

From there they gain access to the local network and obtain administrator privileges, which lets them attack the systems responsible for financial transactions: ARM KBR workstations, ATM networks, exchange terminals, electronic settlement and interbank transfer systems, SWIFT and card processing. That is what makes it possible to steal funds.

That is most likely exactly how the theft at Metallinvestbank happened: the payment terminals and the corporate network were combined, which played into the hackers' hands. "It is truly difficult to say what served as the initial entry point into the banking system," says Mikhail Okunev. "But we have closed all the vulnerabilities and are constantly improving in this regard. We physically separated the general banking network from the machines responsible for sending any payments. The bank carried out a complete restructuring of its information security system."

Mail hack


There are several ways to penetrate a bank employee's computer. The most common is email. Specific employees are sent a letter with an attached document that contains a malicious program with so-called exploits. Using vulnerabilities in the software, the exploit opens a back door into the employee's computer. To get the malicious file opened, attackers send it on behalf of bank clients, the Central Bank (as the Buhtrap group did) or government agencies.

The letter may also be backed up by a phone call: check the details of the contract, the reconciliation report, the latest orders, the caller says. And it won't necessarily come from a fake address: hackers can send infected files from real but hacked mailboxes. It could even be a genuine email from a partner, but with malware attached.

"Criminals have additional opportunities to carry out attacks through banks' numerous counterparties, whose defenses against cyber threats are often not developed at all," says Roman Chaplygin.

What happens next? An employee opens a document, for example a .pdf, and the malicious program embedded in it checks whether the reader has vulnerabilities. Often it does, since the updates that "patch" software are installed irregularly. But updates are not a panacea; they only reduce the risk: to the delight of hackers, programs have vulnerabilities that are unknown even to their developers.

Through these vulnerabilities, using the exploits embedded in the document, cybercriminals enter the victim's computer through the back door. "The attacker installs a program that allows him to obtain the network administrator's passwords, then moves to other computers and gains full access," says Ilya Sachkov. "We investigated a case where the attackers controlled the entire banking network and stole a large sum from a correspondent account, which they then dispersed among different accounts and cashed out. They had access to the mail server and the main servers, and they read how the bank was responding to the investigation."

Meanness through the newspaper


Another way to get onto a bank employee's computer is mass infection, which, experts say, is becoming a thing of the past. Fraudsters compromise popular sites such as business and news publications and legal or government directories. Unbeknownst to the owners, hackers embed a small program into the site that checks every visitor for their browser, operating system, Flash player, PDF reader, their versions and so on. "In this way vulnerable software is found, on average among 13-15% of visitors," says Dmitry Volkov. Incidentally, according to Group-IB, this method is now actively used to infect Android smartphones with Trojans and steal money from them. Then, through the back doors found, programs are downloaded onto the computer that check, in particular, whether it has connections to banking or accounting programs, which antivirus it runs and so on. Some of these computers may turn out to be in a bank.

But the attackers do not know which computer they have hit. To cope with this, they would, for example, download a modified malicious program that found out whether there were traces of work with banking or accounting applications. "In some cases it works: if you're lucky, one in a thousand of those hacked will be an accountant's computer, the antivirus on it is bad, and there is an opportunity to steal money," Volkov explains. When it comes to penetrating a banking network, fraudsters have recently often settled into a computer using legitimate or free remote control tools. Previously it was necessary to write Trojans; now theft from banks is highly automated and cheaper, and penetration into a banking network, Group-IB notes, "does not require special experience or hard-to-find software".

Steal and Cash


According to a source in a department of the Ministry of Internal Affairs, cybercriminals pay 30-60% of the stolen money for cashing out, depending on the "purity" of the money and the complexity of the scheme. If the amount is large, the money is dispersed: say, as a so-called salary project, when 50 million rubles are transferred through a legal entity to 50 bank cards. Or the money flows, for example, to two thousand Qiwi wallets and 100 thousand SIM cards, and from there to bank cards. To withdraw the money, people are hired who have to "show their faces" at ATMs; they are paid about 5% of what they withdraw.

If a lot needs to be obtained at once, a person is sent to a bank branch with certified documents from the director of a shell company and receives everything through the cash desk. When cash-out groups break up or lie low, the thefts temporarily stop. However, money can be cashed out anywhere, says Elmar Nabigaev: hackers successfully use foreign accounts.

ATM attack


New technologies are changing the scheme. Having penetrated a bank's network, you can steal money from ATMs. "Now hackers penetrate the bank's corporate network, find the ATM network, that is, infiltrate the computers of the employees who service these ATMs, and download malware to the ATMs," says Nabigaev. The hackers' cash-out accomplices walk up to the ATMs, and the hacker remotely commands the device to dispense cash. This theft scheme, he says, is gaining popularity. Cases of such thefts were reported in the media, but the amounts stolen and the owners of the ATMs were not specified.

The scheme is convenient for hackers because a small number of cashers can rob many ATMs. "Banks may not notice this immediately, since ATMs are not emptied daily, and the banking systems may report that there is still money in the ATMs," says Nabigaev. "It may take a week before it turns out that the money has been stolen. It is difficult to find the criminals, since time has already been lost, and the traces of the crime are usually covered up: for example, hackers turn off the cameras on the ATMs."

In July 2016, having penetrated a financial organization's computer system, a group of masked young men attacked 34 ATMs of First Bank, one of Taiwan's largest banks, taking away 83.27 million Taiwan dollars (more than $2 million).

In August, 12 million baht (about $350 thousand) was stolen from 21 ATMs of Thailand's Government Savings Bank using a similar scheme. In September, Group-IB notes, similar attacks were recorded in Europe, but they were not made public.

Stages of cyber theft of money from banks

Penetration. The main method is a phishing email with an attachment: a document with an exploit or macro, an executable file, or a password-protected archive containing an executable. An attachment with an exploit can be built with ready-made tools; sending an executable requires no special tools at all.

Remote access. After a successful infection, all groups use various remote control tools, typically legitimate and free ones.

Obtaining privileges. Having gained remote access to a bank's network, attackers often use a free tool that extracts logins and passwords in clear text from the RAM of the infected computer. The source code of this utility is available to anyone without restriction.

Search for targets. With domain administrator privileges, the fraudsters explore the bank's internal network looking for systems of interest: interbank transfer systems, instant transfer services for individuals, ATM control networks, payment gateways, card processing. The search is done by hand and needs no special tools.

Working with target systems. Having found the systems of interest, the attackers use the same remote control tools to watch what legitimate operators do, so that they can later repeat those steps and send money to accounts they control. More advanced groups use ready-made tools for modifying payment documents: simple scripts, or executables that replicate the work of the scripts that automate the generation of fraudulent payments.

Cashing out. If the first five stages are accessible to many hackers and each can be carried out at minimal cost, cashing out large sums requires people with experience and resources. That is why thefts stop when the professional cash-out groups fall apart or lie low.
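The penetration stage above, like the "Mail hack" section earlier, comes down to one phishing attachment of three kinds: a document with an exploit or macro, a bare executable, or a password-protected archive with an executable inside. The added example below, which is not code from the article or from Group-IB, shows what a mail gateway can do with such a file before any employee opens it: recognise an executable by its PE header rather than by its name, catch the "act.pdf.exe" double extension, look inside ZIP-based attachments (which includes OOXML Office documents) for executables, a VBA project, or the "encrypted" flag that marks a password-protected member. The sample attachments, extension lists and finding strings are constructed; the password-protected archive is simulated by setting the ZIP encryption flag on a plain archive, which is enough to exercise the check.

```python
"""Attachment triage for the three phishing payloads the stages table lists:
a document with an exploit or macro, a bare executable, and an archive
(possibly password-protected) with an executable inside.

Added example, not code from the article or from Group-IB. Samples are
constructed in memory; the extension lists are assumptions.
"""
import io
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".cpl", ".js", ".jse", ".vbs",
            ".hta", ".bat", ".cmd", ".ps1"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
ENCRYPTED = 0x1           # general-purpose bit 0 in ZIP headers


def _exts(name):
    """All extensions of a file name, e.g. 'act.pdf.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in name.lower().split(".")[1:]]


def triage(filename, data):
    """Return a list of findings for one attachment; empty means nothing noted."""
    findings = []
    exts = _exts(filename)
    if any(e in EXEC_EXT for e in exts):
        findings.append("executable attachment")
    if len(exts) >= 2 and exts[-1] in EXEC_EXT and exts[0] in DOC_EXT:
        findings.append("double extension disguised as a document")
    if data[:2] == b"MZ":
        findings.append("PE header (MZ) regardless of extension")
    if data[:4] == b"PK\x03\x04":          # ZIP, including OOXML Office files
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).infolist()
        except zipfile.BadZipFile:
            return findings + ["unreadable archive"]
        for info in members:
            member = info.filename.lower()
            if info.flag_bits & ENCRYPTED:
                findings.append(f"password-protected member: {info.filename}")
            member_exts = _exts(member)
            if member_exts and member_exts[-1] in EXEC_EXT:
                findings.append(f"executable inside archive: {info.filename}")
            if member.endswith("vbaproject.bin"):
                findings.append("Office document carries a VBA project (macro)")
    return findings


def build_zip(members):
    """Constructed helper: pack {name: bytes} into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Constructed stand-in for a password-protected archive: set the
    'encrypted' flag in every local (offset 6) and central (offset 8) header.
    The data is not actually encrypted, only flagged, which is what the
    gateway check looks at."""
    b = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(sig)
        while i != -1:
            b[i + off] |= ENCRYPTED
            i = b.find(sig, i + 4)
    return bytes(b)


# Constructed inbound attachments (names in the spirit of the lures the
# article describes: payment orders, reconciliation acts, contract details).
SAMPLES = {
    "Payment order 23.02.docm": build_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",   # OLE header stub
    }),
    "Reconciliation act.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Contract details.zip": mark_encrypted(
        build_zip({"contract_details.exe": b"MZ" + b"\x00" * 30})),
    "Invoice 17.pdf": b"%PDF-1.4\n%...",
}


def triage_all(samples=SAMPLES):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or 'clean'}")
```

The one case this check cannot call is the clean-looking "Invoice 17.pdf" that carries an exploit for the reader: structural triage sees nothing there, which is exactly why the article's sources pair gateway filtering with patching the reader and with detonating documents in a sandbox rather than relying on either alone.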

For software banking equipment and attempts to steal cash." This is the first publicly known hacker attack of this scale on a bank in our country. Citizens' money, fortunately, was not affected. FINANCE.TUT.BY recalls the five most high-profile and largest cyber bank robberies in history.



One step away from a billion

In February 2016, a group of hackers tried to gain access to the funds of the central bank of Bangladesh, which holds an account with the Federal Reserve Bank of New York (part of the US Federal Reserve System). The criminals tried to withdraw about $1 billion from the account but managed to steal only a little over $80 million.

The hackers completed only four transactions out of the several dozen they requested. On the fifth transaction, for $20 million, the bankers became suspicious. The hackers were given away by a typo: in the name of the organization the transfer was intended for, they wrote "Shalika Fandation" instead of "Shalika Foundation". An employee of Deutsche Bank, through which the transaction was routed, noticed this and contacted Bangladesh to confirm the transaction, and that is how the scam was uncovered.

The Fed says it found no signs of hacking. The bank's representatives insist that the hackers knew the real credentials and that the payment order was confirmed through the SWIFT system. The Central Bank of Bangladesh managed to recover part of the stolen funds. Its governor resigned after the incident.

ATMs going crazy

In 2013, a group of hackers from Russia, Japan and Europe managed to steal about $300 million. They stole all over the world, from more than 100 banks in 30 countries, from Australia to Iceland. Experts note that the loss estimates are very approximate and could be three times higher. The hackers call themselves the Carbanak group.

In Kyiv, for example, an ATM began dispensing money at completely random moments. No one inserted a card or touched the buttons. Cameras recorded that the money was taken by people who happened to be nearby at that moment. Bank employees could not understand what was going on until Kaspersky Lab got involved.




Programmers discovered that malicious software installed on the bank's computers allowed the cybercriminals to monitor every move of bank employees. The software remained hidden on the computers for months, so the cybercriminals were able to learn how the bank carried out its daily transactions. That is how they were able to reprogram ATMs and transfer millions of dollars to fake accounts.

The Carbanak group was never identified and detained. It is still active, periodically disappearing and then returning. In 2015, for example, the hackers stole about 60 million Russian rubles from Russia's Avangard bank. The scheme was very similar: the ATMs began behaving simply crazily. "The ATMs received a 'dispense cash' command, people walked up to the ATMs and stuffed their jackets with money, and in five minutes they could take away several million."

Cheating move

Last year, a group of Russian hackers managed to steal 250 million Russian rubles from the country's five largest banks. The criminals withdrew the money from ATMs. The scheme is called "ATM reverse", or "reverse reversal".




"The criminal obtained a non-personalized card at the bank, deposited 5 to 30 thousand rubles onto it at an ATM, then withdrew the money from the same ATM and received a receipt for the transaction. The fraudster then sent the receipt to an accomplice who had remote access to virus-infected POS terminals, usually located outside Russia. Using the terminals and the transaction code on the receipt, the accomplice generated a command cancelling the cash withdrawal; on the terminal it looked, for example, like a return of goods. As a result of the cancellation the card balance was restored instantly, and the attacker had both the dispensed cash in hand and the previous card balance. The criminals repeated these actions until the ATMs ran out of cash," is how RBC describes the pattern of such crimes.

The thefts could only be stopped after a new security system was implemented together with the Visa and MasterCard payment systems.
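The "ATM reverse" cycle RBC describes leaves a signature in the issuer's own authorization stream: a cash withdrawal performed at an ATM in one country is "reversed" minutes later by a POS terminal in another country, as a refund of goods, and the same card does it again and again. The added example below, which is not code from the article, RBC, or any bank or card scheme, is the issuer-side rule for that: a reversal must come back through the terminal that did the withdrawal, a cash withdrawal must never be reversed as a POS refund, and a card that accumulates such reversals is the cash-out card itself. The transaction fields and sample records are constructed; "rrn" stands in for the transaction code printed on the receipt and is assumed to be the retrieval reference number.

```python
"""Detector for the "ATM reverse" cycle: a cash withdrawal at an ATM that is
later reversed as if it were a merchandise return from a POS terminal.

Added example, not code from the article, RBC or any bank or card scheme.
Transaction fields and the sample records are constructed; "rrn" stands in
for the transaction code printed on the receipt (assumed to be the retrieval
reference number).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    rrn: str            # ties the reversal to the original withdrawal
    card: str
    kind: str           # "withdrawal" or "reversal"
    terminal_id: str
    terminal_type: str  # "ATM" or "POS"
    country: str
    amount: int
    ts: datetime


def detect_reverse_cashout(txns, window=timedelta(hours=1), max_cycles=2):
    """Return (subject, description) alerts.

    A reversal is suspect when it does not come back through the terminal
    that performed the withdrawal; a card that accumulates more than
    max_cycles such reversals inside `window` is the cash-out card itself.
    """
    originals = {t.rrn: t for t in txns if t.kind == "withdrawal"}
    alerts, suspect_by_card = [], {}
    for t in sorted(txns, key=lambda x: x.ts):
        if t.kind != "reversal":
            continue
        orig = originals.get(t.rrn)
        if orig is None:
            alerts.append((t.rrn, "reversal without a matching withdrawal"))
            continue
        problems = []
        if t.terminal_id != orig.terminal_id:
            problems.append("reversal sent from a different terminal")
        if orig.terminal_type == "ATM" and t.terminal_type == "POS":
            problems.append("cash withdrawal reversed as a POS refund")
        if t.country != orig.country:
            problems.append("reversal originates in another country")
        if problems:
            alerts.append((t.rrn, "; ".join(problems)))
            suspect_by_card.setdefault(t.card, []).append(t.ts)
    for card, stamps in suspect_by_card.items():
        for i, ts in enumerate(stamps):          # stamps are already time-ordered
            in_window = sum(1 for s in stamps[: i + 1] if ts - s <= window)
            if in_window > max_cycles:
                alerts.append((card, f"{in_window} withdraw-and-reverse cycles within {window}"))
                break
    return alerts


def sample_txns():
    """Constructed feed: one honest ATM reversal (cash not dispensed, same
    terminal) and three fraud cycles on one card."""
    t0 = datetime(2016, 3, 1, 10, 0)
    feed = [
        Txn("R1", "CARD-A", "withdrawal", "ATM-0001", "ATM", "RU", 5000, t0),
        Txn("R1", "CARD-A", "reversal", "ATM-0001", "ATM", "RU", 5000, t0 + timedelta(minutes=1)),
    ]
    for i in range(3):
        w = t0 + timedelta(minutes=10 * i)
        feed.append(Txn(f"F{i}", "CARD-B", "withdrawal", "ATM-0001", "ATM", "RU", 30000, w))
        feed.append(Txn(f"F{i}", "CARD-B", "reversal", "POS-7781", "POS", "US", 30000,
                        w + timedelta(minutes=3)))
    return feed


if __name__ == "__main__":
    for subject, why in detect_reverse_cashout(sample_txns()):
        print(subject, "->", why)
```

The honest reversal (same ATM, same country, a minute later, the usual "cash not dispensed" correction) produces nothing, while each fraud cycle produces a per-transaction alert and the card itself is flagged once the third cycle lands inside the hour. The point of keeping the terminal and channel check separate from the velocity count is that the first cycle is already enough to hold the reversal for review; the count only tells the analyst which card to block.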

Russian hackers also withdrew money from bank clients' accounts through Android mobile phones. They sent SMS messages containing a Trojan, which transferred money from the bank account to the hackers' accounts.

Taiwanese gang

This summer in Taiwan, hackers managed to steal more than $2 million from ATMs without using cards. The criminals walked up to the ATMs and launched a special malicious program, and the machines willingly dispensed all the cash stored in them. Afterwards the robbers hid the evidence: no traces of malware could be found in the hacked devices. Hacking an ATM took about 10 minutes.

In all, the attackers hacked about 30 ATMs belonging to First Bank, the country's largest bank. To stop the criminals, the bank's ATMs were prohibited from dispensing money for several days. Several other Taiwanese banks introduced a similar ban as a precaution.

Hacker #1




In 1994, when computers and the Internet were far less common, Russian programmer Vladimir Levin stole more than ten million dollars from an American bank. Sitting in his room on Malaya Morskaya Street in St. Petersburg, he hacked into the cash management system of New York's Citibank, one of the largest banks on the planet. Over five months Levin managed to steal about $12 million from the bank.

Arriving at work on the morning of June 30, 1994, an employee of Hong Kong's Philippe National Bank Int. Finance Ltd. discovered that $144,000 was missing from its accounts. He saw that the money had been transferred through Citibank to another account, but it was unclear where exactly. New York said the problem was not theirs, since all transactions were recorded and they had not transferred any money. A couple of weeks later, money mysteriously disappeared from accounts in Uruguay. Citibank then contacted the FBI to begin an investigation.

Levin transferred the money to accounts in Finland, Germany, Israel, the USA and the Netherlands. First the FBI arrested his assistants, who had tried to cash out the accounts; all of them were found with fake passports and tickets to St. Petersburg. Levin himself was arrested in March 1995 and sentenced to three years in prison in 1998.

It is still unknown how Levin penetrated the Citibank computer network; the hacker himself refused to disclose the details of the hack at trial. According to one version, a group of Russian hackers initially gained access to the systems, after which one of them sold the technique to Levin for $100.

Hackers tried to steal 1.5 billion rubles, which is about 1% of the total profit of Russian banks in 2015. To do this, they registered a payment system abroad.

Threat to banks

In 2015, law enforcement agencies managed to stop an attempt at large-scale theft of money from almost all banks in Russia. This was stated by Aleksey Moshkov, head of Directorate “K” of the Russian Ministry of Internal Affairs, which combats crimes in the field of computer security, Interfax reports.

Directorate “K” prevented thefts totalling 1.5 billion rubles last year, Alexander Vurasko, head of the press service of Directorate “K”, told RBC. This is almost 1% of the total profit of banks for 2015 (RUB 192 billion). The actual damage is estimated at 400-600 million rubles, but it could grow as new victims come forward, Vurasko added. Hackers developed about a hundred different schemes for stealing funds from the accounts of both the banks themselves and their clients. “They compromised international payment systems - they discovered vulnerabilities in them and wrote software that would allow the generation of false payment documents, but the use of this software was stopped,” says Vurasko.

The Visa payment system and its VisaNet processing network were not compromised, Visa's press service said in response to RBC's request. "It seems to us that the examples referred to by the representative of the Ministry of Internal Affairs of the Russian Federation concern third-party processing companies not related to Visa systems. Therefore, we cannot comment on them,” the response says.

According to Vurasko, the hackers nearly paralyzed the banking system by compromising an interbank messaging system (the international system most used by Russian banks is SWIFT, but the Ministry of Internal Affairs does not say whether this was the one).

To withdraw funds from accounts, hackers created and registered their own payment system. As Vurasko said, it was registered in a foreign jurisdiction and complied with all international standards. “It is quite possible that the hackers sent the documents necessary for registration by email; in some countries this registration mode is acceptable,” he notes.

RBC's source in one of the international payment systems suggests that the system could have been registered in one of the CIS countries. “The legislation of Europe and the USA does not provide for the registration of payment systems,” he adds. A source at another payment system says that there is no such regime in Asian countries either.

Employees of the Ministry of Internal Affairs detained a criminal group in November last year. However, in January of this year two major Russian banks were again subjected to hacker attacks. It was a new group, but it was connected with the one detained in November and consisted of 40-60 people. “Hackers attacked two banks out of the top hundred, the banks’ processing centers gave orders to transfer funds from the accounts, money began to flow out in millions, and the Central Bank even had to disconnect these banks from BESP,” says Vurasko. Members of this group were also detained.

The ideologist of the criminal group is a 30-year-old Muscovite with a higher education; the Ministry of Internal Affairs does not disclose his name in the interests of the investigation.

Hackers are coming

Representatives of the Ministry of Internal Affairs say that if previously hackers stole money mainly from bank clients, now they are developing programs that allow them to write off money from the accounts of the banks themselves, which they have opened, for example, in other banks.

According to the Central Bank, in 2014 hackers wrote off 3.5 billion rubles from the accounts of citizens and companies. Fraudsters wrote off 1.58 billion rubles from cards; most of that amount (over 1 billion rubles) was stolen through Internet banking and mobile applications. The volume of illegal transactions made through remote service channels grew by 44.8%. At the end of 2015, Sberbank estimated the damage to Russia from cybercrime at $1 billion, and, as the bank's first deputy chairman Lev Khasis said, there are no grounds to expect the damage from such crimes to decrease.

At the beginning of this year, the company Digital Security published a review in which its experts predicted that in 2016 banks and their clients would face an increase in hacker attacks: the number of attacks on users using so-called social engineering will grow, with scammers persuading users to install malicious software themselves. The company also predicts that in 2016 the number of attacks on customer accounts carried out through attacks on the banks themselves will increase. Attackers can take over various internal systems, including payment systems and platforms for paying for government services, mobile communications and the Internet. “Seizing control of such a platform will allow clients’ money to be transferred directly to electronic wallets,” Alexey Tyurin, director of the security audit department at Digital Security, warned earlier.

Fraudsters come up with new ways to steal money from bank cards every day. CCTV cameras reduce criminals' interest in ATMs, but criminals are looking for ways around them.

Theft on the territory of the Russian Federation is a criminal offense; depending on the severity, punishment may be applied under different parts of Art. 158 of the Criminal Code of the Russian Federation: imprisonment from one to 10 years, forced labor, fine from 80 to a million rubles.

Is ATM security in question?

Two types of theft of money from payment terminals are common:

  • skimming - an overlay on the card reader for reading the PIN code;
  • "Lebanese loop" - sealing the cash dispensing pocket, in which the ATM reports the dispensing of money, while the banknotes remain inside the machine. The victim moves away from the device to complain to the facility employee or call support, and the scammer removes the sticky strip along with the money and leaves the scene.

Law enforcement officers in the capital interrupted a series of robberies in which the criminals acted like this: they blew up ATMs, or wrapped a chain around them and hauled them away to open in an unknown place. Primitive as it is, the method turned out to be effective.

Stealing money from ATMs: old ways

An old method of stealing money from ATMs is to steal the card after the victim has withdrawn funds. Another traditional method is for the attacker to break open the device, or to take the cash by carrying the whole device away from a bank or supermarket.

Criminals from Udmurtia installed several fake ATMs of a non-existent credit institution in Moscow, the Moscow region and Sochi. Citizens who tried to use these payment terminals for monetary transactions later contacted the police with statements about the theft of money. The criminals obtained passwords for more than a thousand bank cards.

New ways to steal money

Fraudsters in the Astrakhan region stole 4 million rubles by cutting and gluing banknotes: six five-thousand-ruble notes and one one-thousand-ruble note. Each note was cut into 6 parts and glued back together so that the result was a five-thousand-ruble note of which 1/6 came from the one-thousand-ruble note. The altered, now-invalid notes were credited to cards through ATMs, and after cashing out the funds the criminals could put the money back into circulation.

A Saratov fraudster pulled money out of a payment terminal using a strong thread attached to a five-thousand-ruble note. He fed the note into the terminal many times so that it was credited to the account, then pulled it back out each time. In this way the criminal took out 200 thousand rubles.

Burglars from Ufa penetrated the computer system of an ATM and changed the service code, with the help of which the dollar exchange rate was “raised” to 1.5 thousand rubles; they then exchanged 800 dollars for 1.2 million rubles. One of the culprits was detained by law enforcement officers.

Kaspersky Lab specialists have uncovered another money theft scheme. Representatives of financial institutions complained that ATMs were randomly dispensing money to people who had not taken any action. The inspection showed that no virus programs were installed on the devices themselves, but a virus was found on a computer connected to the same network as the ATMs. The hackers gained access to employees' computers and then used legitimate withdrawal methods: transferring money via the SWIFT system or cashing it out through ATMs. The hackers have not yet been caught, but more than 30 financial institutions in Russia, China, Canada, Ukraine and the United States have suffered from their actions. Individual thefts amounted to as much as $10 million, and the total financial losses of the affected banks approached a billion dollars.

Sberbank of Russia announced a new method of stealing money from ATMs, called “drilled box”. It can only be used on certain types of devices. A small hole is drilled in the body of the payment terminal, and a special cable is connected to the internal bus to pump out the money. Despite the discovery of this type of fraud, the ATM manufacturer has not responded to the problem.

Note!

New fraudulent devices include shimmers, which are produced openly and en masse; they are thinner than a human hair. The technology allows you to steal accounts, PIN codes, and other information through an ATM. A flexible metal plate is inserted into the card reader and reads data from the cards. This method can be called advanced skimming.

From a bank client card

In order to steal money from a bank card, fraudsters often use:

  • fake keyboard - a special cover is installed on the ATM keyboard. It remembers all the buttons pressed, including the PIN code;
  • tiny video camera - installed by scammers near or above the keyboard for the same purpose: to find out the PIN code and take possession of the card for withdrawing funds;
  • false money acceptors - plastic envelopes covering the ATM slot;
  • fake ATM - installed by criminals in crowded places to collect information about the cards of future victims;
  • virus software - an innovative way to steal money in which payment terminals become infected with viruses. As a result, the fraudulent programs transmit technical information and the PIN codes of clients' plastic cards.

Today, another type of theft is actively developing: account hacking. Criminals gain access to online banking services and electronic wallets without leaving home. Phishing is a method of fraud whose purpose is to seize other people's money by gaining access to confidential information: card number, password, login. The fraud involves sending emails and SMS messages that appear to come from well-known brands, banks and the payment systems themselves and contain a link to a site that looks like the original web resource. By opening the letter, the user downloads a virus program to the computer, which collects information about passwords, logins and payment card numbers and returns it to the sender of the program, or automatically starts transferring money from all available wallets to the fraudster’s details.

One type of card fraud is Winlocker - malware that blocks or complicates the operation of the Windows operating system. A message appears on the victim’s screen stating that the computer cannot function until a special password is entered, to obtain which it is necessary to send a certain amount to the attackers. After receiving the money, the criminals send a code that removes the restrictions permanently or temporarily, but the problem may arise again.

Note!

It is also possible that after receiving the money, the scammers steal information about the card number, PIN code, CVV and withdraw all the money in the account, card, or wallet.

At the bank

The method of instantly pumping money out of an ATM is called “drilled box”. Fraudsters drill a hole in a specific ATM configuration and connect to the bus, instantly siphoning off the money. Modern ATMs are quite well protected from hacking and viruses, but they must be put into a protected mode, in which the dispenser and the computer exchange information over cryptographic protocols. Then the fraudster will not be able to do anything with the device’s information bus.

Certain problems arise for banks that have not updated their software to the required level and operate without protected mode. Some credit institutions require a hardware update.

Independent manufacturers long ago came up with a device that protects against such attacks by monitoring connections to the ATM's information bus: when an external connection is detected, the dispenser is switched off and stops responding to the fraudsters’ commands. Banks make a lot of effort to prevent such crimes.
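The protected mode described above, in which the dispenser executes only commands it can authenticate as coming from the ATM computer, can be illustrated with a toy model. This is an added example, not code from the article or from any ATM vendor; the Dispenser and AtmComputer classes, the shared session key and the HMAC-SHA256 challenge-response are assumptions made for illustration and do not represent any real dispenser protocol. The point it shows is that a command injected on the bus without the key, or a captured command replayed later, is rejected because the MAC covers both the amount and a one-time nonce issued by the dispenser.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, amount: int, nonce: bytes) -> bytes:
    """MAC over the command type, the amount and the dispenser's nonce (hypothetical framing)."""
    msg = b"DISPENSE|" + amount.to_bytes(4, "big") + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Dispenser:
    """Hypothetical cash dispenser that executes only authenticated, non-replayed commands."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key          # session key shared with the ATM computer (assumed)
        self._pending_nonce = None      # nonce issued for the next command, used once
        self.cash_dispensed = 0

    def challenge(self) -> bytes:
        # Fresh random nonce: binds the next command to this exchange only.
        self._pending_nonce = secrets.token_bytes(16)
        return self._pending_nonce

    def dispense(self, amount: int, nonce: bytes, tag: bytes) -> bool:
        # No outstanding challenge, or a nonce we did not issue: replay or injection, refuse.
        if self._pending_nonce is None or not hmac.compare_digest(nonce, self._pending_nonce):
            return False
        # Wrong key or tampered amount: the MAC will not verify, refuse.
        if not hmac.compare_digest(tag, _mac(self._key, amount, nonce)):
            return False
        self._pending_nonce = None      # consume the nonce so the same message cannot be replayed
        self.cash_dispensed += amount
        return True


class AtmComputer:
    """Hypothetical ATM PC side: asks for a challenge, then sends a MAC'd dispense command."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def request_dispense(self, dispenser: Dispenser, amount: int):
        nonce = dispenser.challenge()
        tag = _mac(self._key, amount, nonce)
        accepted = dispenser.dispense(amount, nonce, tag)
        return accepted, (amount, nonce, tag)   # the tuple is what an observer on the bus would see


def demo() -> dict:
    """Run three scenarios: a genuine command, a replayed one, and one sent without the key."""
    key = secrets.token_bytes(32)
    dispenser = Dispenser(key)
    pc = AtmComputer(key)

    # 1. Genuine command from the ATM computer: accepted.
    legit_ok, captured = pc.request_dispense(dispenser, 5000)

    # 2. The same captured message sent again: nonce already consumed, rejected.
    replay_ok = dispenser.dispense(*captured)

    # 3. A device attached to the bus without the session key: MAC does not verify, rejected.
    nonce = dispenser.challenge()
    wrong_key = secrets.token_bytes(32)
    forged_ok = dispenser.dispense(200000, nonce, _mac(wrong_key, 200000, nonce))

    return {
        "legit": legit_ok,
        "replay": replay_ok,
        "forged": forged_ok,
        "dispensed": dispenser.cash_dispensed,
    }


if __name__ == "__main__":
    print(demo())   # {'legit': True, 'replay': False, 'forged': False, 'dispensed': 5000}
```

Only the genuine exchange moves cash; the key never travels over the bus, so an attached device that can read and write the bus still cannot produce a valid tag, and the one-time nonce stops it from reusing a message it recorded earlier.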

In 2017, Russian ATMs were attacked with a new dangerous virus: a remote compromise of the external perimeter of the bank's network, then of a device administration server in the closed network, and finally a direct attack on the ATMs. Experts explain that reliable protection is necessary, otherwise the credit institution's network will be compromised. It is necessary to implement specialized information security programs and involve third-party contractors to reduce the risk of security gaps.

If fraudsters have obtained the details of a bank card, it is considered compromised: the owner's details and the logins and passwords for accessing the Internet bank or mobile application become known to the attackers.

How to protect yourself from theft?

  • withdraw money from ATMs located inside branches, avoid supermarket areas where there are a lot of people and spotters;
  • If the ATM does not see the card you inserted or does not return it, immediately call support and block the card. Give the employee the device number so they can check it;
  • use SMS notifications about movements on your card account. If you have not made any transaction with the money in the account, immediately inform the bank;
  • if problems persist, after blocking the card you need to come to the branch and write a statement disputing the transaction.

More than 80 thousand sites distribute malicious browser extensions through which bank card data is stolen. Be vigilant and do not click on suspicious links.

Every day, Internet fraudsters steal about 400 thousand rubles from private bank clients, estimates the company Group-IB, which investigates cybercrimes. How to protect yourself from theft?

Over the course of a year, from April 2014 to April 2015, fraudsters stole 99 million rubles from the accounts of Russians through Internet banks. This is stated in a report published on Thursday, October 15, by Group-IB, a company engaged in the prevention and investigation of fraud using high technologies.

The criminals stole most of this amount (61 million rubles) using Trojan programs: viruses that infect mobile devices running the Android operating system and allow bank card data, logins and passwords for online banking to be intercepted. The remaining 38 million rubles were stolen using virus programs on personal computers.

Moreover, the average amount of one theft in an attack on a computer is much higher than in an attack on mobile devices (RUB 76.5 thousand versus RUB 3.5 thousand). But the number of hacker attacks on smartphones and tablets is incomparably higher. Mobile devices were attacked an average of 70 times a day, while computers were attacked only twice.

In total, in one day, scammers stole 398 thousand rubles from Russians, Group-IB calculated. Over the year, the number of daily thefts of funds from individuals has tripled. The company does not indicate how this affected the volume of stolen funds.

But the main target of hackers remains legal entities. During the year, 1.9 billion rubles were stolen from them. Another 638 million rubles were stolen by cybercriminals through targeted attacks on banks. In total, the volume of cash thefts in the Russian segment of Internet banking for the year amounted to more than 2.6 billion rubles, which is 3.7 times less than a year earlier.