How hackers steal money from legal entities. Cybercriminals rob banks using sophisticated techniques

In 2017 the damage will apparently be even greater. Oddly enough, robbing financial organizations has become easier, while protection against the new type of fraudster is not working well.


VLADIMIR RUVINSKY


Theft of the Year


On the last day of winter 2016, February 29, the capital's Metallinvestbank lost 200 million rubles. It was later established that the money had been stolen by hackers. Everything happened quickly. The terminals used to manage the credit institution's correspondent account at the Central Bank began sending unauthorized transfers from it to third-party accounts. The recipients were private individuals holding accounts at commercial banks across the country.

The suspicious behavior of the computers at Metallinvestbank was discovered immediately, Deputy Chairman of the Board Mikhail Okunev assured Dengi. “This was a hack of the AWS KBR channel, the automated workstation of a Bank of Russia client,” he said. The hack, according to Okunev, lasted about an hour. To stop the transfers, the bank even asked the Central Bank to disconnect it from the settlement system. By that time, 667 million rubles had left the Metallinvestbank correspondent account. “A third of the money was returned immediately, about a third was seized from bank accounts, and we expect that it will be returned to us based on the results of the trial, which we expect will begin in April,” says Mikhail Okunev. As already mentioned, about 200 million rubles were never returned to the bank: the attackers either quickly cashed them out from accounts they controlled or transferred them further.

This story has an ending that is rare for Russia. Three months later, in June 2016, the FSB and the Ministry of Internal Affairs reported that in a joint operation across 15 regions of the Russian Federation they had detained 50 people belonging to a hacker group called Buhtrap. It had first been noticed in 2014, when it was fleecing companies. And in August 2015, the group switched exclusively to financial organizations:

over the six months until February 2016, Buhtrap carried out 13 successful attacks on Russian banks, stealing 1.8 billion rubles, notes Group-IB, which specializes in preventing and investigating cyber attacks.

This group, according to Dengi's sources in the banking market, is also behind the attack on Metallinvestbank. Group-IB shares this opinion.

Growth by 300%


The theft of 667 million rubles from Metallinvestbank was one of the largest in the Russian Federation, at least among those that were made public. The average hacker theft from Russian banks in the period from June 2015 to May 2016 was about 140 million rubles, although there were larger amounts too. “In two cases, the amount stolen was 2.5 times the bank's authorized capital,” last year's Group-IB report noted.

In total, according to a Central Bank report published in February 2017, hackers stole 2.2 billion rubles from Russian commercial banks in 2016.

“If we talk about attempted thefts of money from the accounts of credit institutions, then in 2016 nine organizations were subjected to such attacks,” the regulator's press service told Dengi. “The attackers tried to steal about 5 billion rubles. At the same time, thefts totaling about 2.8 billion rubles were stopped.” Obviously, banks would have lost even more in 2016 had the members of Buhtrap not been captured: according to Group-IB, the group accounted for two-thirds of what was stolen from banks.

The total amount of cyber thefts from financial organizations over the past year may, however, be higher. At least, according to Group-IB estimates, from June 2015 to May 2016 hackers stole 2.5 billion rubles from Russian banks through targeted attacks (attacks in which the victim is not random but chosen deliberately).

The amount of targeted cyber thefts from banks, according to Group-IB, increased by 292% compared to the same period in 2013-2014. (According to the Central Bank, from June 2015 to May 2016 hackers stole 1.37 billion rubles from Russian banks.) “We are often accused of exaggerating the numbers, but I believe that we are underestimating,” emphasizes Dmitry Volkov, director of Group-IB's cyber intelligence department.

The company does not yet have more recent figures for 2017, but the banking community unofficially confirms to Dengi, if not an increase in the amount stolen, then an increase in the number of cyber attacks on Russian financial organizations. (At the same time, the amount stolen in a single theft may decrease.) “Attacks for the sake of the banks' own money are being carried out more and more often. There is an opinion that in the last few years the number of attacks has doubled annually,” confirms Elman Mehdiyev, executive vice president of the Association of Russian Banks (ARB). And Positive Technologies, which also investigates cybercrimes, predicts a 30% increase in hacker attacks on banks in the Russian Federation in 2017. This also applies to processing companies, brokerage structures and money transfer operators: their losses from cyber theft will also increase.

Not recognized


Metallinvestbank is a rare exception to the rule. It publicly acknowledged the theft and the amount of damage caused by the hackers. The Russian International Bank and Kazan's Altynbank also reported cyber thefts (though without details). The rest prefer not to talk about their losses.

Meanwhile, in the United States, for example, financial organizations that want to avoid heavy fines are required not only to report damage from hackers to the regulator but also to disclose it publicly. In Russia, bankers say, financial and credit institutions have not publicized such information widely, fearing large image and reputational losses (and the law does not oblige them to be frank).

There is no open, complete data in Russia on how much hackers have stolen from the accounts of banks and their clients, whether individuals or legal entities.

The Central Bank's statistics on this are compiled from bank reports, and until 2015 banks were in no hurry to share confidential information about cyber thefts with the regulator. A little over a year ago they were obliged to do so. “The Central Bank's overall data on cyber thefts in the Russian Federation do not reflect the picture,” says a former head of a unit in a department of the Ministry of Internal Affairs, who wished to remain anonymous. “There are many more of them than the banks say.” This, however, primarily concerns cyber thefts from the clients of financial organizations. It is not in the interests of banks to hide attacks against themselves from the Central Bank, Dengi's interlocutors are sure. But it is quite possible to do so.

“When forming statistical reporting, the Bank of Russia proceeds from the fact that credit organizations conscientiously approach the preparation of reports,” the regulator's press service reported. “At the end of 2016, the Bank of Russia's statistics almost completely correlate with the Ministry of Internal Affairs statistics on this type of crime.”

Banks are the main target

Several thousand rubles stolen from your card are the spoils of pickpockets. Professional computer criminals “take” hundreds of millions at a time.


If back in 2013, the main targets of experienced hackers were bank clients, now they are financial institutions themselves, say experts interviewed by Dengi. The most professional cybercriminals, having trained on companies, switched to banks. There the risks and excitement are higher, the business is more complicated, but the jackpot is much more tempting.

The income of hackers from targeted attacks on banks for the period from June 2015 to May 2016, according to Group-IB, “covered the total income from all other methods of theft, making banks the most attractive target.” If hackers stole 2.5 billion rubles from banks during the specified period, then from legal entities - 956 million, from individuals through desktop computers - 6.4 million, from them, but through smartphones - 348.6 million.

From legal entities, for one theft in Internet banking, it was possible to “receive” almost 300 times less than from banks: 480 thousand versus 140 million rubles.

The most qualified hackers, the “elite”, work on both of them. The accounts of ordinary citizens are cleaned out by a separate group of cyber fraudsters; this, experts say, is in fact the digital-era analogue of low-skilled pickpockets. They steal an average of 51.6 thousand rubles at a time from citizens' bank accounts via desktop personal computers, and an average of 4 thousand at a time via Android smartphones (not much, but thefts are committed far more often there).

Russian cybertheft market for Q2 2015 – Q1 2016



Type of theft | Number of hacker groups | Average amount of one theft, rub. | Total amount of theft, rub. | Growth compared to the previous period, %
Targeted attacks on banks | 5 | 140 million | 2.5 billion | 292
Internet banking for legal entities | 6 | 480 thousand | 956 million | -50
Desktop PCs for individuals | 1 | 51.6 thousand | 6.4 million | -83
Android smartphones for individuals | 11 | 4 thousand | 348.6 million | 471
Cashing out stolen funds | - | - | 1.7 billion | 44
Total | - | - | 5.5 billion | 44

Source: Group-IB

No one is invulnerable


In total, there are now about 570 commercial banks operating in the country, and hackers have most likely probed all of them (including the more than 300 that were closed during the purge launched by the Central Bank). “There are no banks that aren't attacked,” says Elmar Nabigaev, head of the information security threat response department at Positive Technologies. “Everyone is subject to hacker attacks,” agrees Alexey Golenishchev, director of electronic business monitoring at Alfa Bank. “But few people will go after a secure bank from which it is difficult to withdraw money.”

Many financial organizations, primarily regional ones, are poorly prepared for cyber attacks. “Banks, especially in the regions, are still confident that cyber fraudsters are only gutting clients, which they have already paid for,” notes a top manager from the banking sector, who wished to remain anonymous. According to Elmar Nabigaev, banks as a rule change their approach after the first theft. “Now there are fewer of them,” he notes. Fewer, partly because the bulk of the closed banks were regional.

“Readiness varies depending on the size of the bank. Large ones are ready for attacks, medium and small ones are not all ready... But you can never be one hundred percent ready for betrayal within an organization, regardless of the size of the bank,” notes Elman Mehdiyev from the ARB. Roman Chaplygin, director of cybersecurity risk analysis and control at PwC, draws attention to the lack of funding: “In Russia there are many banks that do not have sufficient financial resources to build a cybersecurity system within the organization and repel attacks.”

However, there is another problem. “Some banks in Russia and abroad don’t believe that computer crime exists,” says Ilya Sachkov, CEO of Group-IB. “Even in respected government agencies there are people who don’t believe in it either.”

Penetration tests of the information systems of companies and banks, conducted in 2015 by Positive Technologies, also indicate the weak readiness of credit institutions for cyber attacks. 17 institutions were tested in Russia and abroad, a third of them banks and financial institutions.

In 82% of systems it was possible to get into the network, in every second case it was possible to gain control over critical company resources, and in 28% complete control over the entire infrastructure of the organization was obtained.

According to Elmar Nabigaev, the situation has not changed significantly to date: “In the banking industry, from a security point of view, everything is not very good. Most attackers have no difficulty obtaining full privileges on the network. The results of our investigations of incidents in banks show that in most cases the attacks ended in complete compromise of the network and theft of funds."

Weakness of banks


Lending institutions seem to be investing in cybersecurity. Even despite the crisis. “According to our data, in 2017 the budget for cybersecurity in Russia increased by 18%,” says Roman Chaplygin from PwC.

Increasing the budget, however, does not always help. “Many banks limit themselves to investing in security at the level of compliance with standards,” explains Elmar Nabigaev. “If you put a check mark in the document, you bought the right security measure, then everything is fine. But you can't just buy a piece of hardware and forget about it: information security is a process. A bank's infrastructure changes, cybercriminals update their tools and attack patterns, so security must constantly improve.”

Those whose cyber protection did not help found themselves in a very sticky situation. “Unfortunately, many information security employees hid the problem from bank management, and this could go on until 2013-2014,” says Ilya Sachkov. “You spent a lot of money, but it didn't solve the problem. And you have to spend more. We even had conflicts with some banks when, through the monitoring system, we were able to identify crimes at the preparation stage: we knew whom money could be stolen from, we reported this to the information security staff, but they did not use this information in any way, because they were afraid to show it to management.”

Those to whom the bank management did not allocate funds for cyber protection use this as a reason to abdicate responsibility: they say, we asked for money, but you did not give it, says a top manager from the banking sector who wished to remain anonymous. “In those banks where IT security is part of a service that has grown out of the physical security service, this happens most often,” our interlocutor is sure.

Sergey Golovanov, a leading anti-virus expert at Kaspersky Lab, who participated in the investigation of cyber thefts in financial organizations, agrees: “Most often, banks have problems not with budgets, but with awareness of incidents.

Most attacks happen due to stupidity, oversight, accident, if you like. And so it is all over the world.

If a bank formally follows the letter of the law (so-called paper cybersecurity), then it will still become a victim of an attacker."

“It’s not enough to buy expensive systems,” notes Elmar Nabigaev. “For their effective operation and configuration, highly qualified and very expensive personnel are needed, and not every bank can afford to keep such professionals on staff. And there are very few of them.”

There are few knowledgeable specialists not only in banks but also in law enforcement agencies, says Dengi's source in a department of the Ministry of Internal Affairs: “There are almost no operatives or investigators who are able to understand the technical side of cases, combine the episodes and explain their essence to the prosecutor and the judge.”

Thief from a thief


Using inside information alone, thieves in Russia steal money from cash-out banks, which accept funds and then receive instructions on where to transfer them. “There are groups of attackers who gain access to such mail at a cash-out bank or a sender of money,” says Dmitry Volkov from Group-IB. “The fraudsters see the correspondence and send these instructions to the bank themselves from the hacked mailbox.

For example, today money should go to China - attackers intercept such a letter and replace it: yes, also China, but a different legal entity. And $200 million goes to the wrong company.

They control the mail. The bank asks: “Should I send it there exactly?” Hackers answer: “Yes, there.” That's all. The amounts of theft here are large, and a lot of things are done based on tips."

And who will admit to the Central Bank, to clients or to partners that gray money was stolen, that a laundering or cash-out scheme, essentially a criminal one, was hit?

How banks are robbed

Have your employees stopped subscribing to a paper newspaper or a popular weekly magazine? Wait for hackers and robbers.


Human factor


An attack on a bank is primarily an attack on a person.

First, it is important for attackers to penetrate the computer of a bank employee.

From there, access to the local network opens up: hackers obtain administrator privileges, which lets them attack the systems responsible for financial transactions: AWS KBR workstations, ATM networks, stock exchange terminals, electronic settlement and interbank transfer systems, SWIFT and processing systems. That is what makes it possible to steal funds.

This is exactly how the theft most likely occurred at Metallinvestbank: payment terminals and the corporate network were combined here, which played into the hands of the hackers. “It’s really difficult to say what was the initial entry point into the banking system,” says Mikhail Okunev. “But we have closed all the vulnerabilities and are constantly improving in this regard. We have physically separated the common banking network and those machines that are responsible for sending any payments. The bank carried out a complete restructuring of the information security system."

Mail hack


There are several ways to penetrate a bank employee's computer. The most common is via email. Specific employees are sent a letter with an attached document carrying a malicious program with so-called exploits. Using vulnerabilities in the software, these open a back door into the employee's computer. To get the malicious file opened, attackers send it on behalf of bank clients, the Central Bank (as the Buhtrap group did) or government agencies.

The letter may also be backed up by a telephone call: check the contract details, the reconciliation report, the latest orders, they say. And it won't necessarily be a letter from a fake address: hackers can send infected files from real but hacked addresses. It could even be a genuine email from partners, but one carrying malware.

“Criminals have additional opportunities to carry out attacks through numerous banking counterparties, whose defenses against cyber threats are often not developed at all,” says Roman Chaplygin.

What happens next? An employee opens a document, for example a .pdf, and the malicious program embedded in it checks whether the reader has vulnerabilities. It often does, because the updates that patch the software are not applied regularly. Updates are not a panacea, however; they only reduce the risk: to the delight of hackers, programs have vulnerabilities unknown to their developers.

Using these vulnerabilities, via the exploits embedded in the sent document, cybercriminals enter the victim's computer through the back door. “The attacker installs a program that lets him obtain the network administrator's passwords, then he moves to different computers and gains full access,” says Ilya Sachkov. “We investigated a case where attackers controlled the entire banking network, stole a large amount from a correspondent account, then dispersed it across different accounts and cashed it out. They had access to the mail server and the main servers, and they read how the bank was responding to the investigation.”
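The delivery methods described above (an executable disguised as a document, a document carrying macros, a password-protected archive that scanners cannot open) can be caught at the mail gateway before the employee ever sees the attachment. The following is an added example, not code from the article or from any of the companies it quotes: a small attachment-triage routine that decides which attachments should be held for sandbox analysis. The rule names, the extension lists and the sample files (built inline) are constructed assumptions; the ZIP header layout and the vbaProject.bin part of OOXML documents are real format details.

```python
import io
import struct
import zipfile

# Added example, not from the article: mail-gateway attachment triage that
# flags the attachment types the text describes (executables, documents with
# macros, password-protected archives). Rules and samples are constructed.

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "jpg", "txt"}


def is_encrypted_zip(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first ZIP local file header
    (offset 6) is set when the entry is password-protected."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML documents are ZIP containers; a vbaProject.bin part means the
    document carries VBA macros whatever its extension says."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be held for sandbox analysis
    instead of being delivered; an empty list means deliver."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append("executable attachment")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXT:
            reasons.append("double extension disguised as a document")
    elif data[:2] == b"MZ":
        reasons.append("PE executable hidden behind a non-executable name")
    if ext in MACRO_EXT:
        reasons.append("macro-enabled document")
    if data[:4] == b"PK\x03\x04":
        if is_encrypted_zip(data):
            reasons.append("password-protected archive (cannot be scanned)")
        elif ooxml_has_vba(data):
            reasons.append("VBA project inside an Office document")
    return reasons


def build_docx_with_macro() -> bytes:
    """Constructed sample: a minimal OOXML container with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample: a ZIP local file header with the encryption flag set.
ENCRYPTED_ZIP = b"PK\x03\x04" + struct.pack("<HHH", 20, 0x0001, 0) + b"\x00" * 20

SAMPLE_ATTACHMENTS = {
    "invoice_2016.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "reconciliation.pdf": b"%PDF-1.4\n",
    "contract.docx": build_docx_with_macro(),
    "orders.zip": ENCRYPTED_ZIP,
}


def triage_all(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_ATTACHMENTS).items():
        verdict = "hold: " + "; ".join(reasons) if reasons else "deliver"
        print(f"{name}: {verdict}")
```

The point of holding rather than blocking is the one the article makes later: the decision should come from detonation in an isolated environment, not from the workstation antivirus alone. The `.docx` check shows why extension lists are not enough; the macro part is found by looking inside the container.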

Meanness through the newspaper


Another way to get onto a bank employee's computer is a mass one, which, experts say, is a thing of the past. Fraudsters compromise popular sites: business and news publications, legal or government directories. Unbeknownst to the owners, hackers embed a small program in the site that checks every visitor for their browser, operating system, flash player and pdf reader, the versions of their updates, and so on. “In this way, vulnerable software is found on average on 13-15% of visitors,” says Dmitry Volkov. Incidentally, according to Group-IB, this method is now actively used to infect Android smartphones with Trojans and steal money from them. Then, through the back doors found, programs are downloaded onto the computer that check, in particular, whether it has connections to banking or accounting programs, which antivirus is installed, and so on. Some of these computers may turn out to be in a bank.

But the attackers do not know which computer they have hit. To cope with this, they download, for example, a modified malicious program that finds out whether there are traces of work with banking or accounting applications. “In some cases it works: if you're lucky, one in a thousand of those hacked will be an accountant's computer, the antivirus on it is bad, and there is an opportunity to steal money,” Volkov explains. When it comes to penetrating a banking network, attackers who have recently gotten into a computer often use legitimate or free remote-control tools. Previously it was necessary to write Trojans; now the system of theft from banks is highly automated and cheaper, and penetration into a banking network, Group-IB notes, “does not require special experience or hard-to-find software.”

Steal and Cash


According to a source in a department of the Ministry of Internal Affairs, cybercriminals paid 30-60% of the stolen money for cashing out, depending on the “purity” of the money and the complexity of the schemes. If the amount is large, the money is dispersed: for example, in a so-called salary project, 50 million rubles are withdrawn through a legal entity onto 50 bank cards.

Or money flows, for example, to two thousand Qiwi wallets and 100 thousand SIM cards, and from them to bank cards. To withdraw money, they hire people who have to “be visible” at ATMs; they are paid about 5% of what is withdrawn.

If you need to get a lot at once, the person is sent to a bank branch with certified documents from the director of a shell company, and he receives everything through the cash desk. When cashing groups break up or go under, the thefts temporarily stop. However, you can cash out money anywhere, says Elmar Nabigaev: hackers successfully use foreign accounts.

ATM attack


New technologies are changing the scheme. By penetrating a bank's network, you can steal money from ATMs. “Now hackers are penetrating the bank’s corporate network, finding the ATM network, that is, they are infiltrating the computers of the employees who service these ATMs, and downloading malware to the ATMs,” says Nabigaev. The hackers' cash-out accomplices approach the ATMs, and the hacker remotely commands the device to dispense cash. This money theft scheme, he said, is gaining popularity. Cases of such thefts were reported in the media, but the amounts of thefts and the owners of ATMs were not specified.

The scheme is convenient for hackers because a small number of cashers lets them rob many ATMs. “Banks may not notice this immediately, since ATM cash collection is not daily, and the banking systems may report that there is still money in the ATMs,” says Nabigaev. “It may take a week until it turns out that the money was stolen. It is difficult to find the attackers, since time has already been lost and the traces of their crime are usually covered up: for example, hackers turn off the cameras on the ATMs.”

Having penetrated the computer system of a financial organization, in July 2016 a group of masked young men attacked 34 ATMs of one of the largest Taiwanese banks, First Bank, taking away 83.27 million Taiwan dollars (more than $2 million).

In August, 12 million baht (about $350 thousand) were stolen from 21 Government Savings Bank ATMs in Thailand using a similar scheme. In September, similar attacks, Group-IB notes, were recorded in Europe, but they were not made public.

Stages of cyber theft of money from banks


Stage | Method of action
Penetration | The main one is sending a phishing email with an attachment in the form of a document with an exploit/macro, an executable file, or a password-protected archive with an executable file. An attachment with an exploit can be created using ready-made tools. No special tools are required to send an executable file.
Remote access | After successful infection, all groups use various remote control tools. Typically, these are legitimate and free tools.
Obtaining privileges | Having gained remote access to a bank's network, attackers often use a free tool that allows them to extract logins and passwords in clear text from the RAM of an infected computer. The source code of this utility is available to everyone without restrictions.
Search for targets | Having domain administrator privileges, fraudsters begin to explore the bank's internal network in search of systems of interest. The targets may be interbank transfer systems, instant transfers for individuals, ATM control networks, payment gateways, card processing. The search is carried out manually and does not require special tools.
Working with target systems | Having discovered systems of interest, attackers, using the same remote control tools, monitor the actions of legitimate operators in order to subsequently repeat their steps and send money to controlled accounts. More advanced groups use ready-made tools for modifying payment documents: simple scripts or executable files that replicate the work of the scripts that automate the generation of fraudulent payments.
Cashing out | If the first five stages are accessible to many hackers and each of them can be implemented at minimal cost, then to cash out large amounts of money you need people with experience and resources. Therefore, when the professional groups involved in cashing out disintegrate or go to ground, thefts stop.

Banks have built fairly effective barriers to protect against external attacks, but are not ready to resist violators on the internal network. By overcoming the perimeter using social engineering, web application vulnerabilities or insiders, attackers find themselves in a comfortable environment, the level of security of which is no different from companies in other areas.

With access to the bank's internal network, Positive Technologies specialists were able to gain access to financial applications in 58% of cases. In 25% of banks, the nodes from which ATMs are controlled were compromised, which means that followers of the Cobalt group using similar hacking methods could withdraw money from these banks. Transferring funds to your own accounts through interbank transfer systems, which are targeted by the Lazarus and MoneyTaker groups, would be possible in 17% of banks.

In 17% of banks, card processing systems are not sufficiently protected, which allows attackers to manipulate the balance on their card accounts, as we saw in early 2017 in attacks on banks in Eastern Europe. The Carbanak group, distinguished by its ability to successfully carry out attacks on any banking application, could steal funds from more than half of the banks tested by experts. On average, an attacker who has penetrated a bank's internal network requires only four steps to gain access to bank systems.

The report notes that the level of network perimeter protection in banks is significantly higher than in other companies: over three years, as part of external penetration testing, access to the internal network was obtained in 58% of systems, and for banks this figure was only 22%. However, this level is very far from ideal, given the high financial motivation of attackers and the lack of practice in many banks of analyzing the security of online service code at the design and development stages. During penetration tests, in all cases, access was facilitated by vulnerabilities in web applications (social engineering methods were not used). Such methods of penetration were used in their activities, for example, by the ATMitch and Lazarus groups.

Remote access and management interfaces, which are often accessible to any external user, also pose a great danger to banks. Among the most common are the SSH and Telnet protocols, which are found on the network perimeter of more than half of banks, as well as access protocols for file servers (in 42% of banks).

But the weakest link is bank employees. Attackers can easily bypass network perimeter protection systems using a simple and effective method, phishing, which delivers malware to the corporate network. Phishing emails are sent to bank employees at both work and personal addresses. This method of overcoming the perimeter was used by almost every criminal group, including Cobalt, Lazarus, Carbanak, Metel and GCMAN. According to Positive Technologies, on average about 8% of users in banks clicked on a phishing link and 2% launched an attached file. The study also gives examples of advertisements on hacker forums offering the services of insiders in banks. According to the experts, in some cases the privileges of an employee with only physical access to network outlets (a cleaner, a security guard) are sufficient for a successful attack. Another option for the initial spread of malware is hacking third-party companies, which are not as serious about protecting their resources, and infecting sites frequently visited by employees of the target bank, as in the case of Lazarus and Lurk.

Once criminals gain access to the bank’s local network, they need to gain local administrator privileges on employee computers and servers to further develop the attack. Typical attack vectors are based on two main shortcomings - weak password policies and insufficient protection against recovering passwords from OS memory.

If on the network perimeter dictionary passwords are found in almost half of the banks, then on the internal network every system studied suffers from a weak password policy. In approximately half of the systems, weak passwords are set by users, but even more often we come across standard accounts that administrators leave when installing a DBMS, web servers, OS, or when creating service accounts. A quarter of the banks set the password to P@ssw0rd; common passwords include admin, combinations like Qwerty123, blank and standard passwords (for example, sa or postgres).
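A password policy that is actually enforced, rather than written down, needs a check that runs when a password is set and during periodic account reviews. The following is an added example, not code from the report or from Positive Technologies: a small audit routine that flags exactly the classes of weakness the paragraph names (vendor-default accounts such as sa and postgres, blank passwords, P@ssw0rd-style substitutions, keyboard walks like Qwerty123). The word list, the rule names and the sample accounts are constructed assumptions; in practice the candidate passwords would come from a password-change hook or a controlled audit, never from a plaintext store.

```python
# Added example, not from the report: an account audit that flags the weak
# and default passwords the text lists. Word list, rules and sample
# accounts are constructed for illustration.

COMMON_PASSWORDS = {
    "password", "p@ssw0rd", "admin", "administrator", "qwerty", "qwerty123",
    "123456", "12345678", "welcome", "sa", "postgres", "root", "guest",
}
# Stock accounts that installers of a DBMS, web server or OS leave behind.
VENDOR_DEFAULT_ACCOUNTS = {"sa", "postgres", "admin", "administrator", "root", "guest"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 12

# Undo the most common letter substitutions so P@ssw0rd matches "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "!": "i"})


def normalize(password: str) -> str:
    return password.lower().translate(LEET)


def has_keyboard_run(password: str, length: int = 4) -> bool:
    """True if any `length` consecutive characters walk along a keyboard row
    in either direction (qwer, 4321, ...)."""
    text = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(text) - length + 1):
            chunk = text[i:i + length]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def audit_password(username: str, password: str) -> list[str]:
    """Return the policy violations for one account (empty list = acceptable)."""
    findings = []
    if password == "":
        return ["blank password"]
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        findings.append("common or vendor-default password")
    if password.lower() == username.lower():
        findings.append("password equals username")
    if has_keyboard_run(password):
        findings.append("keyboard sequence")
    if password.isdigit():
        findings.append("digits only")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def audit_accounts(accounts: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Audit (username, password) pairs. A stock account with any finding is
    escalated, since it is the first thing an intruder tries. Accounts that
    pass are omitted from the result."""
    report = {}
    for username, password in accounts:
        findings = audit_password(username, password)
        if username.lower() in VENDOR_DEFAULT_ACCOUNTS and findings:
            findings.insert(0, "stock account still enabled with a weak password")
        if findings:
            report[username] = findings
    return report


# Constructed sample, modelled on the values the report names.
SAMPLE_ACCOUNTS = [
    ("ivanov", "P@ssw0rd"),
    ("petrov", "Qwerty123"),
    ("sa", "sa"),
    ("postgres", ""),
    ("sidorov", "Correct-Horse-Battery-2017"),
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```

The normalization step is what makes the "P@ssw0rd in a quarter of banks" finding reproducible: a plain blacklist compare would pass it. Stock accounts are escalated rather than merely listed because they combine a guessable name with a guessable password, which is the pairing an intruder tests first.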

Inside the network, attackers move freely undetected using known vulnerabilities and legitimate software that does not arouse suspicion among administrators. Taking advantage of security flaws in the corporate network, attackers gain complete control over the entire bank infrastructure in a short time.

“You need to understand that an attacker will not be able to achieve his goal and steal money if the attack is detected and stopped in time, and this is possible at any stage if appropriate protection measures are taken,” says Positive Technologies analyst Ekaterina Kilyusheva. “It is necessary to scan email attachments in an isolated environment, without relying solely on the antivirus solutions installed on user workstations. It is extremely important to receive notifications from security systems in a timely manner and respond to them immediately, using continuous monitoring of security events by an internal or external SOC unit, as well as SIEM solutions, which can significantly facilitate and increase the efficiency of processing information security events.”
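Kilyusheva's point that an attack can be stopped at any stage, read together with the stage table above, is really a correlation requirement: each stage leaves its own telemetry (an Office reader spawning a child process, a remote-administration tool appearing, a user process reading LSASS memory, a domain administrator logging on to a host for the first time), and a SIEM needs to join those per host rather than alert on each in isolation. The following is an added example, not code from the report or from any SIEM product: a minimal correlation that maps detection rules onto the stages and raises one alert per host when consecutive stages appear within a time window. The rule names, the log line format and the events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Added example, not from the report: SIEM-style correlation that maps
# individual detections onto the attack stages in the table and alerts when
# a host advances through 2+ stages within a window. Rule names, log format
# and events are constructed for illustration.

# detection rule name -> (stage label, stage order)
STAGE_OF_RULE = {
    "office_app_spawned_child_process": ("penetration", 1),
    "remote_admin_tool_installed": ("remote_access", 2),
    "lsass_memory_read_by_user_process": ("credential_harvest", 3),
    "domain_admin_logon_to_new_host": ("target_search", 4),
    "payment_system_session_off_hours": ("target_system", 5),
}
WINDOW = timedelta(hours=24)


def parse_event(line: str) -> Optional[dict]:
    """Parse one 'TIMESTAMP key=value ...' line; None for rules not mapped
    to a stage (ordinary operational events)."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    if fields.get("rule") not in STAGE_OF_RULE:
        return None
    stage, order = STAGE_OF_RULE[fields["rule"]]
    return {
        "ts": datetime.fromisoformat(timestamp),
        "host": fields["host"],
        "user": fields.get("user", "?"),
        "stage": stage,
        "order": order,
    }


def correlate(lines: list[str], window: timedelta = WINDOW) -> list[dict]:
    """Per host, follow the chain of strictly advancing stages that starts
    within `window` of the first stage event; report chains of 2+ stages.
    A single stage on its own (a user launching a tool from a document,
    a help-desk remote session) is left to ordinary triage."""
    by_host = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event:
            by_host[event["host"]].append(event)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        chain = []
        for event in events:
            if not chain:
                chain.append(event)
            elif event["order"] > chain[-1]["order"] and event["ts"] - chain[0]["ts"] <= window:
                chain.append(event)
        if len(chain) >= 2:
            alerts.append({
                "host": host,
                "stages": [e["stage"] for e in chain],
                "users": sorted({e["user"] for e in chain}),
                "first_seen": chain[0]["ts"],
                "last_seen": chain[-1]["ts"],
                "severity": "high" if len(chain) >= 3 else "medium",
            })
    return alerts


# Constructed sample log: one workstation walking through four stages in
# three hours, one host with an isolated event, and an unrelated event.
SAMPLE_LOG = [
    "2017-03-01T09:12:00 host=ws-acct-07 rule=office_app_spawned_child_process user=ivanov",
    "2017-03-01T09:40:00 host=ws-acct-07 rule=remote_admin_tool_installed user=ivanov",
    "2017-03-01T11:05:00 host=ws-acct-07 rule=lsass_memory_read_by_user_process user=ivanov",
    "2017-03-01T12:30:00 host=ws-acct-07 rule=domain_admin_logon_to_new_host user=da_backup",
    "2017-03-01T10:00:00 host=ws-hr-02 rule=office_app_spawned_child_process user=petrova",
    "2017-03-02T08:00:00 host=srv-file-01 rule=scheduled_backup_completed user=system",
    "2017-03-03T09:00:00 host=ws-hr-02 rule=remote_admin_tool_installed user=helpdesk",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(f"{alert['severity'].upper()} {alert['host']}: "
              f"{' -> '.join(alert['stages'])} ({', '.join(alert['users'])})")
```

The window is the design choice worth arguing about: ws-hr-02 sees two stage events two days apart and is not alerted, which is the right call for a help-desk remote session but would miss a patient intruder. Lengthening the window raises sensitivity at the cost of false positives, so the value should follow the dwell times seen in the bank's own incidents rather than a fixed default.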

22 Sep 2013, 19:18

Very often you read in the news that hackers stole several million from clients of such and such banks. How exactly does this happen?
I haven't looked into this, and my interest is purely theoretical, but only one thing comes to mind: clients leave their credit card data on the Internet (for example, when paying in various online stores), and hackers break into store databases and get access to the card data (number + PIN code), then cash out or sell it for cash to other people.
It turns out that when we read about the theft of 2 million dollars from Bank N, in reality hundreds and thousands of clients are being robbed (people's credit lines are not hundreds of thousands of dollars).
How else can hackers steal bank money?

22 Sep 2013, 22:48

In fact, everything is much simpler and more banal. Nowadays, it is not at all necessary to be a hacker in order to carry out a “hacking” attack. Everything is done by employees of banks or payment systems. Someone somewhere can copy the required database and give it to the right people who will start churning out fake cards. Stealing data from the inside is a million times easier than obtaining it by breaking into the Internet, because the technical issue has long been brought to perfection.

All that hackers do now is primitive DDoS, which is more like the work of a manager organizing groups of people for attacks than the work of programmers. If someone tells you about the work of hackers, then this first of all means that someone wants to hide your money or blame some higher powers for their mistakes. Banks are obliged to be responsible for such mistakes themselves, but if this happens in some small payment system, then consider that you were simply scammed.

How exactly do hackers steal money from bank accounts?

23 Sep 2013, 13:51

It seems that small banks have imperfections in the field of data protection, large banks most likely check their employees up to the 7th level, so there is no need to talk about espionage here. When paying online, no PIN is entered, so this information can only be calculated by algorithms. If a person in a bank has a good position, then he is unlikely to risk his job and freedom for the sake of a few thousand rubles.

23 Sep 2013, 15:55

nsergienko wrote: It seems that small banks have imperfections in the field of data protection, large banks most likely check their employees up to the 7th generation, so there is no need to talk about espionage here. When paying online, no PIN is entered, so this information can only be calculated by algorithms. If a person in a bank has a good position, then he is unlikely to risk his job and freedom for the sake of a few thousand rubles.
The carelessness of people themselves destroys all defense systems.


We are not talking about one card with several thousand rubles, but about databases with thousands of cards. It's easy to risk your job for this. Even those people who check employees “up to the 7th generation” can commit such a crime. However, among Russian banks you will not find a single large bank; even Sberbank employees work in such conditions under which it is simply ridiculous to talk about security. This is not even espionage, but a simple scam among employees who have access to money.

You see, in order to install a security system you don’t have to be a big bank; even an ordinary person can do this on his home computer. The days when expensive house-sized computers were used to process data are long gone. Technically, everyone is protected equally. There is no need to blame people for carelessness. It is simply impossible for hackers to hack into the accounts of each person separately (and it is not profitable) and, as a result, rob the entire bank of large sums.

23 Sep 2013, 17:19

It’s easy: they go to the bank, find out the access passwords to personal accounts and from there transfer money somewhere. Or they do it even more brazenly, transferring from the bank without any reason (they simply give an order on behalf of the bank to transfer from its correspondent account at the Central Bank or another bank). The main thing here is to withdraw it in time, before the bank discovers the loss, that’s all.

On banking equipment software and attempts to steal cash.” This is the first case of a hacker attack of this scale on a bank in our country that became known to the public. Citizens' money, fortunately, was not affected. FINANCE.TUT.BY recalled the five most high-profile and largest cyber bank robberies in history.


One step away from a billion

In February 2016, a group of hackers tried to gain access to funds from the central bank of Bangladesh, which maintains an account with the Federal Reserve Bank of New York (part of the US Federal Reserve System). The criminals tried to withdraw about $1 billion from the account, but they only managed to steal a little more than $80 million.

The hackers successfully completed only four transactions out of several dozen requested. On the fifth transaction, for $20 million, the bankers became suspicious. The hackers were given away by a typo: in the name of the organization for which the transfer was intended, instead of “Shalika Foundation” they wrote “Shalika Fandation”. An employee of Deutsche Bank, through which the transaction passed, noticed this and contacted Bangladesh to confirm the transaction, and this is how the scam was revealed.

The Fed says it found no signs of hacking. Bank representatives insist that the hackers knew the real credentials, and the payment order was confirmed by the SWIFT system. The Central Bank of Bangladesh managed to return part of the stolen funds. The Chairman of the Central Bank resigned after the incident.

ATMs going crazy

In 2013, a group of hackers from Russia, Japan and Europe managed to steal about $300 million. They stole all over the world: from more than 100 banks in 30 countries, from Australia to Iceland. At the same time, as experts note, estimates of losses are very approximate and may be three times higher. The hackers call themselves the Carbanak group.

In Kyiv, for example, an ATM began dispensing money at completely random moments. No one inserted cards into it or touched the buttons. The cameras recorded that the money was taken by people who happened to be nearby at that moment. Bank employees could not understand what was happening until Kaspersky Lab got involved.


Programmers discovered that malicious software had been installed on the bank's computers, allowing the cybercriminals to monitor every move of bank employees. The software stayed hidden on the computers for months, so the cybercriminals were able to learn how the bank carried out its daily transactions. That is how they were able to reprogram ATMs and transfer millions of dollars to fake accounts.

The Carbanak group was not discovered and detained. It is still active, periodically disappearing before returning. For example, in 2015 the hackers stole about 60 million Russian rubles from the Russian bank “Vanguard”. The scheme is very similar: the ATMs began to behave simply crazily. “The ATMs received a command to ‘give out money’, people approached the ATMs and stuffed their jackets with money, and in five minutes they could take away several million.”

Cheating move

Last year, a group of Russian hackers managed to steal 250 million Russian rubles from the country's five largest banks. The criminals withdrew money from ATMs. This scheme is called “ATM-reverse”, or “reverse reverse”.


“The criminal received a non-personalized card from the bank, deposited from 5 thousand to 30 thousand rubles onto it through an ATM, then withdrew them at the same ATM and received a receipt for the transaction. Next, the fraudster sent the receipt to his accomplice, who had remote access to virus-infected POS terminals, usually located outside of Russia. Using the terminals and the transaction code specified in the receipt, the accomplice generated a command to cancel the cash withdrawal operation: on the terminal it looked, for example, like a return of goods. As a result of canceling the operation, the card balance was restored instantly, and the attacker had the issued cash in hand and the previous card balance. The criminals repeated these actions until the ATMs ran out of cash,” RBC describes the pattern of such crimes.

It was possible to stop the thefts only after the banks implemented a new security system together with the Visa and MasterCard payment systems.
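The weak point in the scheme described above is that the reversal arrives from a different terminal type and a different country than the cash withdrawal it cancels, and that the cycle repeats. The following Python detector, added here as an illustration (not the banks' or the payment networks' actual controls), correlates each reversal with the transaction code it references and flags exactly those mismatches, plus repetition of the pattern on one card within a time window. Field names, the event records and the country code ZZ are all constructed for the example; a real processing system would apply the same logic to its own authorization and reversal messages.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Txn:
    rrn: str                       # transaction code printed on the receipt
    card: str
    kind: str                      # "DEPOSIT", "WITHDRAWAL", "PURCHASE" or "REVERSAL"
    amount: int                    # minor currency units (kopecks), integer on purpose
    terminal: str
    terminal_type: str             # "ATM" or "POS"
    country: str                   # country code of the terminal
    at: datetime
    ref_rrn: Optional[str] = None  # REVERSAL only: rrn of the transaction being undone


def detect_reverse_fraud(txns: List[Txn], window: timedelta = timedelta(hours=1),
                         max_cycles: int = 2) -> List[Dict[str, str]]:
    """Flag reversals that do not look like a genuine cancellation of their original."""
    originals = {t.rrn: t for t in txns if t.kind != "REVERSAL"}
    alerts: List[Dict[str, str]] = []
    suspicious_times: Dict[str, List[datetime]] = {}

    for t in sorted(txns, key=lambda x: x.at):
        if t.kind != "REVERSAL":
            continue
        orig = originals.get(t.ref_rrn or "")
        reasons: List[str] = []
        if orig is None:
            reasons.append("reversal references an unknown transaction code")
        else:
            # A cash withdrawal can only be undone by the ATM that dispensed it.
            if orig.kind == "WITHDRAWAL" and t.terminal_type == "POS":
                reasons.append("cash withdrawal reversed from a POS terminal")
            if orig.country != t.country:
                reasons.append(f"reversal sent from {t.country}, original in {orig.country}")
            if orig.card != t.card:
                reasons.append("reversal card differs from original card")
            if orig.amount != t.amount:
                reasons.append("reversal amount differs from original amount")
        if not reasons:
            continue
        # Track how often one card produces suspicious reversals inside the window.
        times = suspicious_times.setdefault(t.card, [])
        times.append(t.at)
        recent = [ts for ts in times if t.at - ts <= window]
        if len(recent) >= max_cycles:
            reasons.append(f"{len(recent)} suspicious reversals within {window}")
        alerts.append({"card": t.card, "rrn": t.rrn, "reasons": "; ".join(reasons)})
    return alerts


# Constructed sample stream; timestamps are relative to an arbitrary start time.
T0 = datetime(2015, 3, 1, 10, 0)


def _m(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


SAMPLE_TXNS: List[Txn] = [
    # Legitimate: a shop purchase refunded at the same terminal.
    Txn("P1", "CARD-A", "PURCHASE", 250000, "POS-SHOP-1", "POS", "RU", _m(0)),
    Txn("R1", "CARD-A", "REVERSAL", 250000, "POS-SHOP-1", "POS", "RU", _m(5), ref_rrn="P1"),
    # Legitimate: an ATM withdrawal that failed to dispense and was reversed by the same ATM.
    Txn("W0", "CARD-A", "WITHDRAWAL", 300000, "ATM-01", "ATM", "RU", _m(10)),
    Txn("R0", "CARD-A", "REVERSAL", 300000, "ATM-01", "ATM", "RU", _m(10), ref_rrn="W0"),
    # The pattern from the article: deposit, withdraw, cancel from a foreign POS terminal, repeat.
    Txn("D1", "CARD-B", "DEPOSIT", 1000000, "ATM-02", "ATM", "RU", _m(20)),
    Txn("W1", "CARD-B", "WITHDRAWAL", 1000000, "ATM-02", "ATM", "RU", _m(21)),
    Txn("X1", "CARD-B", "REVERSAL", 1000000, "POS-FOREIGN-9", "POS", "ZZ", _m(24), ref_rrn="W1"),
    Txn("W2", "CARD-B", "WITHDRAWAL", 1000000, "ATM-02", "ATM", "RU", _m(26)),
    Txn("X2", "CARD-B", "REVERSAL", 1000000, "POS-FOREIGN-9", "POS", "ZZ", _m(29), ref_rrn="W2"),
]

if __name__ == "__main__":
    for alert in detect_reverse_fraud(SAMPLE_TXNS):
        print(alert)
```

The two legitimate reversals pass because terminal type, country, card and amount all agree with the original; the two reversals on CARD-B trip the terminal-type and country rules, and the second one additionally trips the repetition rule, which is the signal that the card is being cycled rather than used once.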

Russian hackers also withdrew money from bank clients' accounts through mobile phones running Android. They sent SMS messages containing a Trojan, which transferred money from the bank account to the hackers' accounts.

Taiwanese gang

This summer in Taiwan, hackers managed to steal more than $2 million from ATMs without using any cards. The criminals approached the ATMs and launched a special malicious program, and the machines willingly gave out all the cash stored in them. Afterwards the robbers hid the evidence: no traces of malware could be found in the hacked devices. Hacking one ATM took about 10 minutes.

In total, the attackers hacked about 30 ATMs belonging to the country's largest bank, First Bank. To stop the criminals, the bank banned cash withdrawals at its ATMs for several days. Out of caution, several other banks in Taiwan introduced a similar ban.

Hacker #1


In 1994, when computers and the Internet were not so common, Russian programmer Vladimir Levin stole more than ten million dollars from an American bank. Sitting in his room on Malaya Morskaya Street in St. Petersburg, he hacked the funds management system of New York's Citibank, one of the largest banks on the planet. Over five months, Levin managed to steal about $12 million from the bank.

Arriving at work on the morning of June 30, 1994, an employee of the Hong Kong Philippe National Bank Int. Finance Ltd. discovered that $144,000 was missing from its accounts. He saw that this money had been transferred through Citibank to another account, but it was unclear where exactly. In New York they said the problem was not theirs, since all transactions were recorded and they had not transferred any money. A couple of weeks later, money mysteriously disappeared from accounts in Uruguay. Citibank then contacted the FBI to begin an investigation.

Levin transferred money to accounts in Finland, Germany, Israel, the USA and the Netherlands. At first, the FBI arrested his assistants who tried to cash out the accounts. All of them were found with fake passports and tickets to St. Petersburg. Levin himself was arrested in March 1995, and in 1998 he was sentenced to three years in prison.

It is still unknown how Levin penetrated the Citibank computer network. The hacker himself refused to disclose the details of the hack at the trial. There is a version that a certain group of Russian hackers initially gained access to the systems, after which one of them sold the technique to Levin for $100.

The name of the bank and the amount stolen are not disclosed, but in this way hackers can deprive banks of all their money. Swift's clients include about 11 thousand institutions, and its payment system processes billions of dollars.

According to experts, the Cobalt group, which is now the main threat to financial organizations, is linked to this robbery.

The attack took place on December 15 via malware. Dmitry Volkov, head of the cyber intelligence department at Group-IB, says this incident shows that the hackers have found reliable methods for laundering the money.

Volkov explains that the Swift system itself is completely invulnerable. The problem lies in the insufficient security of the banks that use this system.

As is known, Swift has not been used for such thefts before. This is because it requires professionals: the maximum haul from ATMs does not exceed several hundred thousand dollars, whereas through the interbank transfer system one can get millions, and that requires great skill. The record so far is half a billion rubles. At first the suspected group successfully robbed ATMs in the CIS countries, but then switched to card processing. Perhaps this is because specialists were found who were able to support and carry out such operations.

It is believed that this was done using malware. It is sent in an email, a bank employee opens it, and the program runs and gives the fraudster access to that computer. Then the hacker begins to study the bank's internal network. Of course, there are ways to monitor such attacks, but not all security departments have sufficiently modern means to do so. Conventional firewalls and antiviruses cannot provide complete protection against such situations.
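The chain this paragraph describes, and the SOC/SIEM monitoring the Positive Technologies analyst recommends earlier on the page, can be made concrete with process-creation telemetry: an office document spawning a script host is the point where "the employee opened it" becomes "the program runs", and a shell spawned that way then launching network discovery tools is "the hacker begins to study the internal network". The Python detector below is an added example (not Group-IB's or any vendor's detection content); the key=value event format, host and user names, file names and timestamps are constructed, standing in for the fields that Sysmon or EDR process-creation events carry.

```python
import re
from typing import Dict, List

# Executables grouped by role (all well-known Windows binaries; constructed grouping).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DISCOVERY_TOOLS = {"net.exe", "whoami.exe", "nltest.exe", "ipconfig.exe", "systeminfo.exe"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def detect_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Two correlated rules over process-creation events, in timestamp order."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.get("ts", ""))
    alerts: List[Dict[str, str]] = []
    hosts_with_office_shell = set()     # hosts where rule 1 already fired

    for e in events:
        parent = e.get("parent", "").lower()
        image = e.get("image", "").lower()
        host = e.get("host", "?")
        # Rule 1: a document viewer should never start a shell or script engine.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hosts_with_office_shell.add(host)
            alerts.append({"ts": e["ts"], "host": host, "rule": "office_spawns_script_host",
                           "detail": f"{e['parent']} -> {e['image']}"})
        # Rule 2: discovery tools run from a shell on a host where rule 1 fired.
        elif (parent in SCRIPT_HOSTS and image in DISCOVERY_TOOLS
              and host in hosts_with_office_shell):
            alerts.append({"ts": e["ts"], "host": host, "rule": "discovery_after_office_shell",
                           "detail": f"{e['parent']} -> {e['image']}"})
    return alerts


# Constructed sample events: one infected workstation and one benign document open.
SAMPLE_EVENTS = [
    'ts=2016-12-15T09:01:12 host=WS-ACC-07 user=bank\\ivanova parent=explorer.exe '
    'image=OUTLOOK.EXE cmdline="OUTLOOK.EXE"',
    'ts=2016-12-15T09:02:40 host=WS-ACC-07 user=bank\\ivanova parent=OUTLOOK.EXE '
    'image=WINWORD.EXE cmdline="WINWORD.EXE /n C:\\Temp\\finmonitoring_notice.doc"',
    'ts=2016-12-15T09:02:55 host=WS-ACC-07 user=bank\\ivanova parent=WINWORD.EXE '
    'image=powershell.exe cmdline="powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"',
    'ts=2016-12-15T09:05:10 host=WS-ACC-07 user=bank\\ivanova parent=powershell.exe '
    'image=net.exe cmdline="net.exe view"',
    'ts=2016-12-15T09:30:00 host=WS-ACC-03 user=bank\\petrov parent=explorer.exe '
    'image=WINWORD.EXE cmdline="WINWORD.EXE C:\\Users\\petrov\\Documents\\report.docx"',
]

if __name__ == "__main__":
    for alert in detect_suspicious(SAMPLE_EVENTS):
        print(alert)
```

Outlook opening Word is normal and produces nothing, as does the second user's document; the Word-to-PowerShell edge fires on its own, and the later discovery command on the same host is reported only because that host already has the first alert, which keeps the second rule from firing on administrators' routine use of the same utilities.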

It is reported that the affected bank recently underwent an inspection from the Central Bank, which indicated that its information security level was insufficient. They received recommendations to improve it, but apparently did not implement them.

Experts say other payment systems could also be used. Usually there are two options: either gaining access to a specific terminal, for example Visa or Mastercard, and then attacking it; or gaining access to whatever comes first, in this case Swift, and then acting according to the situation.

In recent years, attacks on banks have become more advanced, as ever more sophisticated Trojans appear, against which it is increasingly difficult to find protection. Now you just need to find out the email addresses of some employees and send them letters disguised as financial-monitoring notices, containing malicious programs that run when the letter is opened.

In the spring of 2016, Swift already warned its employees about the increasing attempts at cyber attacks, but they did not disclose details then.

Group-IB also does not say which bank was affected and how much was stolen. Swift supported this position and reported that all threats were thoroughly checked and eliminated.

Some experts think a small bank was attacked. They explain this by saying that it is more profitable to “attack” banks that do not have enough funds to improve protection against cyber attacks. The first bank to suffer from such a robbery was in Bangladesh, so apparently it was a small institution in Russia this time.

In Bangladesh, this incident occurred the previous year. Then the hackers gained access to several accounts at the Bangladesh Central Bank and requested the transfer of a certain amount. The Federal Bank of New York approved these requests and $80 million was transferred to the accounts of Philippine casinos. Doubts were raised only by the incorrectly spelled word “fund” in one of the documents.