A million in a couple of minutes. How hackers are robbing banks around the world
This spring, two of the organizers of the hacker group Carberp were sentenced to five and eight years in prison. More than a thousand Russian citizens became their victims, and the total amount stolen came to about $10 million, although not all episodes were proven. The hackers built a botnet with the Carberp banking Trojan, which accounts for 72% of financial institution infections worldwide. The virus reached users' computers when they visited infected sites, among them popular financial portals. A special loader program determined which remote banking system was used on the computer and selected the appropriate virus module.
Although the organizers of the group were caught and prosecuted, the source code of the malicious Carberp was published on the Internet in the public domain, and its various modifications aimed at banks in Europe and Latin America are already appearing.
Remote banking services (RBS) are the most attractive target for hackers. They carefully select banks with a large turnover of funds in RBS and attack their systems.
According to Group-IB, about 28 thefts are committed daily in Russian banks; the average amount stolen from legal entities is 1.6 million rubles, and from individuals 75,000 rubles.
When electronic signature keys were stored on flash drives or computers, thefts were committed instantly and very simply. Then banks began to switch to tokens, compact USB key fobs used for user authorization and secure remote access to data. But they did not become a panacea either: the developers of the Carberp group did not need much time to create a virus that bypassed the protection and imperceptibly replaced the details of a legitimate payment order.
In an attempt to protect their customers, banks began to introduce one-time passwords sent to the owner of the card or account via SMS. However, attackers successfully counter them with social engineering and phishing pages that imitate real Internet banking pages. One-time SMS passwords were at the center of a recent incident with the RBS of a large Russian bank. Fraudsters simply hacked subscribers' personal accounts on mobile operators' websites and set up SMS forwarding. By redirecting clients' SMS messages to their own numbers, they gained access to the clients' Internet bank accounts and transferred funds to the accounts of nominees, who were themselves clients of the bank.
As for thefts committed by company employees, the scheme is quite simple: an insider withdraws funds for cashing out, infects a computer with a virus and writes off the theft as the virus's work.
The large number of cash-out services in Russia greatly facilitates the economic side of the crime. Nevertheless, it is quite simple for a professional to investigate such incidents: usually even a primary examination establishes the absence of a banking virus, and if one is present, it turns out that it was not used.
The main direction of protection against fraud in RBS today is the creation of systems able to determine that the client's workstation is infected and that the operation being carried out is a hacker attack.
Over the past two years, the segment of TrustScreen-class solutions has also been developing very actively in Russia. They display the details of the payment order on the screen of a device installed between the workstation and the token, and block the signing operation until the client checks that the details are correct and presses the confirmation button. With this architecture, no document in the Internet banking system can be changed without the legitimate user noticing. In the West, solutions with similar functionality have been used for several years and have proven themselves quite well.
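The property the TrustScreen architecture relies on is that the signature is computed over exactly the details the device displayed, so a compromised workstation can neither substitute the payee before signing (the user sees the wrong account and declines) nor after signing (the bank's verification fails). The following model, added here as an illustration and not code from any vendor or from the article, uses an HMAC as a stand-in for the token's signature; the key, account numbers and amounts are constructed values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Stand-in for the non-exportable signing key inside the user's token (constructed value).
TOKEN_KEY = b"example-token-key-not-real"


@dataclass(frozen=True)
class PaymentOrder:
    payee_account: str
    amount_kopecks: int
    purpose: str

    def canonical(self) -> bytes:
        """Deterministic encoding: the signature covers exactly these fields."""
        return json.dumps(
            {"payee": self.payee_account, "amount": self.amount_kopecks, "purpose": self.purpose},
            sort_keys=True, separators=(",", ":"),
        ).encode()


def render_for_screen(order: PaymentOrder) -> str:
    """Text on the device's own display, which the host PC cannot alter."""
    return f"Pay {order.amount_kopecks / 100:.2f} RUB to {order.payee_account} ({order.purpose})"


class TrustScreen:
    """Device between workstation and token: signs only the order it displayed,
    and only after the user pressed 'confirm' on the device itself."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, order: PaymentOrder, confirm: Callable[[str], bool]) -> Optional[bytes]:
        if not confirm(render_for_screen(order)):
            return None  # the user saw details that did not match their intention
        return hmac.new(self._key, order.canonical(), hashlib.sha256).digest()


def bank_verify(key: bytes, order: PaymentOrder, signature: bytes) -> bool:
    """Bank-side check: does the signature match the order actually submitted?"""
    expected = hmac.new(key, order.canonical(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_user(intended: PaymentOrder) -> Callable[[str], bool]:
    """A user who confirms only when the screen shows what they typed into the Internet bank."""
    return lambda shown: shown == render_for_screen(intended)


# Constructed orders: the one the user typed, and the same order with a mule account substituted.
INTENDED = PaymentOrder("40702810900000001234", 150_000_00, "Invoice 17")
TAMPERED = PaymentOrder("40817810099990005678", 150_000_00, "Invoice 17")


def scenario_clean_workstation() -> bool:
    device = TrustScreen(TOKEN_KEY)
    sig = device.sign(INTENDED, make_user(INTENDED))
    return sig is not None and bank_verify(TOKEN_KEY, INTENDED, sig)


def scenario_substitution_before_signing() -> bool:
    """Malware swaps the payee before the order reaches the device: the screen shows
    the mule account, the user declines, nothing is signed."""
    device = TrustScreen(TOKEN_KEY)
    return device.sign(TAMPERED, make_user(INTENDED)) is None


def scenario_substitution_after_signing() -> bool:
    """Malware lets the genuine order be signed, then submits the tampered order with
    that signature: verification fails because the signature binds the displayed details."""
    device = TrustScreen(TOKEN_KEY)
    sig = device.sign(INTENDED, make_user(INTENDED))
    return sig is not None and not bank_verify(TOKEN_KEY, TAMPERED, sig)


if __name__ == "__main__":
    print(scenario_clean_workstation(), scenario_substitution_before_signing(),
          scenario_substitution_after_signing())
```

The design point is that the host never obtains a signature over bytes the screen did not render; the weak link that remains is the user's own comparison of the displayed details, which is why the text above stresses inattentive users.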
Although, taking into account the inattention and gullibility of many RBS users, banks still do not have 100% protection against attacks. Hackers' work is becoming more and more deliberate; not only technical means but also social engineering are used everywhere. In addition, data can be stolen through no fault of the bank, yet the bank will still suffer losses. Thus, in the US, hackers stole the plastic card data of almost 70 million customers of the American retail chain Target, and banks had to spend $200 million to reissue the cards. However, with the right approach, it is relatively easy to reduce risks to an acceptable level and build a system that, in the event of an attack, helps to quickly investigate the incident and minimize the damage.
On the software of bank equipment and attempts to steal cash.” This is the first case of a hacker attack of this magnitude on a bank in our country that became known to the public. Citizens' money, fortunately, did not suffer. FINANCE.TUT.BY recalled five of the most high-profile and largest cyber robberies of banks in history.
One step away from a billion
In February 2016, a group of hackers tried to access the funds of the Central Bank of Bangladesh, which holds an account with the Federal Reserve Bank of New York (part of the US Federal Reserve System). The criminals tried to withdraw about $1 billion from the account, but managed to steal only a little more than $80 million.
The hackers successfully completed only four transactions out of the several dozen requested. On the fifth transaction, for $20 million, the bankers became suspicious. The hackers were betrayed by a typo: in the name of the organization for which the transfer was intended, they wrote “Shalika Fandation” instead of “Shalika Foundation”. An employee of Deutsche Bank, through which the transaction was passing, noticed this and contacted Bangladesh to confirm the transaction; this is how the scam was revealed.
The Fed says there were no signs of a hack. Bank representatives insist that the hackers knew the real credentials and that the payment order was confirmed through the SWIFT system. The Central Bank of Bangladesh managed to recover part of the stolen funds. The chairman of the Central Bank resigned after the incident.
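The transfer was caught because a human noticed a misspelled beneficiary name. The check below is an added example, not anything the article says Deutsche Bank or SWIFT actually ran: it screens a beneficiary name against a registry of known counterparties with an edit-distance threshold, so that a near-miss such as “Shalika Fandation” is routed to manual review rather than silently treated as a new payee. The registry and threshold are constructed for the example.

```python
import re
from typing import List, Optional, Tuple


def normalize(name: str) -> str:
    """Case-fold and collapse whitespace so cosmetic differences do not count as edits."""
    return re.sub(r"\s+", " ", name.strip().casefold())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# Constructed registry of counterparties already known to the bank.
KNOWN_BENEFICIARIES: List[str] = ["Shalika Foundation", "Acme Trading LLC"]


def screen_beneficiary(name: str, known: List[str] = KNOWN_BENEFICIARIES,
                       max_distance: int = 2) -> Tuple[str, Optional[str], int]:
    """Return ('match', name, 0), ('near_miss', closest, d) for a name within
    max_distance edits of a known beneficiary but not identical to it (hold for
    review), or ('unknown', None, d) when nothing is close."""
    n = normalize(name)
    closest = min(known, key=lambda k: levenshtein(n, normalize(k)))
    d = levenshtein(n, normalize(closest))
    if d == 0:
        return ("match", closest, 0)
    if d <= max_distance:
        return ("near_miss", closest, d)
    return ("unknown", None, d)


if __name__ == "__main__":
    for candidate in ["Shalika Foundation", "Shalika Fandation", "Totally Different Co"]:
        print(candidate, "->", screen_beneficiary(candidate))
```

A near miss is deliberately treated as more suspicious than a wholly unknown name: a payee one or two edits away from an established counterparty is exactly the pattern of a typo in a fabricated instruction.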
Crazed ATMs
In 2013, a group of hackers from Russia, Japan and Europe managed to steal about $300 million. They stole all over the world, from more than 100 banks in 30 countries, from Australia to Iceland. At the same time, experts note that the loss estimates are very approximate and could be three times higher. The hackers call themselves the "Carbanak group".
In Kyiv, for example, an ATM began dispensing money at completely random times. No one inserted cards into it or touched the buttons. Cameras recorded that the money was taken by people who happened to be nearby at that moment. Bank employees could not understand what was happening until Kaspersky Lab got down to business.
The analysts found that malicious software had been installed on bank computers, allowing the cybercriminals to monitor every step of bank employees. The software remained hidden on the computers for months, so the cybercriminals were able to learn how the bank performs its daily operations. This is how they were able to reprogram ATMs and transfer millions of dollars to fake accounts.
The Carbanak group has not been discovered or detained. It is still operating, periodically disappearing and then returning. For example, in 2015 hackers stole about 60 million Russian rubles from the Russian bank Avangard. The scheme was very similar; ATMs began to behave simply insanely: “The ATMs received a command to 'dispense money', people approached the ATMs and stuffed their jackets with money; they could carry away several million in five minutes.”
A cunning move
Last year, a group of Russian hackers managed to steal 250 million Russian rubles from the five largest banks in the country. The criminals withdrew the money from ATMs. This scheme was called "ATM-reverse", or "reverse reverse".
"The criminal obtained a non-personalized card from the bank, deposited from 5 thousand to 30 thousand rubles through an ATM, then withdrew them at the same ATM and received a receipt for the operation. The scammer then sent the receipt to an accomplice who had remote access to virus-infected POS terminals, usually located outside Russia. Through the terminals, using the transaction code indicated on the receipt, the accomplice formed a command to cancel the cash withdrawal operation: on the terminal it looked, for example, like a return of goods. As a result of the cancellation, the card balance was restored instantly, and the attacker had both the cash in hand and the previous card balance. The criminals repeated these actions until the ATMs ran out of cash,” is how RBC describes the scheme of such crimes.
It was possible to stop the theft only after a new protection system was introduced together with the Visa and MasterCard payment systems.
Russian hackers also withdrew money from bank customers' accounts through mobile phones on the Android platform. They sent SMS messages with a Trojan inside, which transferred money from the bank account to the hackers' accounts.
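The scheme RBC describes leaves a clear signature in the issuer's transaction feed: a reversal that cancels an ATM cash withdrawal but arrives from a POS terminal, from a different device and a different country, and is repeated per card in deposit / withdraw / cancel cycles. The detection logic below is an added example for this passage, not the protection system Visa and MasterCard actually deployed, which the article does not detail. The transaction format and the sample feed are constructed; real authorization messages carry far more fields.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Tx:
    code: str        # transaction code as printed on the ATM receipt
    kind: str        # ATM_DEPOSIT | ATM_WITHDRAWAL | POS_PURCHASE | REVERSAL
    channel: str     # ATM | POS
    terminal: str
    country: str
    card: str
    amount: int      # rubles
    ref: str = ""    # for REVERSAL: code of the transaction being cancelled


# Constructed sample feed, in chronological order. Card A shows a legitimate merchant
# return; card B shows the deposit / withdraw / cancel-from-abroad cycle run twice;
# card C shows a reversal that references nothing the issuer knows about.
SAMPLE: List[Tx] = [
    Tx("A1", "POS_PURCHASE",   "POS", "POS-0101", "RU", "cardA", 1200),
    Tx("A2", "REVERSAL",       "POS", "POS-0101", "RU", "cardA", 1200, ref="A1"),
    Tx("B1", "ATM_DEPOSIT",    "ATM", "ATM-7701", "RU", "cardB", 5000),
    Tx("B2", "ATM_WITHDRAWAL", "ATM", "ATM-7701", "RU", "cardB", 5000),
    Tx("B3", "REVERSAL",       "POS", "POS-9001", "MD", "cardB", 5000, ref="B2"),
    Tx("B4", "ATM_DEPOSIT",    "ATM", "ATM-7701", "RU", "cardB", 30000),
    Tx("B5", "ATM_WITHDRAWAL", "ATM", "ATM-7701", "RU", "cardB", 30000),
    Tx("B6", "REVERSAL",       "POS", "POS-9001", "MD", "cardB", 30000, ref="B5"),
    Tx("C1", "REVERSAL",       "POS", "POS-9001", "MD", "cardC", 700, ref="ZZZ"),
]


def suspicious_reversals(txs: List[Tx]) -> List[Tuple[str, List[str]]]:
    """Flag reversals whose origin does not fit the transaction they cancel."""
    originals = {t.code: t for t in txs if t.kind != "REVERSAL"}
    alerts: List[Tuple[str, List[str]]] = []
    for t in txs:
        if t.kind != "REVERSAL":
            continue
        orig = originals.get(t.ref)
        if orig is None:
            alerts.append((t.code, ["reversal references an unknown transaction"]))
            continue
        reasons = []
        if orig.kind == "ATM_WITHDRAWAL" and t.channel == "POS":
            reasons.append("cash withdrawal cancelled as a merchant return")
        if orig.terminal != t.terminal:
            reasons.append("reversal sent from a different terminal")
        if orig.country != t.country:
            reasons.append("reversal sent from a different country")
        if t.amount != orig.amount:
            reasons.append("amount differs from the original")
        if reasons:
            alerts.append((t.code, reasons))
    return alerts


def reversal_cycles_per_card(txs: List[Tx]) -> Dict[str, int]:
    """Count, per card, flagged reversals of an ATM withdrawal that was preceded by a
    deposit of the same amount: the repeated cycle that empties the ATM."""
    flagged = {code for code, _ in suspicious_reversals(txs)}
    by_code = {t.code: t for t in txs}
    counts: Dict[str, int] = defaultdict(int)
    for i, t in enumerate(txs):
        if t.kind != "REVERSAL" or t.code not in flagged:
            continue
        orig = by_code.get(t.ref)
        if orig is None or orig.kind != "ATM_WITHDRAWAL":
            continue
        deposited_first = any(
            d.kind == "ATM_DEPOSIT" and d.card == orig.card and d.amount == orig.amount
            for d in txs[:i]
        )
        if deposited_first:
            counts[orig.card] += 1
    return dict(counts)


if __name__ == "__main__":
    for code, reasons in suspicious_reversals(SAMPLE):
        print(code, "->", "; ".join(reasons))
    print(reversal_cycles_per_card(SAMPLE))
```

The channel mismatch alone (a cash withdrawal undone as a goods return) is the decisive rule; terminal and country mismatches add confidence, and the per-card cycle count turns single alerts into a pattern worth blocking the card over.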
Taiwan gang
This summer in Taiwan, hackers managed to steal more than $2 million from ATMs without using cards. The criminals approached the ATMs and launched a special malicious program, and the machines willingly dispensed all the cash stored in them. Afterwards the robbers hid the evidence: no traces of malware could be found in the hacked devices. Hacking an ATM took about 10 minutes.
In total, the attackers hacked about 30 ATMs belonging to First Bank, the country's largest bank. To stop the criminals, the bank suspended cash withdrawals from its ATMs for several days. As a precaution, several other banks in Taiwan introduced a similar ban.
Hacker #1
In 1994, when computers and the Internet were not yet so common, Russian programmer Vladimir Levin stole over ten million dollars from a US bank. Sitting in his room on Malaya Morskaya Street in St. Petersburg, he hacked into the money management system of New York's Citibank, one of the world's largest banks. In five months, Levin managed to steal about $12 million from the bank.
Arriving at work on the morning of June 30, 1994, an employee of the Hong Kong Philippe National Bank Int. Finance Ltd. discovered that $144,000 was missing from the accounts. He saw that this money had been transferred, through Citibank, to another account, but it was not clear where exactly. In New York, they said the problem was not on their side, since all transactions are recorded and they had not transferred any money. A couple of weeks later, money mysteriously disappeared from accounts in Uruguay. Then Citibank contacted the FBI to start an investigation.
Levin transferred money to accounts in Finland, Germany, Israel, the USA and the Netherlands. First, the FBI arrested his accomplices, who had tried to cash out the accounts. They all had fake passports and tickets to St. Petersburg. Levin himself was arrested in March 1995, and in 1998 he was sentenced to three years in prison.
It is still unknown how Levin got into the Citibank computer network. At the trial the hacker himself refused to disclose the details of the hack. There is a version that a certain group of Russian hackers initially gained access to the systems, after which one of them sold the technique to Levin for $100.
There is a lot of malware on the network which, if handled correctly, brings in very good money. In particular, when a user is infected with a virus, some amount of money is stolen from his WebMoney and transferred to another wallet. The theme of a Trojan that sends SMS to paid numbers from USB modems is also slowly spreading across the network.
Such a business can easily bring in from $1500 per day at minimal cost.
Bays on various props
Let's say you have a botnet, a lot of bots obtained from business traffic. Accordingly, there are a lot of accounts for payment systems, but draining the money yourself would take a lot of time, and besides, not many people know how to do it. Basically, in such situations, people look for a partner who handles the withdrawal of funds. This is called a bay: for a certain percentage, a person cashes out an amount of money and transfers most of it to the one who supplied it. You may also see ads for bays; those should be taken a little differently. A person simply transfers funds to your account for 50% of their value. You pay before the funds are deposited.
Virus making
Virusmaker: a person who writes malware (Trojans, rootkits, cryptors, etc.). Such specialists earn on the order of $4,000-$10,000.
21:56:36 8
MyP3uk Passive hacking
I refer to the following topics as passive hacking:
All these little things can bring up to $2000 monthly!
Moreover, such people are mostly resellers and it is not possible to track them. Thus, they often remain in the shadows.
Selling experience
Lots of people online sell courses and manuals, host webinars on various topics, etc. These people are selling you their experience. Let's say you want to learn something: self-education will take too much time, while by participating in a webinar you will immediately reach a level no lower than average. I will not name the cost of webinars; it is different everywhere.
10:01:45 5
MyP3uk Dockers
Dockers: sellers who sell documents. An advanced docker will easily issue you an IP/PE, can make a visa to any country, provide an offshore account in a foreign bank, or even provide an entire offshore company!
It all depends on the size of your wallet. Only they know how much they earn. For example, a scan of a set of docs (main page of a passport and residence registration, income statement, TIN, medical policy, driver's license) costs on the order of $200-250. An offshore company in the Seychelles costs 50,000 rubles. And an IP/PE will cost you $400.
Dockering is quite a profitable business, but you need a lot of documents to start, and you need channels to produce them...
As soon as I have a spare 15 minutes, I will write about the types of kidalovo (scamming). I think this also applies to business.
18:41:13 5
oeyii Drop farming
Dropovod: a person or woman who breeds drops.
Drop: a person who either knowingly becomes a drop to take part in not entirely legal affairs, or is drawn into it by means of social engineering (SE), deception, or concealment of some details of what he will be involved in.
Dropovods are usually smart people with excellent skills in espionage, the psychology of communication, seduction and brainwashing. They breed drops for some of the following themes:
- Nominee director services (nominals)
- Bays, receiving staff (goods), opening bank accounts
- Registration of any property, bank cards, accounts
- Saddling with loans, car loans and mortgages
Universal drop handlers (those who breed drops for any purpose and have more than 1000 drops in their database) are a rarity to find. As a rule, they work with a certain circle of regular "buyers".
A good drop breeder who has, say, 30 knowing and 20 deceived drops in his collection will be able to earn from $3000 minimum (in a good market, and only providing them for a specific direction).
A universal drop handler that provides drops for any need in different countries earns about $30,000 per month or more.
20:19:36 6
MyP3uk Kidalovo (scamming) online
Ripper (from the English RIP: a lazy person, an asshole): a scammer who tries in one way or another to deceive his partners, thereby luring out of them anything useful to him.
I have seen a lot of scammers on the network; I think they can be divided into several groups:
Now about each group in more detail.
Carding scammers often pretend to be cool carders or entire carding offices; by any means they try to push "plastic for cash", cardboard, equipment and all other related tools on you, which, of course, they do not have and never had. In carding they are basically familiar only with general terms, and then only from articles whose authors are themselves not involved in carding, so they are weeded out by their use of slang. They are also very driven by money: for example, offer them 50% of the price for their goods and they will gladly agree. Be careful, there are enough such individuals on the network!
Backbiters are such messed-up guys who often ask decent sellers for something "for verification" and then dump them for another portion of freebies. For ordinary users they are not dangerous in any way, but for sellers they represent a threat, even if not a serious one; one might even say not a threat but an uncleanness, because it is not very nice to hand out goods either...
Homeless people are a special case! This species is dangerous because they "represent" a wide range of "services", so they can rip you off without looking back. They do not give a damn about their reputation; there were cases when on Achat one such type ripped off ~17 people for a ridiculous amount, 1 ruble! It is precisely such individuals who are the moral leaders of the Homeless.
To avoid being scammed, you should work through guarantors and with trusted sellers.
23:35:57 4
With the ubiquity of smartphones, free public Wi-Fi and mobile banking, we are increasingly at risk of being targeted by cunning intruders. Hackers' methods are constantly changing: now you can lose money on the way to work or after an SMS from a bank. Lenta.ru found out what new dangers await citizens every day and what needs to be done to protect their savings.
Behavior Engineers
In mid-March, Russian banks sounded the alarm: over the past six months they had lost almost 2 billion rubles to hacker attacks. Moreover, whereas earlier criminals mainly tried to hack into computer systems, now they have turned to the human factor.
Employees of financial institutions were sent letters on behalf of the Central Bank with an attached document that allegedly contained work instructions. In fact, the file contained the Buhtrap program, which checked the browser for links to pages with already completed transactions. Since in most cases all logins, passwords and account numbers are stored there, the hackers freely withdrew and transferred money to themselves.
Moreover, a letter with the virus also arrived in a private chat for members of bank security services, this time on behalf of Gazprombank. The Buhtrap virus was disguised as a table with the data of "drops", people in whose names fake credit cards are issued.
The criminals tried to impersonate the Central Bank again on March 15, when they sent letters with malicious files to dozens of banks on behalf of FinCERT, a special department within the Central Bank created to inform financial institutions about cyber attacks. The mailing was carried out against a specially compiled database, and each letter began with an address by last name, first name and patronymic. True, this time no one fell for the hackers' trick.
Cybersecurity experts call this method of hacking "social engineering", because the emphasis is not on infecting a computer system with a virus but on the predictability of human reactions. The case of bank employees can, however, be considered an exception; ordinary plastic card holders usually suffer from such psychological experiments.
Most often, scammers find the names and contacts of future victims on the Internet, send them a message about their account being blocked, and then call on behalf of bank employees and try to find out the card number as well as the CVV2 code on the back. This data is then used to withdraw funds or make a large purchase in an online store. To combat this type of fraud, most Russian banks have already introduced SMS confirmation of all payments and transfers.
But the hackers have tried a new scheme: calls from automated programs, which users trust more than real people. Robots report a system failure at the bank, after which they ask for the card number and login data for the Internet bank. Over the past year, this method has brought the attackers more than 6 million rubles.
When receiving such calls, it is worth remembering that bank employees never ask you for logins and passwords, or for the CVV2 code and PIN of the card. In addition, banks in principle rarely call their customers, so any incoming call on behalf of the bank should immediately be treated with suspicion.
Network pranksters
At the end of March, several Wi-Fi users in the Moscow metro encountered an unusual problem: when connecting to the network, instead of the authorization page they saw the flag of the terrorist group "Islamic State" (IS), banned in Russia. A similar thing happened in November 2015, when inscriptions in Arabic and a black flag were displayed with the caption: “Yesterday - Paris, today - Moscow!”
In both episodes, the metro's network itself was not hacked, and its users were not affected. The display of terrorist symbols was someone's cruel joke, for which, however, criminal punishment is provided. MaximaTelecom filed the relevant statements with the police. As the company's technical director, Mikhail Minkovsky, explained to Lenta.ru, users could encounter a substituted network in a single car. The unknown attackers allegedly used the "man in the middle" technique.
In one of the cars there was a passenger with a laptop and a USB modem who gave his access point the same name as the Wi-Fi network in the metro. Since most modern smartphones and tablets automatically connect to known networks with the strongest signal, passengers could unwittingly end up on the intruders' network, where the IS flag was displayed.
In some cases, clone networks can be very dangerous, because through unsecured Wi-Fi channels attackers can gain access to information stored on the device, including personal correspondence, photos, and applications to which cards or electronic wallets are usually linked. Today, most social networks, email services and mobile banking applications automatically encrypt all data between the user and the application. All iPhone models running iOS 8 and higher, as well as smartphones with the sixth version of the Android operating system, received encryption by default.
However, in order not to mistakenly connect to a malicious access point, you should pay more attention to the URL of the start page and of all sites used. You also need to make sure that the resource works over the secure HTTPS protocol, which ensures effective protection of the transmitted data. Finally, the device's operating system must be updated promptly, since attackers find most vulnerabilities in outdated software versions.