Eight online banking scammers arrested in Russia
Hackers mainly targeted Russian, Eastern European and Dutch banks
IDG News Service - The Russian Federal Security Service (FSB) arrested eight hackers who allegedly stole $4.5 million in the last quarter alone using an online banking Trojan, security analyst firm Group-IB said Tuesday.
Seven Russians and one person in Abkhazia, an independent republic in a territory claimed by Georgia, comprised the group. The group was first noticed in the beginning of 2010 and used a Trojan to compromise systems, said Michael Sandee, security specialist at the Dutch security firm Fox IT, which assisted in many stages of the investigation.
Apart from Fox IT, Group-IB and the FSB, the Russian Ministry of the Interior (MVD) also worked on the investigation. The hackers were arrested Monday, said Aleksey Kuzmin, head of Group-IB's U.S. office.
The criminals used the Caberb Trojan, aimed at wide range of Windows OSes -- Windows 2000 through Windows 7 -- according to Sandee. "That Trojan gathers an alarming amount of data," he explained in a phone interview. Caberb logged a wide variety of passwords and log-in data once it installed itself on a system.
Caberb would nestle itself in computers using various browser vulnerabilities, including Java and Flash browser plug-in flaws. Once inside, the Trojan would launch a so-called man-in-the-browser attack. Caberb placed itself in the browser, and was used to run a protocol sniffer, detecting passwords and log-in credentials. The Trojan was also able to manipulate traffic to serve phishing sites without users knowing they were visiting one.
Together with the Caberb Trojan, Rdpdor malware was used to manipulate systems. According to Sandee, the Rdpor program established a full Remote Desktop Protocol (RDP), which allowed the criminals to see what the users saw on the screen, or even take over the whole machine.
When the group obtained log-in credentials for online banking sites they were used for fraudulent transactions that were sent to a specially prepared account. The scammers hacked popular news media websites and online stores, among other methods, to spread the malicious software, said Group-IB in a press release.
The eight hackers mainly targeted electronic banking systems in Russia, Eastern Europe and the Netherlands, Sandee said. They were active in the Netherlands until November 2010 and then shifted their focus to Eastern Europe, mainly because there are six authentication systems used in that area while every Netherlands bank uses its own authentication system.
"The Eastern European authentication systems are not bad," said Sandee, but emphasized that the small number of systems gave the cybercriminals "more value for their money."
Both Group-IB and Fox IT noted that it is fairly uncommon to be able to arrest an entire criminal chain. In typical actions against cybercriminals, only part of a group gets arrested, Sandee noted. Some people, like the leaders, are often not arrested because they are difficult to identify, he said. Usually the criminal who operates the botnet is the easiest to find.
The effort to take down the whole group is why the investigation took about a year and a half to complete. Group-IB said that the group's leader was identified in January 2010. The investigators put a vast amount of effort in documenting his activities, which was complicated because he was constantly on the move, traveling often outside of the Russian Federation.
Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts