Group-IB, an international cybersecurity firm, recently uncovered a gang of cyberthieves who have hijacked more than $10 million from U.S. and Russian banks in less than two years, according to the firm’s new report.
The Russian-speaking hackers, dubbed by Group-IB as MoneyTaker, successfully attacked at least 20 financial institutions, legal firms, and financial software vendors in the U.S., United Kingdom, and Russia, the report said.
In 2016, there were 10 known attacks. Among those, six attacks were on U.S. banks; one on a U.S. service provider; one on a United Kingdom IT-company; and two on Russian banks. Ten more attacks have taken place this year. The targets were eight U.S. banks, one law firm, and one bank in Russia.
“Criminals have changed tactics and are now focusing on banks rather than their clients, as was [the] standard operating procedure in the past,” Dmitry Volkov, Group-IB co-founder and head of intelligence, told Bloomberg.
How did they do it?
MoneyTaker’s first known scheme was a debit card-processing attack that took place in May 2016, which Group-IB says is relatively simple to carry out.
The attackers take over the bank’s network and connect to its card-processing system. Next, they legally open or buy bank cards for the system they just hacked. The hackers then remove or increase the bank card withdrawal limits.
Money mules, criminals who make the cash withdrawals, take the activated cards and start withdrawing money from ATMs once the operation is activated.
“They understand that banks — especially community banks with limited resources — are the easiest marks,” Volkov told Bloomberg.
The average loss from one attack was about $500,000, Group-IB said in its report. The hackers also removed overdraft limits, which made it easier to overdraw even on debit card accounts.
How does MoneyTaker go undetected?
MoneyTaker continually changes its tools and tactics that bypass antivirus software. But most importantly, according to Group-IB, once it completes an operation, it carefully eliminates all traces of the transaction using malware that destroys itself after reboot.
In some of the cases, the Moscow-based hackers used the infamous Citadel and Kronos banking trojans. The latter was used to deliver point-of-sale malware dubbed ScanPOS, which obtains credit card and debit card information by reading the device memory from the retail checkout system.
“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide and at least one of the U.S. Banks targeted had documents successfully exfiltrated from their networks, twice,” Volkov said in the report.
The hackers also created fake certificates using well-known brands such as Bank of America Corp. and Microsoft Corp. to cover their tracks.
It’s not immediately clear whether any person or persons have been identified as being part of MoneyTaker’s criminal group.
“The more we dig, the more we’ll find,” Group-IB’s Volkov said. “This report doesn’t represent the full picture, and I can say with 100 percent certainty that there are more victims that haven’t been identified yet.”