Hackers have created their own payment system to steal money from all banks. A million in a couple of minutes. How hackers rob banks around the world. How hackers steal money from legal entities.

Computer Terrorists: The Latest Technologies in the Service of the Underworld (Tatiana Ivanovna Revyako)

How a hacker robs a bank

Thanks to the press, many readers have heard a great deal about how Russian computer hackers work. Because this community is so closed, the correspondent had to spend more than six months reaching one of the participants in a computer break-in and learning the details of how real hackers operate.

PREPARATION. After reading articles, for example about the case of Vladimir Levin, who siphoned off between $400,000 and $3 million from the American Citibank through a computer, one might think a hacker's work is easy: he sits down at the keyboard, taps away, and the trick is done. In fact, a hacking operation is extremely complex; as a rule, several dozen people in different countries are involved in it.

No professional breaks in from his own home or office. Instead an apartment is rented somewhere quiet, under a false name and usually for a month. Such a period is needed to find out who is who among the residents of the stairwell. If it turns out that, for example, employees of FAPSI, the FSB or MGTS live in the stairwell or even in the building (if it is small, like a Khrushchev-era block), the apartment is abandoned and another one is rented. In parallel, agents are selected, or, in other words, bought, at the bank that is going to be hacked. They must name the time when electronic payments pass (the so-called book time), report the main serial number of the local PBX and, if possible, find out the bank's network password as well as the server password (the main computer of the bank's internal network). A person is also needed at the bank to which the money will be transferred, to ensure it is received without hindrance and moved on to a special account. An agent at MGTS is needed as well: if the security service detects a break-in, a request may go to MGTS to determine the intruder's telephone number, and the agent must give the service a fake number. In other words, a safety net is needed at every possible level.

The aforementioned Vladimir Levin, whose trial has not yet concluded, does not even make the unofficial top hundred of Russian hackers; according to experts, he neglected the safety rules and made a string of mistakes worthy of a beginner. Firstly, he carried out all the break-ins from one computer in one place, which turned out to be the office of his own company. Secondly, he broke into the bank's network via an entirely prosaic computer network, the Internet. Finally, he did not even bother to run a trail-sweeping program after the break-in. It would have been a shame for such a giant of the anti-hacker struggle as the FBI not to catch such a dilettante. Which it did, with noisy fanfare, though with a great deal of help from the St. Petersburg RUOP. But at that time Levin could not be tried in Russia: the article of the Criminal Code on computer crimes has been in force only since 1997, and the United States and Russia have no extradition treaty, that is, no mutual handover of criminals. So the Russians called the FBI and advised them to invite the hacker to England for a computer exhibition. There Levin was arrested right at the aircraft steps, because England and the United States have had an extradition treaty for a long time.

Along with the usual precautions, the apartment from which the break-in will be made is equipped with the latest technology. An "anti-bug" is installed on the telephone line to block wiretapping and caller identification. Computers, spare processors, powerful batteries in case of a power outage (H-hour cannot be moved), an army radio set and a host of other exotic equipment, such as mirror monitors, are brought into the apartment. When everything is ready, day X is set.

Only after several meetings in a relaxed atmosphere did I finally manage to persuade my new acquaintance to tell me in detail about a computer break-in in which he himself was directly involved.

On the appointed day, at around 8 pm, all the "stakeholders" gathered at the main headquarters. The head hacker read the instructions to the guards, after which they were issued body armour and walkie-talkies. Everyone got their own call sign. The hacker and his assistant began to establish radio contact with the operators of the resource support group (in total, nine computers in different parts of Moscow were involved in the operation).

Across the street, in the twilight, the silhouettes of two police cars could be seen: the main guard, who, simply doing their job, did not even know who had hired them or for what purpose. Downstairs at the entrance stood a foreign car with an antenna, in which two men were sitting: representatives of the customer, one of the largest Moscow gangster groups. The performers had to solve an unusual problem. A European bank had cheated a commercial firm friendly to the group out of a substantial sum. They decided to punish it by launching a virus into its internal computer network, which was supposed to take the entire network down for at least a day. This is no easy task, so work began at ten in the evening with a search for login passwords.

A major network break-in is usually done in the early morning, when the computer security officer on duty at the bank is either asleep or slow to react. At six o'clock, readiness number one was announced over the radio. "First ready, second ready, third ready," came the replies. The guards were ordered to take up positions at the corners of the house and not let anyone entering it, or each other, out of sight. Meanwhile, in the apartment, amid the empty beer cans, the head hacker gave the command to the assistants over the radio: "Go!"

Nine "poisoned" programs immediately raced across three borders to attack the bank's main server.

An automated electronic security program tried to stop them, but was tied up by a blocking program and then simply crushed by overwhelming enemy forces.

The rest of the programs, having broken out into open space, wreaked havoc in the banking network. As a result, having received a signal that viruses had penetrated it, the main server simply shut down the entire network and blocked it.

Almost a day passed while urgently summoned bank specialists hunted the malicious viruses out of the network. In such cases the direct damage from failed payments alone is at least 100 thousand dollars, and the moral damage in the form of a tarnished reputation, which is valued highly in the West, naturally turns out to be even greater.

The operation was not cheap for the customers themselves. Their guards received 400 thousand rubles each; the police, who were fulfilling an agreement with an "ordinary commercial firm", $200 each; the head hacker earned 5,000, and the assistants, most of whom did not even know what operation they were involved in, got much less. But the technical support cost the customers over 20 thousand dollars. All the same, the operation paid off quite well.

P.S. The first trial of an employee of Rossiyskiy Kredit Bank recently began in Moscow. This hacker opened an account at his own bank and managed to transfer 14 thousand dollars into it before he was discovered, this time by the bank's vigilant security service.

According to a study published by Positive Technologies, banks have built quite effective barriers against external attacks but are not ready to resist intruders already on the internal network. Having crossed the perimeter through social engineering, web application vulnerabilities or insiders, attackers find themselves in a comfortable environment whose level of security is no different from that of companies in other industries.

With access to a bank's internal network, Positive Technologies specialists managed to reach financial applications in 58% of cases. In 25% of banks, the hosts from which ATMs are controlled were compromised, which means that followers of the Cobalt group using similar methods could withdraw money from those banks. In 17% of banks it would have been possible to transfer funds to attacker-controlled accounts through the interbank transfer systems targeted by the Lazarus and MoneyTaker groups.

In 17% of banks, card processing systems are insufficiently protected, which allows attackers to manipulate the balance of their own card accounts, as was seen in the attacks on Eastern European banks at the beginning of 2017. The Carbanak group, notable for its ability to attack any banking application successfully, could have stolen funds from more than half of the banks tested. On average, an attacker who has penetrated a bank's internal network needs only four steps to gain access to banking systems.

The report notes that the level of network perimeter protection in banks is significantly higher than in other companies: over three years of external penetration testing, access to the internal network was obtained in 58% of systems overall, while for banks the figure was only 22%. Even this level is far from ideal, however, given the attackers' strong financial motivation and the absence in many banks of any practice of analysing the security of online services' code at the design and development stages. In all penetration tests, vulnerabilities in web applications contributed to gaining access (social engineering techniques were not used). Similar penetration methods have been used, for example, by the ATMitch and Lazarus groups.

Remote access and management interfaces, which are often open to connections from any external user, also pose a great danger to banks. The most common are SSH and Telnet, found on the network perimeter of over half of banks, as well as protocols for accessing file servers (in 42% of banks).

But the weakest link is the bank employees. Attackers easily bypass perimeter protection with a simple and effective method: phishing, which delivers malware into the corporate network. Phishing emails are sent to bank employees at both work and personal addresses. Almost every criminal group has used this method to cross the perimeter, including Cobalt, Lazarus, Carbanak, Metel and GCMAN. According to Positive Technologies estimates, on average about 8% of bank users followed a phishing link and 2% launched an attached file. The study also gives examples of advertisements on hacker forums offering the services of insiders in banks. According to the experts, in some cases the privileges of an employee with only physical access to power outlets (a cleaner or security guard) are sufficient for a successful attack. Another option for the initial delivery of malware is compromising third-party companies that take the protection of their resources less seriously and infecting sites frequently visited by employees of the target bank, as in the case of Lazarus and Lurk.

Once the criminals have gained access to the bank's local network, they need to obtain local administrator privileges on employees' computers and servers in order to develop the attack further. Typical attack vectors rest on two main shortcomings: weak password policy and insufficient protection against password recovery from OS memory.

If dictionary passwords are found on the network perimeter in almost half of banks, then on the internal network every system studied suffers from a weak password policy. In about half of the systems, weak passwords are set by users, but even more often the testers came across standard accounts that administrators leave behind when installing a DBMS, web server or OS, or when creating service accounts. A quarter of banks use the password [email protected]; other common passwords include admin, combinations like Qwerty123, and blank or default passwords (such as sa or postgres).

Inside the network, attackers move around freely and unnoticed using known vulnerabilities and legitimate software that arouses no suspicion among administrators. Exploiting the flaws in the corporate network's protection, cybercriminals gain full control over the bank's entire infrastructure in a short time.

“You need to understand that an attacker will not be able to achieve his goal and steal money if the attack is detected and stopped in time, and this is possible at any stage if appropriate protection measures are taken,” said Yekaterina Kilyusheva, an analyst at Positive Technologies. “It is necessary to scan mail attachments in an isolated environment, not relying solely on antivirus solutions installed on users' workstations. It is extremely important to receive timely notifications from security systems and respond to them immediately, with constant monitoring of security events by an internal or external SOC and with SIEM solutions, which can significantly simplify and improve the efficiency of processing information security events.”

Hackers tried to steal 1.5 billion rubles, about 1% of the total profit of Russian banks in 2015. To do this, they registered a payment system abroad.

The threat to banks

In 2015, law enforcement agencies managed to thwart an attempt at large-scale theft of money from almost all banks in Russia. This was stated by Alexei Moshkov, head of Department K of the Russian Ministry of Internal Affairs, which combats crimes in the field of computer security, Interfax reports.

Department K prevented thefts totalling 1.5 billion rubles last year, said Alexander Vurasko, head of the department's press service. That is almost 1% of the total profit of banks in 2015 (192 billion rubles). The actual damage is estimated at 400-600 million rubles, but it may grow as new victims come forward, Vurasko added. Hackers have developed about a hundred different schemes for stealing funds from the accounts of both banks themselves and their clients. “They compromised international payment systems: they found vulnerabilities in them and wrote software that would allow fake payment documents to be generated, but the use of this software was stopped,” Vurasko says.

The Visa payment system and its VisaNet processing network were not compromised, Visa's press service said in response to an RBC request. “It seems to us that the examples cited by the representative of the Ministry of Internal Affairs of the Russian Federation relate to third-party, non-Visa processing companies. Therefore we cannot comment on them,” the response says.

According to Vurasko, the hackers nearly paralysed the banking system by compromising the interbank messaging system (the international system most used by Russian banks is SWIFT, but the Ministry of Internal Affairs does not disclose whether it was that system or not).

To withdraw funds from accounts, the hackers created and registered their own payment system. As Vurasko said, it was registered in a foreign jurisdiction and met all international standards. “It is quite possible that the hackers sent the documents required for registration by e-mail; in some countries such a registration regime is acceptable,” he notes.

RBC's source in one of the international payment systems suggests that the system could have been registered in one of the CIS countries. “The legislation of Europe and the United States does not provide for the registration of payment systems,” he adds. A source in another payment system says there is no such regime in Asian countries either.

Interior Ministry officers detained a criminal group in November last year. However, in January of this year two large Russian banks were hacked again. It was a new group, but one connected with the group detained in November, and it consisted of 40-60 people. “The hackers attacked two banks from the top hundred; the banks' processing centres issued commands to transfer funds from accounts, money started leaving in the millions, and the Central Bank even had to disconnect these banks from BESP,” says Vurasko. Members of this group were also detained.

The ideologue of the criminal group is a 30-year-old Muscovite with a higher education; the Ministry of Internal Affairs does not disclose his name in the interests of the investigation.

Hackers are coming

Representatives of the Ministry of Internal Affairs say that whereas earlier hackers stole money mainly from bank customers, now they are developing programs that allow money to be written off from the accounts of banks themselves, for example accounts those banks hold at other banks.

According to the Central Bank, in 2014 hackers wrote off RUB 3.5 billion from the accounts of citizens and companies. Fraudsters wrote off 1.58 billion rubles from cards. Most of that amount (over 1 billion rubles) was stolen through Internet banking and mobile applications. The volume of illegal transactions made through remote service channels grew by 44.8%. At the end of 2015, Sberbank estimated the damage to Russia from cybercrime at $1 billion, and, as the bank's first deputy chairman Lev Khasis said, there is no reason to expect the damage from such crimes to decrease.

At the beginning of this year Digital Security published a review in which its experts predicted that in 2016 banks and their clients would face an increase in hacker attacks: the number of attacks on users using so-called social engineering, in which fraudsters persuade users to install malicious software themselves, would grow. Also in 2016, the company predicted, the number of attacks on customer accounts through attacks on the banks themselves would increase. Attackers can hijack various internal systems, including payment systems, platforms for paying for government services, mobile communications and the Internet. “Capturing control over such a platform will allow customers' money to be withdrawn directly into electronic wallets,” Aleksey Tyurin, director of the security audit department at Digital Security, warned earlier.

The name of the bank and the stolen amount were not disclosed, but in this way hackers can rob banks of all their money. Swift's clients include about 11,000 institutions, and its payment system processes billions of dollars.

According to experts, this robbery is linked to the Cobalt group, which is now the main threat to financial institutions.

The attack took place on December 15 using malware. Dmitry Volkov, head of Group-IB's cyber intelligence department, says the incident shows that hackers have found reliable ways to launder money.

Volkov explains that Swift itself is completely invulnerable; the problem lies in the insufficient security of the banks that use the system.

As is known, Swift had not been used for such thefts before. This is because it requires professionals: whereas the maximum take from an ATM does not exceed a few hundred thousand dollars, through the interbank transfer system one can get millions, and that requires great skill. The record so far is half a billion rubles. At first the suspected group successfully robbed ATMs in the CIS countries, but it has now switched to card processing, perhaps because specialists were found who could support and carry out such actions.

This is believed to have been done with malware. It is sent by e-mail; a bank employee opens it, the program launches and gives the fraudster access to that computer. The hacker then begins to study the bank's internal network. Of course, there are ways to track such attacks, but not all branches have sufficiently modern means to do so. Conventional firewalls and antivirus cannot provide complete protection against such situations.

It is reported that the affected bank had recently undergone an inspection by the Central Bank, which found its level of information security insufficient. The bank received recommendations for improving it but apparently did not follow them.

Experts say other payment systems could have been used. There are usually two options: either gain access to a specific terminal, for example Visa or Mastercard, and then attack it; or gain access to whichever comes first, in this case Swift, and then act according to the situation.

In recent years, attacks on banks have become more advanced as ever more sophisticated Trojans emerge, against which it is ever harder to find protection. Now it is enough to find out the e-mail addresses of a few employees and send them letters disguised as financial monitoring notices, containing malware that launches when the letter is opened.

In the spring of 2016, Swift had already warned its employees about frequent cyberattack attempts, but details were not disclosed at the time.

Group-IB also does not say which bank was hit or how much was stolen. Swift supported this position and reported a thorough review of all threats and their elimination.

Some experts think a small bank was attacked. They explain this by the fact that it is more profitable to "attack" banks that lack the funds to improve their protection against cyberattacks. The first to suffer such a robbery was a bank in Bangladesh, so in Russia it was apparently also a small institution.

In Bangladesh the incident occurred the previous year. The hackers gained access to several accounts of the Bangladesh Central Bank and requested the transfer of a certain amount. The Federal Reserve Bank of New York approved these requests and $80 million was transferred to the accounts of Philippine casinos. Doubts were raised only by the misspelled word "fund" in one of the documents.

Fraudsters come up with new ways to steal money from bank cards every day. CCTV cameras reduce criminals' interest in ATMs, but cybercriminals look for ways to get around them.

In the Russian Federation, theft is a criminal offence; depending on its severity, punishment may be imposed under different parts of Art. 158 of the Criminal Code: imprisonment from one to 10 years, forced labour, or a fine from 80 to a million rubles.

Is ATM security questionable?

There are two widespread types of theft of money from payment terminals:

  • skimming - an overlay on the card reader used to read the card data and PIN code;
  • "Lebanese loop" - the cash dispensing slot is sealed so that the ATM reports that the money has been dispensed while the notes remain inside the machine. The victim walks away from the device to complain to an employee of the institution or to call support, and the fraudster removes the sticky strip together with the money and leaves the scene.

Moscow law enforcement broke up a series of robberies in which the criminals acted as follows: they blew up ATMs, or wrapped a chain around them and hauled them away to open them somewhere unknown. Despite its primitiveness, the method proved effective.

Stealing money from ATMs: the old ways

The old way of stealing money from ATMs is to steal the card after the victim has withdrawn funds. Another traditional method is when an attacker opens the device or takes the cash by removing the device from a bank or supermarket.

Attackers from Udmurtia installed several fake ATMs of a non-existent credit institution in Moscow, the Moscow region and Sochi. Citizens who tried to use the terminals for transactions later went to the police with statements about stolen money. The criminals obtained the passwords of more than a thousand bank cards.

New ways to steal money

Fraudsters in the Astrakhan region stole 4 million rubles by cutting and gluing banknotes: six five-thousand-ruble notes and one thousand-ruble note. Each note was cut into six parts and reassembled so that the resulting "five-thousand" note consisted of one-sixth of the thousand-ruble note. The altered but worthless money was credited to cards through ATMs. After cashing out, the criminals could repeat the cycle.

A fraudster in Saratov pulled money out of a payment terminal using a strong thread attached to a five-thousand-ruble note. He repeatedly fed the note into the terminal for crediting to his account and pulled it back out. In this way the offender extracted 200 thousand rubles.

Hackers from Ufa penetrated an ATM's computer system and changed a service code, with the help of which the dollar rate was "raised" to 1.5 thousand rubles; they then exchanged 800 dollars for 1.2 million rubles. One of the culprits was detained by law enforcement officers.

Kaspersky Lab specialists have uncovered yet another theft scheme. Representatives of financial institutions complained that ATMs were randomly dispensing money to people who had taken no action. The investigation showed that no malware was installed on the devices themselves, but malware was found on a computer on the same network as the ATMs. The hackers gained access to employees' computers and then, through legitimate withdrawal methods, transferred money via SWIFT or cashed out through ATMs. The burglars have not yet been caught, but more than 30 financial institutions in Russia, China, Canada, Ukraine and the United States have suffered from their actions. Some thefts amounted to $10 million, and the total losses of the affected banks approached $1 billion.

Sberbank of Russia announced a new method of stealing money from ATMs, called the drilled box. It only works on certain types of device. A small hole is drilled in the body of the terminal and a device is connected to the internal bus to pump out the cash. Despite the disclosure of this method, the ATM manufacturer has not responded to the problem.

Note!

Among the latest fraudulent devices are shimmers, produced openly and in large quantities and thinner than a human hair. The technology allows account balances, PIN codes and other information to be stolen through an ATM: a flexible metal plate is inserted into the card reader and reads data from the cards. The method can be called advanced skimming.

From the bank's client card

To steal money from bank cards, scammers often use:

  • a fake keyboard - a special overlay installed on the ATM keypad that records every key pressed, including the PIN code;
  • a tiny video camera - installed by fraudsters near or above the keypad for the same purpose: to learn the PIN code and take possession of the card to withdraw funds;
  • false cash acceptors - plastic envelopes that cover the ATM slot;
  • a fake ATM - installed by criminals in crowded places to collect information about the cards of future victims;
  • malicious software - an innovative way to steal money in which payment terminals become infected with viruses; the fraudulent programs then transmit technical information and the PIN codes of clients' cards.

Today another type of theft is actively developing: account hacking. Criminals gain access to online banking services and electronic wallets from the comfort of their homes. Phishing is a fraud method whose purpose is to seize other people's money by obtaining confidential information: card number, password, login. It relies on mass mailings of e-mails and SMS messages purporting to come from well-known brands, banks and payment systems themselves, containing a link to a site that looks like the original web resource. By opening the letter, the user downloads a malicious program to the computer that collects passwords, logins and payment card numbers and returns them to the program's sender, or automatically starts transferring money from all available wallets to the fraudster's details.

One type of card fraud is the winlocker: malware that blocks or hampers the operation of the Windows operating system. A message appears on the victim's screen stating that the computer cannot be used until a special password is entered, for which a certain sum must be sent to the cybercriminals. After receiving the money, the criminals send a code that permanently or temporarily lifts the restrictions, but the problem may recur.

Note!

It is also possible that after receiving the money the scammers steal the card number, PIN code and CVV and withdraw all the money from the account, card or wallet.

At the bank

The method of instantly pumping money out of an ATM is called the drilled box. Scammers drill a hole in ATMs of a specific configuration and connect to the bus, instantly pumping out the money. Modern ATMs are quite well protected from hacking and viruses; they need to be put into secure mode, in which the dispenser and the computer exchange information over cryptographic protocols. Then the fraudster can do nothing with the device's information bus.

Certain problems arise for banks that have not updated their software to the required level and operate without secure mode. Some credit institutions need a hardware upgrade.

Independent manufacturers long ago invented a device that helps protect against such attacks by monitoring connections to the ATM's information bus. When an external connection is made, the ATM dispenser switches off and stops responding to the fraudsters' commands. Banks are working hard to prevent such crimes.

In 2017, Russian ATMs were hit by a new dangerous virus: contactless hacking of the external circuit of the bank's network, then of the device administration server in the closed network, and then a direct attack on the ATMs. Experts explain that reliable protection is needed, otherwise the credit institution's network will be compromised. Specialised information security programs must be implemented and third-party contractors brought in to reduce the risk of security gaps.

If fraudsters have obtained bank card details, the card is considered compromised: the owner's data and the logins and passwords for Internet banking or the mobile application become known to the attackers.

How to protect yourself from theft?

  • withdraw money from ATMs located inside bank branches; avoid supermarket areas where there are many people and where criminals' lookouts gather;
  • if the ATM does not recognise the card you inserted, or does not return it, call the support service immediately and block the card. Tell the employee the device number so that it can be checked;
  • use SMS notifications of movements on the card account. If you did not perform a transaction that appears on the account, inform the bank immediately;
  • in case of particular problems after blocking the card, go to the branch to write a statement disputing the transaction.

More than 80 thousand sites distribute malicious browser extensions through which bank card data is stolen. Be vigilant and do not click on suspicious links.