Russian Hackers Infected 1 Million Bank Customer Smartphones

For all the accusations that Russian hacking only focuses outside the country - most notably to allegedly impact the outcome of democratic elections by exposing politicians' dirty laundry - a Reuters report overnight revealed that Russian cyber criminals were just as eager to focus on their fellow countrymen. Using malware planted on Android mobile devices, they stole from domestic bank customers and were planning to target European lenders before their arrest. The enterprising hackers targeted customers of state lender Sberbank, and also stole money from accounts at Alfa Bank and online payments company Qiwi, exploiting weaknesses in the companies' SMS text message transfer services.

Russia's Interior Ministry said a number of people had been arrested, including the alleged gang leader. This was a 30-year-old man living in Ivanovo, an industrial city 300 km (185 miles) northeast of Moscow, from where he had commanded a team of 20 people across six different regions. Four people remain in detention while the others are under house arrest, the ministry said in a statement.

"In the course of 20 searches across six regions, police seized computers, hundreds of bank cards and SIM cards registered under fake names," it said.

The gang got their malware on to victims' devices by setting up applications designed to mimic banks' genuine apps. When users searched online, the results would suggest the fake app, which they would then download. The hackers also inserted malware into fake mobile apps for well-known pornography sites. After infecting a customer's phone, the hackers were able to send a text message to the bank initiating a transfer of up to $120 to one of 6,000 bank accounts set up to receive the fraudulent payments.

While the hacking campaign raised a modest sum by cyber-crime standards, just over 50 million roubles ($892,000), the hacking group also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations.

According to Reuters, members of the cyber-gang tricked Russian banks' customers into downloading malware via fake mobile banking applications, as well as via pornography and e-commerce programs, as described in a report compiled by cyber security firm Group-IB, which investigated the attack with the Russian Interior Ministry. The criminals, 16 of whom were arrested by Russian law enforcement authorities in November last year, infected more than a million smartphones in Russia, on average compromising 3,500 devices a day, Group-IB said.

* * *

Russia was just the beginning: despite having operated only in Russia before their arrest, the hackers had developed plans to target large European banks including French lenders Credit Agricole, BNP Paribas and Societe Generale, Group-IB said. A BNP Paribas spokeswoman said the bank could not confirm this information, but added that it "has a significant set of measures in place aimed at fighting cyber attacks on a daily basis". Societe Generale and Credit Agricole declined comment.

The gang, which was called "Cron" after the malware it used, did not steal any funds from customers of the three French banks. However, it exploited the bank service in Russia that allows users to transfer small sums to other accounts by sending an SMS message. Having infected the users' phones, the gang sent SMS messages from those devices instructing the banks to transfer money to the hackers' own accounts.
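The pattern the article describes, many infected phones each sending one small SMS-initiated transfer to a pool of freshly opened mule accounts, is exactly the kind of fan-in a bank's own transfer logs can surface. The screening pass below is an added example, not code from Reuters, Group-IB or any of the banks named; the log format, the per-transfer cap, the thresholds and the sample records are all constructed for illustration. It flags a destination account that, within a 24-hour window, receives near-cap transfers from several unrelated customers and is not an established payee, while ignoring a known bill-payment recipient, a single customer paying a friend, and activity older than the window.

```python
"""
Added example (not part of the original article or any bank's code): a simple
screening pass over constructed SMS-banking transfer logs that surfaces the
Cron-style pattern of many small, near-limit transfers from unrelated
customers fanning in to a previously unseen destination account.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMS_TRANSFER_LIMIT = 120.0   # assumed cap on a single SMS-initiated transfer
NEAR_LIMIT_RATIO = 0.9       # amounts at or above 90% of the cap count as "near the cap"
MIN_DISTINCT_SENDERS = 3     # fan-in threshold: unrelated customers paying one account
WINDOW = timedelta(hours=24) # look-back window for the fan-in count

# Constructed log format: "<iso timestamp> sender=<phone> dest=<account> amount=<float>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sender=(?P<sender>\S+) dest=(?P<dest>\S+) amount=(?P<amount>[\d.]+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "sender": m["sender"],
        "dest": m["dest"],
        "amount": float(m["amount"]),
    }


def screen_transfers(lines, known_recipients, now):
    """Return {dest: reason} for destinations that look like mule accounts."""
    per_dest = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or now - rec["ts"] > WINDOW:
            continue  # malformed line, or outside the look-back window
        per_dest[rec["dest"]].append(rec)

    flagged = {}
    for dest, recs in per_dest.items():
        if dest in known_recipients:
            continue  # established payee; ordinary bill-paying fan-in is expected
        senders = {r["sender"] for r in recs}
        near_cap = sum(1 for r in recs if r["amount"] >= NEAR_LIMIT_RATIO * SMS_TRANSFER_LIMIT)
        if len(senders) >= MIN_DISTINCT_SENDERS and near_cap / len(recs) >= 0.5:
            flagged[dest] = (
                f"{len(senders)} distinct senders, "
                f"{near_cap}/{len(recs)} transfers near the cap within {WINDOW}"
            )
    return flagged


# Constructed sample log: one mule-style account, one known utility payee,
# one customer paying a friend twice, and an older burst outside the window.
SAMPLE_LOG = """\
2016-11-20T09:00:00 sender=+79000000001 dest=ACC-MULE-01 amount=119.00
2016-11-20T09:05:00 sender=+79000000002 dest=ACC-MULE-01 amount=118.50
2016-11-20T09:07:00 sender=+79000000003 dest=ACC-MULE-01 amount=120.00
2016-11-20T09:08:00 sender=+79000000004 dest=ACC-MULE-01 amount=115.00
2016-11-20T10:00:00 sender=+79000000005 dest=ACC-UTILITY amount=118.00
2016-11-20T10:02:00 sender=+79000000006 dest=ACC-UTILITY amount=119.00
2016-11-20T10:03:00 sender=+79000000007 dest=ACC-UTILITY amount=120.00
2016-11-20T11:00:00 sender=+79000000008 dest=ACC-FRIEND amount=20.00
2016-11-20T11:30:00 sender=+79000000008 dest=ACC-FRIEND amount=25.00
2016-11-19T08:00:00 sender=+79000000009 dest=ACC-OLD amount=119.00
2016-11-19T08:01:00 sender=+79000000010 dest=ACC-OLD amount=119.00
2016-11-19T08:02:00 sender=+79000000011 dest=ACC-OLD amount=119.00
garbage line
""".splitlines()

KNOWN_RECIPIENTS = {"ACC-UTILITY"}          # constructed allowlist of established payees
NOW = datetime(2016, 11, 20, 12, 0, 0)      # constructed "current time" for the window

if __name__ == "__main__":
    for dest, why in screen_transfers(SAMPLE_LOG, KNOWN_RECIPIENTS, NOW).items():
        print(dest, "->", why)
```

In a real deployment the allowlist would be replaced by the bank's payee history and the thresholds tuned against its own false-positive rate; the point of the example is that the signal lives in the relationship between senders and destinations, not in any single transfer, which is why per-transaction limits alone did not stop the scheme.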

The findings illustrate the dangers of using SMS messages for mobile banking, a method favored in emerging countries with less advanced internet infrastructure, said Lukas Stefanko, a malware researcher at cyber security firm ESET in Slovakia.

"It's becoming popular among developing nations or in the countryside where access to conventional banking is difficult for people," he said. "For them it is quick, easy and they don't need to visit a bank... But security always has to outweigh consumer convenience."

The success of the Cron gang was facilitated by the popularity of SMS-banking services in Russia, said Dmitry Volkov, head of investigations at Group-IB. "Cron's success was due to two main factors," Volkov said. "First, the large-scale use of partner programs to distribute the malware in different ways. Second, the automation of many (mobile) functions which allowed them to carry out the thefts without direct involvement."

The cyber security group said that the existence of the Cron malware was first detected in mid-2015, and by the time of the arrests the hackers had been using it for under a year. The core members of the group were detained on Nov. 22 last year in Ivanovo. Photographs of the operation released by Group-IB showed one suspect face down in the snow as police in ski masks handcuffed him. The "Cron" hackers were arrested before they could mount attacks outside Russia, but plans to do that were at an advanced stage, said the investigators.

Group-IB said that in June 2016 the gang had rented a piece of malware designed to attack mobile banking systems, called "Tiny.z", for $2,000 a month. The creators of the "Tiny.z" malware had adapted it to attack banks in Britain, Germany, France, the United States and Turkey, among other countries.

The "Cron" gang developed software designed to attack lenders including the three French groups, it said, adding it had notified these and other European banks at risk. A spokeswoman for Sberbank said she had no information about the group involved. However, she said: "Several groups of cyber criminals are working against Sberbank. The number of groups and the methods they use to attack us change constantly." "It isn't clear which specific group is being referred to here because the fraudulent scheme involving Android OS (operating system) viruses is widespread in Russia and Sberbank has effectively combated it for an extensive period of time."

Why the public crackdown? Reuters speculates that the Russian authorities, bombarded with allegations of state-sponsored hacking, are keen to show Russia too is a frequent victim of cyber crime and that they are working hard to combat it. The interior and emergencies ministries, as well as Sberbank, said they were targeted in a global cyberattack earlier this month. Still, we very much doubt that this mass arrest of hackers will do anything to dent the media's favorite hacking narrative, the one in which the Kremlin "hacked" and convinced several hundred thousand middle class Americans to vote for Trump instead of Hillary.