CEO of Group-IB: Hackers Join Traditional Organized Crime Groups

 Since the beginning of the year, the Russian authorities have put a halt to the activities of three cybercrime groups involved in stealing money from remote banking systems (RBS). At least three similar groups are continuing to operate. CEO of Group-IB Ilya Sachkov tells RIA Novosti correspondent Ivan Shadrin how money is stolen online, cashed, where it is stored and why individual hackers get together to form traditional organized crime groups. Group-IB investigates cybercrimes in collaboration with the Federal Security Service and the Ministry of the Interior.

Q: According to the Interior Ministry, over the past few years hackers have stolen millions of dollars from customers of Russian banks. Why is this happening? What is wrong with the Russian banking system?

A: You have to understand that a system which is completely invulnerable to attack simply doesn't exist. Cyber criminals can break into virtually any system. Added to that is the fact that some banks are not using the most secure systems.

Online banking money theft schemes

For instance, banks might provide customers only with a login, a password and a digital signature to access their remote banking accounts. If they get hold of a copy of an insecure digital signature, a criminal can launch an attack from anywhere.

To counter this threat, banks are introducing ‘security tokens.’ It is almost impossible to retrieve a digital signature from these tokens. However, USB tokens are often left connected to a computer even when the user is not logged into the remote banking system. In this way hackers can gain remote access to computers and transfer money directly. This is how they avoid security systems that track IP addresses of customers to prevent suspicious transactions – for instance, from abroad. In the case I described above the transaction looks legitimate because the IP address and the token are the customer’s. There is no cause to doubt the user's identity.

An even more complicated system uses one-time passwords that are printed out by the bank or sent in a text message. Companies usually use printouts, whereas individuals prefer texts.

Q: Can one-time password systems be hacked?

A: Basically, what happens is that criminals replace bank orders. An accountant fills in a payment instruction with the bank details required. But moments before the one-time password is entered, hackers change a particular set of data. When the user presses ‘sign,’ the bank details are already different and the money goes into the hacker's account.

There is another way to do it. Malefactors inject a phony pop-up window for a one-time password into the victim’s web browser. The user enters their password. The password is ‘processed’ for an extended period of time, followed by a time-out error. The customer has to enter another one-time password because the previous transaction failed. The accountant enters another password. The scammers now have two valid one-time passwords that must be used in order, the first to access the system and the second to send the payment.

In this scenario it does not matter whether the password was sent in a text or printed out. You enter the data yourself.

The choice of which fraudulent scheme to use often depends on the available software. Replacing bank details or injecting phony pop-up windows requires special software. If it is not available, cyber criminals have to resort to using social trickery to phish for passwords.

We know of cases where exceptionally bold fraudsters have called people up posing as bank employees and asked for their passwords.
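The two attacks described above (swapping the payee just before the one-time password is entered, and phishing a second code with a fake time-out) both work because the code itself says nothing about which payment it authorizes. The following added example, which is not part of the interview and not Group-IB's or any bank's code, models that failure in a few lines: an unbound counter-based code is accepted for a payee the customer never saw, while a code that mixes the payee account and amount into the MAC (transaction signing) rejects the same swap. The secret, counter and account numbers are constructed for the demo.

```python
"""Constructed demo: one-time codes with and without transaction binding.

A man-in-the-browser swaps the payee after the customer has confirmed
the order. With an unbound code the bank cannot tell; with a code bound
to payee and amount the swapped order fails verification.
"""
import hashlib
import hmac

# Constructed shared secret for one customer's token / SMS generator.
CUSTOMER_SECRET = b"constructed-demo-secret"


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code, as hardware tokens do."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def unbound_otp(counter: int) -> str:
    """Weak scheme: the code depends only on the secret and a counter,
    not on what is being paid or to whom."""
    mac = hmac.new(CUSTOMER_SECRET, counter.to_bytes(8, "big"),
                   hashlib.sha256).digest()
    return _six_digits(mac)


def bound_otp(counter: int, payee: str, amount: int) -> str:
    """Transaction signing: payee account and amount are part of the
    MAC input, so a code for one order is useless for another."""
    msg = (counter.to_bytes(8, "big")
           + payee.encode("ascii")
           + amount.to_bytes(8, "big"))
    mac = hmac.new(CUSTOMER_SECRET, msg, hashlib.sha256).digest()
    return _six_digits(mac)


def bank_accepts_unbound(counter: int, payee: str, amount: int,
                         code: str) -> bool:
    """Bank-side check for the unbound scheme; payee/amount are ignored."""
    return hmac.compare_digest(code, unbound_otp(counter))


def bank_accepts_bound(counter: int, payee: str, amount: int,
                       code: str) -> bool:
    """Bank-side check that recomputes the code over the order it received."""
    return hmac.compare_digest(code, bound_otp(counter, payee, amount))


def man_in_the_browser(order: dict, mule_account: str) -> dict:
    """Rewrite the payee after the customer saw the order, before it is sent."""
    swapped = dict(order)
    swapped["payee"] = mule_account
    return swapped


def run_scenario(bound: bool) -> bool:
    """Return True if the bank accepted the tampered order."""
    counter = 42
    # Constructed account numbers: the real payee and the mule's card account.
    order = {"payee": "40702810900000001234", "amount": 950_000}
    mule = "40817810500000009999"

    # The customer's device produces a code for the order the customer sees.
    if bound:
        code = bound_otp(counter, order["payee"], order["amount"])
    else:
        code = unbound_otp(counter)

    # Malware swaps the payee on the way to the bank.
    tampered = man_in_the_browser(order, mule)

    if bound:
        return bank_accepts_bound(counter, tampered["payee"],
                                  tampered["amount"], code)
    return bank_accepts_unbound(counter, tampered["payee"],
                                tampered["amount"], code)


if __name__ == "__main__":
    print("unbound code, swapped payee accepted:", run_scenario(bound=False))
    print("bound code, swapped payee accepted:  ", run_scenario(bound=True))
```

Binding only helps if the payee and amount the device signs are the ones the customer verifies on a trusted display (an SMS that spells out the recipient account, or a token with its own screen); if the browser feeds the token the swapped details and shows the customer the original ones, the bound code signs the mule's account just as faithfully. The second attack in the interview, the fake time-out that harvests two consecutive codes, is also defeated by binding, since a code phished for order A cannot be replayed on order B.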

Q: So the hacker has gotten hold of the password. What happens now?

A: It depends on the scenario. There are several different options. For amounts of up to 1 to 1.5 million rubles, the money is whisked off straight to the cards of the ‘money mules’ (cardholders hired to cash the stolen money). Within 15 minutes of the transaction, the money mules withdraw the money from ATMs and hand it over to their employers.

Larger amounts require more complicated cashing schemes. These are used for sums of between one and five million. Firstly, the money arrives in the account of a legal entity. The sum is then divided and wired to other accounts to cover up their tracks.

The ‘cashers’ get at least half of the stolen money.

Q: That's a pretty big commission. Why is that?

A: First of all, any theft is preceded by a lengthy period of preparation. Cashers and plotters talk through every detail. By the time the theft actually takes place, the money mules are fully prepared. They have a fictitious company, a bank account and cash cards for the money mules.

The current banking system allows any legal entity to create a remote "salary project." Generally speaking, a representative of the fake company will report to the bank that, for instance, 15 employees need salary cards. The bank will then request the names and passport numbers of the ‘employees’ and issue the cards. The passport numbers are usually the real IDs of the money mules. Alternatively, they can be bought from hacker forums.

Q: How are the money mules hired?

A: There are ‘honest’ and ‘dishonest’ money mules. Dishonest money mules know about their role in the scam and can even cheat their employers and disappear with the money. That's why cashers usually hire only those dishonest money mules they know well and trust.

Honest money mules are not actually aware of their role. There are websites where you can hire a person to cash money at a certain moment in time for a fee. These websites include statistics of the money earned by the mules. Each user can see their current assignments.

Money mules are usually the first to be tracked down. But they are of little use. Both the honest and the dishonest money mules claim they know nothing and only withdrew the money for a friend who gave them the card.

Q: Is there any relation between cyber fraud and other crimes?

A: This business has historically been under the protection of ordinary criminal gangs. In the very beginning, cashers worked in close cooperation with traditional organized crime groups and assisted with laundering the money from illegal sources. It is easier for cyber criminals to find these people instead of organizing a money mule project from scratch.

Obviously, when the leaders of organized crime groups see that the hackers don’t mind giving away half the stolen money they become curious. They are curious enough to include hackers in their ranks and organize thefts so that they can keep all the stolen money for themselves. We are aware of such cases.

Q: Who are the more frequent victims of cyber fraudsters, companies or individuals?

A: Until the second half of 2011 more crimes were committed against companies, but since then attacks on individual accounts have become more prevalent. This is due to companies becoming more careful about the security of their assets.

In fact, if we look at the statistics, there is no clear distinction. The criminals can steal from anyone, and any amount. So far, we have only seen one small group that targeted only individuals. The reason was that they used a very simple program that did not allow hacking into corporate systems.

Q: The Interior Ministry recently reported that a botnet of six million infected computers had been shut down. Are all ‘financial’ botnets so big?

A: It does not really matter how big a botnet is when it comes to stealing from remote banking systems. Hackers may control a network of 50,000 infected computers, or bots, but only a couple of them have banking software installed. Cyber criminals that attack remote banking systems usually buy targeted web traffic with high conversion rates. A botnet may have only 1,000 bots but the majority will have a remote banking system installed.

For instance, Carberp [the biggest cyber gang, which had stolen around $150 million by the time they were caught in March - editor] tried to hack into accounting websites to send out malware. The reason was obvious: nobody visits such specialist websites just out of curiosity. A similar tactic is being used against ordinary users when the most visited banking websites are attacked. So it is not about the number of bots. It is about the quality of traffic and conversion, just like in any other business.

Q: Do Russian hackers target only Russian banks?

A: Yes, in 99% of the cases that we know about. It is quite difficult to just wire the money to a foreign bank. You would probably even have to go to the bank in person to complete the transaction. Naturally, cyber criminals do not want to go down that road.

However, when it comes to stealing from electronic payment systems, wire transfers to foreign payment systems are more frequent – only because if hackers want to cover up their tracks they transfer money to, for example, Pakistan in order to send it back to their accounts afterward. Foreign banks and payment systems are not interested in reporting suspicious transactions to foreign security services.

Q: Are payment systems attacked?

A: Absolutely. Owners of accounts in various payment systems can lose their money, too. The scenarios used are similar but the money is transferred to either other e-wallets or cash cards.

The money can easily be lost. It is stolen from one payment system and transferred to another, then somewhere else; it is then cashed or sent back to the first system. It’s not easy to follow the trail! There are many scenarios. In addition, many payment systems are registered in offshore countries that do not provide any information about transactions.

Q: How big is this sector?

A: E-wallet thefts are as common as bank account thefts. Some people keep substantial funds in their e-wallets. Many companies have electronic accounts to pay for freelance services.

It is in fact easier to steal money from online payment systems as it does not involve money mules or dummy companies. Besides, if a bank account fraud is discovered, the money will be frozen and charged back to the victim’s account, whereas most online payment systems do not have this feature.

When online payment systems are hacked, the money can be converted into mobile phone credit. Some mobile networks allow phone balances to be cashed. Sometimes cashing involves purchasing rail tickets. Thieves buy an expensive ticket (for a Moscow to Vladivostok train, for example) online and then return it to reclaim most of the money.

Q: Do cyber criminals have any favorite web money systems? If hackers don’t cash the money where do they store it?

A: Hackers have a number of payment systems that they use more often than others. For example, Liberty Reserve.

The first payment system to be closely involved with hackers was eGold, which later came to the attention of the intelligence services. The system has stopped fraudulent transactions ever since. This was when Liberty Reserve (LR) came in.

The organization was set up in the early 2000s, but the system has only been active since 2006, shortly after eGold was shut down. The system was registered in Costa Rica. For only $40, you can get a cash card with their account. The bank card is issued by a bank in Lebanon that, as well as being an offshore company, pays zero profit tax.

LR has very stringent security. Since its launch, the system has not been affected by anything more serious than phishing. At the same time, they have a very simple user agreement, no small print and only a few conditions. The onus lies on customers to protect their passwords. No chargebacks. The system is only responsible for the safety of the money and secure transactions. LR charges 1% but not more than $2.99. Paying just $3 to transfer a million dollars – that's pretty convenient!

Russian and foreign hackers really like this system. Russians call it Lyuba. They use LR mostly to wire payments to each other, probably because the system does not block transactions. LR does not care about what you are paying for and what you write in your comments.

LR is also popular because of its privacy. LR will never disclose any information about payment orders to the authorities. Nobody knows how much money LR actually stores and almost no one knows who runs it.

As far as chargebacks are concerned, LR explains it this way: it is not a bank and it does not care about its reputation. Privacy and reliability are its reputation.

Q: Does that mean users have no guarantees?

A: Apart from those stated in the user agreement – no. And it’s a big risk to use LR. What if it just disappears tomorrow? Everything is founded completely on trust.

Q: But with such strict privacy, can the fraudsters be caught at all?

A: There are two approaches. The first is the police approach to search for the money mules. They find the people who cash the money and the people who are responsible for the theft. But there are so many money mule services in Russia that one will easily replace another. Moreover, where big money is involved, cyber criminals will never confine themselves to only one money mule service. They use several because they deal with dozens of payment orders every day. The sums have to be broken down into smaller amounts, which takes time.

This is the reason why owners of botnets have to hire people to keep an eye on the victim’s account, transactions and other financial information – not just out of generosity but because one person can’t handle that much money. It is a complex scam. If the police try to untangle this knot starting from the money mules they will only find the intermediaries in the criminal chain, not the organizers.

We proceed from the assumption that it is the organizers of the scheme who need to be found first of all. Be it the botnet owner or the cyber criminal who does the stealing. Once the source is uncovered, the accomplices will follow. Our experience shows that only one or two people make up the core of any cyber crime gang. These are the ones at the top of our wanted list.

Q: What kinds of people are they?

A: They are ordinary people, IT specialists. Sometimes they are in employment but more often they are unemployed. They buy expensive cars for 3-5 million rubles, apartments and other luxury goods. They travel a lot. For instance, the Carberp developer wasn’t really based in Moscow. It was difficult to arrest him because he was blowing all the proceeds on traveling and living it up. Now he won’t be seeing much of the world for a long time.

Q: The court ruling in the Carberp trial is pending. Do you think there is enough evidence against the gang leader?

A: We have been collecting evidence on the Carberp leader together with the police and the Federal Security Service since 2009. We examined the malicious software he used and discovered the servers managing the botnets and how they are connected. We tracked down phone calls and his movements across the country. We also got in touch with our colleagues abroad to obtain the data from the servers managing the botnets.

The investigation is not over yet. We are still compiling a full list of victims and identifying further incidents. We believe that this would make the evidence concerning the Carberp criminal cases complete. And we hope that the trial results in a verdict that is commensurate with the crimes committed and that the stolen funds are at least partially restored. At any rate, the court will have the final say.