2020/02/20 16:01:57

Losses of banks from cyber crime



Main articles:

Directions of the attacks to banks

Telephone fraud

Fraud with bank cards

Cracking of ATMs


Central Bank: fraudsters stole 6.4 billion rubles from bank clients in 2019

Fraudsters stole 6.4 billion rubles from clients of Russian banks in 2019, and the "average bill" for a theft of money from citizens was 10 thousand rubles, FinCERT of the Bank of Russia reported on February 19, 2020.

The largest share of transactions made without the consent of individual clients was payment for goods and services on the Internet (CNP transactions), the study says.

In 2019 banks compensated victims for only 15% of the stolen funds, about 1 billion rubles. Online banking and mobile applications were attacked 160.8 thousand times, with damage of 2.27 billion rubles. In 877 cases during the year the thefts were committed by bank employees.

69% of the transactions made without the consent of clients were carried out using social engineering methods: the client was induced to carry out the transaction, or the client's trust was abused. The previous year the share of these transactions reached 97%.

The highest share of social engineering (88%) was recorded in remote banking: clients lost 2.22 billion rubles (on average 14,000 rubles per transaction) and got back every 14th stolen ruble. Citizens were targeted by fraudsters least often when using ATMs and terminals: 40,000 cases totaling 525 million rubles (13,000 rubles per transaction). Of these, card owners themselves disclosed confidential payment information to fraudsters in only a quarter of cases, which is why the share of refunds is higher here, at 10%.

Because of the high share of social engineering in the total volume of transactions made without the consent of clients, the Bank of Russia intends to consider changing the procedure for returning stolen funds, the FinCERT overview says.[1]

Damage to Russian banks from cyber attacks fell by 85%

Over the 12-month period ending in June 2019, the damage to Russian banks from cyber attacks was 510 million rubles, 85% less than in the same period a year earlier. Group-IB reported this at the end of November 2019.

In the first half of 2019 and the second half of 2018, the damage from all types of cybercrime using malware aimed both directly at banks and at their clients was measured at 3.2 billion rubles in total.

Group-IB: damage from cybercrime in the financial sector fell by 85% over the year

At the same time, experts noted a growing number of cases of bank card data compromise. Over the period studied this amounted to 56 billion rubles, a third more than a year earlier.

The number of compromised cards posted on specialized forums grew by 38%, to 43.8 million. The contents of card magnetic stripes (dumps) make up 80% of the carding market; their number grew by 46%.

In addition, the theft and sale of card text data (number, CVV, expiration date) are increasingly common. Their price has begun to rise, while the price of dumps has fallen. The cheapest on the market are data of American banks; the most expensive are card data of European banks.

Russian cards are in the middle price segment and are still not that widespread. A new trend driving the growth in the volume of card text data on sale is JS sniffers, which are becoming more numerous than banking trojans. The threat will be relevant first of all for countries where the 3D Secure system is not widespread. For now, phishing also remains a widespread and the most "long-lived" method of obtaining card data.

According to Anton Yudakov, operating officer of the Solar JSOC cyber attack monitoring and response center at Rostelecom, it is more profitable for attackers to attack not banks but their clients, since bank infrastructure is reasonably well protected and able to detect attacks at early stages.

Belarusian stole 630 thousand euros from banks and returned the money in bitcoins

On November 12, 2019 the Investigative Committee of Belarus announced the investigation of a criminal case on the theft of money from accounts in foreign banks. A 28-year-old resident of Grodno involved in the crimes was arrested with the assistance of the American FBI.

According to the investigation, the man gained access to other people's accounts and transferred money to accounts he controlled, registered to front persons, and then cashed it out. With the illegally obtained money the defendant bought bitcoins.

The Investigative Committee of Belarus announced the investigation of a criminal case on the theft of money from accounts in foreign banks

In addition, the hacker used the stolen money to buy a car and real estate and invested in his own business, a cafe. Cases in which the man bought goods and services using the details of other people's bank payment cards were also recorded, the press service of the Investigative Committee reports.

Investigators know of more than 60 criminal episodes. The defendant provided access to the crypto wallets so that the bitcoins could be withdrawn and the amount received, more than 630 thousand euros, seized.

Other money, property and real estate of the man, worth more than 100 thousand euros in total, were also seized.

He was charged under Part 4 of Article 212 of the Criminal Code of the Republic of Belarus (theft using computer equipment on an especially large scale). The defendant has been taken into custody, where he will await trial.

The hacker fully admitted his guilt, signed a pre-trial cooperation agreement at the pretrial investigation stage, and took measures to compensate for the damage caused and return the illegally gained income. 94 bitcoins were found in cryptocurrency wallets controlled by the 28-year-old Belarusian. As of November 12, 2019 the investigation of the criminal case continues.[2]

Android trojan Fanta stole 35 million rubles from bank cards of Russians

On September 17, 2019 Group-IB reported that its specialists had recorded a campaign of the Android trojan FANTA, which attacks clients of 70 banks, payment systems and web wallets in Russia and the CIS countries. The trojan targets users who place buy and sell ads on the Avito Internet service. Since the beginning of 2019 alone, the potential damage from FANTA in Russia was at least 35 million rubles. Read more here.

Cybercriminals who stole 1 billion rubles from Russian banks sentenced

On February 8, 2019 it became known that twelve cybercriminals who stole about 1 billion rubles from Russian banks had been sentenced. By decision of the Meshchansky Court of Moscow, depending on the severity of the crime committed, the defendants were sentenced to imprisonment in general-regime and strict-regime colonies, and also to suspended sentences.

Depending on the role played in the criminal community, the defendants were accused of establishing a criminal organization and participating in it (Article 210 of the Criminal Code), fraud in the field of computer information (Part 4 of Article 159.6 of the Criminal Code) and theft on an especially large scale (Part 4 of Article 158 of the Criminal Code). The prosecutor's office requested terms for them ranging from 6.5 years in a standard-regime penal colony to 12 years in a maximum-security penal colony. For the founder of the community, the Ukrainian programmer Yury Lysenko, the prosecution requested a term of 15 years.

Under the sentence, the criminals received from 5 years in a general-regime colony to 13 years in a high-security colony. Two persons received 6-year suspended sentences.

The cybercriminal group began its activity in 2014. According to investigators, the criminals modified legitimate software for processing payment orders so as to withdraw funds from bank customers' accounts and then restore the balance at the banks' expense.

According to the prosecution, the group was a complexly organized criminal community consisting of three isolated groups. For security, members of the community did not contact each other. Specifically for the group's needs, Lysenko rented an apartment in Moscow that held all the necessary equipment and where information was exchanged. Lysenko kept 80% of the "earnings" from each transaction, and the other 20% went to accomplices[3].


Central Bank: fraudsters stole over 1 billion rubles from cards of individuals

On March 29, 2019 it became known that in recent months the Central Bank had recorded a surge in unauthorized transactions on bank customers' accounts. In most cases the thefts involve calls from spoofed numbers, and the fraudsters use social engineering methods to mislead people.

The total amount stolen from cards of individuals in 2018 was 1.4 billion rubles, 1.4 times more than in 2017, Central Bank statistics say. Nearly a third of the thefts fell in the last quarter of the year, and 97% of the attacks were carried out using social engineering, a method of obtaining information based on features of psychology and sociology.

In 2019 fraudsters became even more active and began to spoof the bank's phone number (the so-called A-number) when making calls over the Internet. The number of the real bank is displayed on the potential victim's phone screen, and the client is told about an alleged attempt at an unauthorized debit and is given their own full name, passport number, account balance and even last transaction.

The criminals then offer a scheme for "protecting the funds": the money must be transferred to a special account, or full card details, a code word or data from an SMS must be given. Quite often the client, confused by information that only the bank could know, tells the stranger on the phone everything that is asked. After that the theft takes place.

The January attack on clients of Sberbank, when the attackers already knew passport data and account balances, was more productive. And it became possible only thanks to the attackers' access to banking secrecy, – the founder of DeviceLock (which specializes in personal data protection) Ashot Oganesyan told the publication. – A "lookup" of data on a specific person is available on the black market, and for little money it is possible, by the phone number or the full name of the card holder, to obtain information on the balance of their accounts or on transactions.

Fraudsters can also find out a client's account balance and last transaction by calling the bank's automated phone line posing as the client (using the same A-number spoofing technology).

The client's phone number makes it possible to pass the first level of identification when calling many banks and to gain access to such information, – confirms Sergey Chernokozinsky, head of the information security department of OTP Bank.

Judging by official warnings from banks (Sberbank, Raiffeisenbank, Unicreditbank and others), the problem is pressing. Bankers want to share responsibility and the effort of changing the situation with telecom operators. MTS said that a solution protecting against spoofing of 800 numbers is already implemented. VimpelCom (the Beeline brand) is also preparing a technical solution for number spoofing. MegaFon said that for several years it has been helping banks protect against fraud involving spoofing of the bank's official numbers in calls to clients. For now, citizens are advised not to tell anyone the CVV2 from the back of the card, including when asked to enter or dictate the digits through an automated phone line. The same applies to a code word or a password[4] from an SMS[5].

Cybercriminals stole 25 million rubles from B&N Bank

The prosecutor's office of the Zasviyazhsky district approved the indictment in a case of large-scale cyberfraud at B&N Bank. The pretrial investigation established that in May 2018 I., an unemployed resident of Ulyanovsk born in 1988, gained access to the bank's computer information with the help of an unidentified B&N Bank employee, illegally increased the limit on a payment card and withdrew more than 25 million rubles from it. The portal reported this on January 10, 2019, citing Larisa Ignatyeva, senior assistant prosecutor of the Zasviyazhsky district of Ulyanovsk. Read more here.

Cybercriminals stole several tens of millions of dollars from 8 European banks

In 2017-2018 Kaspersky Lab experts took part in investigating several cyber bank robberies in which malware entered the corporate network from an unknown device literally planted by the attackers, it became known on December 5, 2018. This type of attack was later named DarkVishnya. As of December 2018 at least eight banks in Eastern Europe are known to have been robbed this way, and the approximate damage from the incidents was several tens of millions of dollars.

In each recorded case, to begin the attack the cybercriminals planted a device in the organization's building and physically connected it to the company's corporate network. According to Kaspersky Lab specialists, the attackers used three types of devices: a laptop, a Raspberry Pi (a single-board computer the size of a credit card) and a Bash Bunny (a purpose-built tool for automating and carrying out USB attacks). These devices could additionally be equipped with a GPRS, 3G or LTE modem to provide remote access to the organization's corporate network.

During the attacks the cybercriminals tried to gain access to shared network folders, web servers and so on. They used the stolen data to connect to servers and workstations intended for making payments or containing other information useful to the attackers. After gaining a foothold in the financial institution's infrastructure, the attackers used legitimate remote-control software. Because the cybercriminals used fileless methods and PowerShell, they bypassed whitelists and domain policies. Other tools used by the attackers were Impacket, and winexesvc.exe or psexec.exe for remote launch of executable files. The money was then withdrawn, for example via ATMs.

In the last year and a half we have observed a fundamentally different type of attack on banks – quite sophisticated and hard to detect. As a rule, the point of entry into the corporate network in DarkVishnya operations remained unknown for a long time, since it could be in any of the offices located in different regions and even countries. And the unknown device planted and hidden by the attackers could not be found remotely in any way. The search was complicated by the fact that standard utilities were used during the attacks. To be protected from this unusual scheme of digital robbery, we advise financial institutions to take an extremely responsible approach to cyber security, in particular to pay special attention to control of connected devices and of access to the corporate network.
Sergey Golovanov, the leading anti-virus expert of Kaspersky Lab[6]
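The controls named above (tracking connected devices, and watching for winexesvc.exe or psexec.exe remote execution) can be combined into one detection. The following is an added example, not code from Kaspersky Lab or from the original page: the inventory, DHCP log format, host names and events are constructed, and it assumes Windows event 7045 (service installed) and 4624 (logon, type 3 = network) have been exported as simple records.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed asset inventory: MAC addresses of registered devices.
KNOWN_MACS = {"00:11:22:33:44:55", "00-11-22-33-44-66"}

# Constructed DHCP lease log: time, ip, mac, hostname, switch port.
DHCP_LOG = """\
2024-01-15T09:01:12,10.0.5.21,00:11:22:33:44:55,WS-ACC-014,sw3/12
2024-01-15T09:03:40,10.0.5.87,b8:27:eb:12:34:56,raspberrypi,sw7/04
2024-01-15T09:10:02,10.0.5.22,00:11:22:33:44:66,WS-ACC-015,sw3/13
"""

# Constructed, simplified Windows event records.
EVENTS = [
    {"time": "2024-01-15T11:20:05", "host": "PAY-SRV-01", "event_id": 4624,
     "logon_type": 3, "source_ip": "10.0.5.87"},
    {"time": "2024-01-15T11:20:09", "host": "PAY-SRV-01", "event_id": 7045,
     "service_name": "winexesvc", "image_path": "winexesvc.exe"},
    {"time": "2024-01-15T12:00:00", "host": "FILE-SRV-02", "event_id": 4624,
     "logon_type": 3, "source_ip": "10.0.5.21"},
    {"time": "2024-01-15T12:00:03", "host": "FILE-SRV-02", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-01-15T13:00:00", "host": "WS-ACC-014", "event_id": 7045,
     "service_name": "Updater", "image_path": r"C:\Program Files\Vendor\updater.exe"},
]

# Binaries named on the page, plus PSEXESVC.exe, the service PsExec installs
# on the target host.
REMOTE_EXEC_BINARIES = {"winexesvc.exe", "psexec.exe", "psexesvc.exe"}


def normalize_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits so separators do not matter."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def unknown_devices(dhcp_log, known_macs):
    """Return DHCP leases handed to MACs that are not in the inventory."""
    known = {normalize_mac(m) for m in known_macs}
    found = []
    for row in csv.reader(io.StringIO(dhcp_log)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, ip, mac, hostname, port = row
        if normalize_mac(mac) not in known:
            found.append({"time": ts, "ip": ip, "mac": normalize_mac(mac),
                          "hostname": hostname, "port": port})
    return found


def image_basename(image_path):
    """Extract the lowercase executable name from a service image path."""
    last = re.split(r"[\\/]", image_path.strip().strip('"'))[-1]
    parts = last.split()  # drop command-line arguments, if any
    return parts[0].strip('"').lower() if parts else ""


def remote_exec_installs(events):
    """Return service-install events (7045) for remote-execution helpers."""
    hits = []
    for ev in events:
        if ev["event_id"] != 7045:
            continue
        binary = image_basename(ev["image_path"])
        if binary in REMOTE_EXEC_BINARIES:
            hits.append({"time": ev["time"], "host": ev["host"], "binary": binary})
    return hits


def correlate(events, dhcp_log, known_macs, window=timedelta(minutes=5)):
    """Flag remote-exec service installs preceded, within `window`, by a
    network logon from an IP leased to an unregistered device."""
    rogue_ips = {d["ip"] for d in unknown_devices(dhcp_log, known_macs)}
    findings = []
    for inst in remote_exec_installs(events):
        t_inst = datetime.fromisoformat(inst["time"])
        for ev in events:
            if ev["event_id"] != 4624 or ev.get("logon_type") != 3:
                continue
            if ev["host"] != inst["host"] or ev["source_ip"] not in rogue_ips:
                continue
            gap = t_inst - datetime.fromisoformat(ev["time"])
            if timedelta(0) <= gap <= window:
                findings.append((inst["host"], ev["source_ip"], inst["binary"]))
    return findings


if __name__ == "__main__":
    for device in unknown_devices(DHCP_LOG, KNOWN_MACS):
        print("unregistered device:", device)
    for finding in correlate(EVENTS, DHCP_LOG, KNOWN_MACS):
        print("remote exec from unregistered device:", finding)
```

A planted device can use a static address or copy a registered MAC, so a lease-based check like this complements switch-port access control such as 802.1X rather than replacing it.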

Sberbank saved 32 billion rubles of clients' funds from cyber fraudsters

On November 29, 2018 it became known that Sberbank had summed up its preliminary results for 2018 in cyber security. According to the company, Sberbank saved 32 billion rubles of clients' funds from cyber fraudsters. As of November 2018, social engineering was the most widespread type of cyberfraud: more than 80% of the cases recorded by Sberbank in 2018 involved this method of gaining unauthorized access to information by exploiting human weaknesses. As of November 2018, 86% of all social engineering cases were "self-transfers" of money made under the influence of fraudsters. Read more here.

Theft of over 21 million rubles from a Yakut bank

On November 20, 2018 it became known that specialists of the Central Bank of the Russian Federation and the Investigative Department of the Ministry of Internal Affairs had completed the preliminary investigation into the theft of 21.5 million rubles from a bank in Yakutia.

The press center of the Ministry of Internal Affairs did not disclose the name of the affected financial institution. According to the ministry, in July 2017 two citizens of a neighboring state, together with unidentified accomplices, used malware to gain remote access to the systems of the bank and its ATMs and stole 21.5 million rubles. The funds were converted into cryptocurrency and moved abroad.

A criminal case has been opened against two members of the criminal group under Part 3 of Article 272, Part 2 of Article 273 and Part 4 of Article 159.6 of the Criminal Code of the Russian Federation. The case has been submitted to the Yakutsk city court of the Sakha Republic for consideration on the merits.

As of November 20, the preliminary investigation into other members of the criminal group continues, jointly with law enforcement agencies of a number of European countries and Interpol.[7]

Hacking of the payment card system at Bank Islami and theft of $6.5 million

On October 8, 2018 the Pakistani bank Bank Islami announced that its payment card system had been hacked. As a result of the incident attackers managed to steal $6.5 million, although the financial organization denies this. The Bank Islami hack is a major cyber attack in Pakistan. Read more here.

How fraudsters posing as "ethical hackers" extorted money from banks in Russia

Experts of Group-IB, together with representatives of Directorate "K" of the Ministry of Internal Affairs of the Russian Federation and the security service of Post Bank, exposed a group of fraudsters who, posing as "ethical hackers", traded in access to accounts of clients of banks, online stores and insurance companies. The attackers were detained, Group-IB said on October 26, 2018.

As the investigation found, the fraudsters were actively hacking end-user accounts on various services. Having gained access to them, the attackers sent letters about the discovery of a vulnerability in corporate infrastructure to the security service of the organization whose clients had been victimized. As proof, the hackers provided information on the accounts they had compromised and asked for (or rather demanded) a reward of 40 to 250 thousand rubles.

Example of a letter from the attackers posing as "ethical hackers" (White Hat)

But this money was apparently not enough, so the hackers also sold the stolen account access data on hacker forums, Group-IB emphasized.

According to confirmed data alone, at least ten companies fell victim to the group, but the real number of affected organizations is much higher, Group-IB's statement says.

The investigation began after Post Bank received a letter demanding a reward for disclosing information about allegedly existing vulnerabilities in its remote banking system.

In fact there were no such vulnerabilities in the bank's infrastructure. Other organizations that confirmed receiving letters from this group did not have them either.

During the investigation, experts of Group-IB and Post Bank studied the "digital traces" and found that members of the fraud group live in different regions of the Russian Federation. All information about them was passed to law enforcement agencies.

As a result, police detained several young people aged 18-21. Based on the investigation materials, criminal cases were opened under Article 272 of the Criminal Code of the Russian Federation (Illegal access to computer information). As of October 26 the detainees are giving testimony.

For "ethical hackers" (White Hat), searching for vulnerabilities in the public infrastructure of digital services or in software packages and receiving rewards for informing developers about the errors found is an absolutely legitimate way of earning: many large developers even specifically allocate funds for vulnerability search programs (Bug Bounty), – noted Oleg Galushkin, Chief Information Security Officer of SEC Consult Services. – But in this case, however, outright fraud took place. It was not about vulnerabilities in the infrastructure of the affected companies, but about weak protection of user devices. It is possible that these attackers had experience of carrying out penetration tests or have a good idea of how such tests are carried out, but they applied this knowledge for far from ethical purposes.

The expert also noted that companies receiving letters about discovered vulnerabilities risk suffering from the fraudsters' activity far more than it seems at first sight: the sale of their clients' data on hacker forums can lead to severe financial losses.

Group-IB: damage to Russia's financial sector from hacker attacks was 2.96 billion rubles

On October 10, 2018 it became known that in 2017-2018 hackers caused 2.96 billion rubles of damage to Russia's financial sector. This is stated in Group-IB's annual report "Hi-Tech Crime Trends 2018". According to the study, as of October 2018 hackers manage to steal money from 1-2 banks every month, and the damage from one successful theft averages 2 million US dollars.

Financial motivation still prevails among the cybercriminals attacking banks, but theft of money is not the worst thing that can happen to a financial institution. Since in many countries of the world banks are critical infrastructure facilities, they have become targets for pro-state hacker groups specializing in subversion and sabotage. One successful cyber attack can lead both to the liquidation of the credit and financial organization itself and to the collapse of the state's financial system. In this regard, banks should review their approach to the system of protection against cyber threats: the defensive strategy has already exhausted itself. It is time to become the hunter, not a target for attacks.

Ilya Sachkov, CEO and founder of Group-IB

Group-IB singles out four criminal hacker groups that pose a real threat to the financial sector: they are able not only to penetrate a bank's network and reach isolated financial systems, but also to successfully withdraw money through SWIFT, the automated workplace of KBR, card processing and ATMs. These are the Cobalt, MoneyTaker and Silence groups, which consist of Russian-speaking hackers, and the North Korean Lazarus.

Only two criminal groups pose a threat to the SWIFT interbank transfer system: Lazarus and Cobalt, and at the end of 2017 the latter carried out the first successful targeted attack on a bank using SWIFT in the history of the Russian financial sector. By Group-IB estimates, the number of targeted attacks on banks aimed at theft through SWIFT tripled over the reporting period. While in the previous period only three such attacks were recorded (in Hong Kong, Ukraine and Turkey), in this one there were already 9 successful attacks, in Nepal, Taiwan, Russia, Mexico, India, Bulgaria and Chile. The good news is that in the case of SWIFT it is possible to stop most unauthorized transactions in time and return them to the affected banks.

Attacks on card processing remain one of the main methods of theft and are actively used by hackers from Cobalt, MoneyTaker and Silence. In February 2018 members of Silence carried out a successful attack on a bank and stole money through card processing: they managed to withdraw 35 million rubles from cards via ATMs of the bank's partner. Focusing attacks on ATMs and card processing reduced the average damage from a single attack. However, it allows the attackers to carry out these attacks more safely for the "drops" who cash out the stolen money. The attackers are in one country, their victim (the bank) in another, and the cash-out happens in a third.

The MoneyTaker group actively withdraws money via the automated workplace of KBR (the automated workplace of the client of the Bank of Russia): while in November 2017 they managed to withdraw only 7 million rubles, in the summer of 2018 they successfully stole 58 million rubles from PIR Bank. As a reminder, as of October 2018 MoneyTaker has 16 attacks in the USA, 5 on Russian banks and 1 in Great Britain to its name. In the USA the average damage from one attack is 500,000 dollars. In Russia the average amount withdrawn is 72 million rubles. In December 2017 Group-IB published its first report on this group: "MoneyTaker: a year and a half below the radar".

During the period, attacks on payment gateways were carried out only by the Cobalt group. In 2017 they stole money this way from two companies, and in 2018 they made no attempts. Members of the Anunak group, which had not carried out such attacks since 2014, helped them in one of the attacks. Despite the arrest of the group's leader in Spain in the spring of 2018, Cobalt remains one of the most active and aggressive groups, consistently attacking financial institutions in Russia and abroad 2-3 times a month.[8]

Hackers withdrew $100 thousand from Zhilfinance Bank via payment system gateways

In September 2018 Housing Finance Bank (HFB) fell victim to the Cobalt group. As the Kommersant newspaper reported on October 3, 2018, the attackers managed to withdraw about $100 thousand from the bank via payment system gateways. According to information provided to Kommersant by law enforcement agencies, three more credit institutions, whose names are not disclosed, were infected. In all the affected banks law enforcement found "the low level of information security, lack of the Russian antiviruses, the licensed software, updates". Read more here.

Yekaterinburg hackers stole 1.2 billion rubles from banks

Yekaterinburg residents Constantine M. and Igor M. are accused of participating in a criminal group that carried out large-scale fraud in the field of computer information.

According to the investigation, the criminals and their accomplices developed and distributed malware with which they gained unauthorized access over the Internet to customer accounts at various credit institutions. In total the group stole 1.2 billion rubles.

In addition to other people's bank accounts, the attackers also gained access to the database of Yekaterinburg's Koltsovo Airport, the website reports.

The Prosecutor General's Office charged the men with participation in a criminal community, large-scale fraud, illegal access to computer information, and the creation, use and distribution of malicious computer programs.

The criminal case against Constantine M. and Igor M. has been sent to the Kirov district court of Yekaterinburg. Detention was chosen as the measure of restraint for the defendants.

Hackers stole 58 million rubles from PIR Bank

PIR Bank lost more than 58 million rubles as a result of a hacker attack, Kommersant reported in July 2018, citing sources. The newspaper calls it the first cyber attack on Russian banks in 2018.

The hackers withdrew money from PIR Bank's correspondent account at the Central Bank after gaining access to the automated workplace of the client of the Bank of Russia (the automated workplace of KBR). Earlier the Central Bank had given assurances that there would be no more successful attacks on the automated workplace of KBR, Kommersant notes.

PIR Bank confirmed the attack. The head of the bank, Olga Kolosova, said that the stolen funds were transferred to plastic cards of individuals at 22 of the largest Russian banks and cashed out in different regions of the country. According to her, the exact extent of the damage is still unknown.

Learn more: Group-IB: PIR Bank was attacked by the MoneyTaker hacker group

Cyber fraudsters stole more than 9 million rubles from banks in Khabarovsk Krai

In Khabarovsk Krai law enforcement detained a resident of Komsomolsk-on-Amur and two of his accomplices on charges of stealing more than 9 million rubles using special technical equipment. This was reported[9] by the press service of the regional office of the Ministry of Internal Affairs[10] [11] [12].

According to the case file, the attackers stole money using special devices for reading bank card data. In addition, using access to cards of a foreign bank, the criminals tried to steal over 23 million rubles from their holders' accounts.

During searches at the defendants' homes, police seized seals, various documents, computer equipment, a device for reading bank cards, 15 cell phones and 200 bank cards, about 100 of them duplicates.

The investigation is now complete. A criminal case was opened against the attackers for crimes under Part 3 of Article 30 and Part 4 of Article 159 ("Attempted fraud") and Parts 3 and 4 of Article 158 ("Theft"). The case has been sent to court for consideration on the merits.

Sberbank: Russia's losses from cyber crime in 2018 could reach 1 trillion rubles

Russia's GDP is currently estimated at approximately 92 trillion rubles. Thus, the economy's losses from cybercrime could exceed 1% of GDP.

The Russian economy's losses from cyber crime could grow significantly in 2018, to 1 trillion rubles, Stanislav Kuznetsov, vice chairman of the board of Sberbank, said on May 24 in an interview with RIA Novosti on the sidelines of the St. Petersburg International Economic Forum (SPIEF).

In 2017 Sberbank estimated the economy's losses at 600-650 billion rubles.

"We are now preparing an analytical study for the International Cyber Security Congress, which will take place in July; it will be devoted to the analysis of cyber risks in different countries of the world. By our estimates, the economy of Russia could lose at least 1 trillion rubles by the end of 2018," Kuznetsov said.

According to him, this figure is quite realistic, but it could be revised downward if there is a breakthrough in information protection for individuals and businesses. The number of fraud crimes using social engineering methods in Russia is not decreasing.

A fake banking application made it possible to steal up to 500 thousand rubles daily

Directorate "K" of the Ministry of Internal Affairs of the Russian Federation, with the active assistance of Group-IB, an international company specializing in preventing cyber attacks and developing information security products, detained a 32-year-old resident of the Volgograd region accused of stealing from clients of Russian banks with the help of an Android trojan. From 100 thousand to 500 thousand rubles a day were stolen from users, and part of the stolen money was converted into cryptocurrency for further cash-out and concealment of the criminal activity, Group-IB reported on May 24, 2018.

Analyzing the "digital traces" of the thefts committed, Group-IB specialists found that the banking trojan used in the criminal scheme was disguised as the financial application "Banks on a Palm", which acted as an "aggregator" of the mobile banking systems of the country's leading banks. Users could load all their bank cards into the application so as not to carry them around, while being able to view card balances based on incoming SMS messages for all transactions, transfer money from card to card, and pay for online services and purchases in online stores. The application was distributed through spam mailings, on forums and through the official Google Play store. Activity of this malware was first recorded in 2016. Presumably a group of attackers was behind the "aggregator".

Attacking worked as follows. Having become interested in opportunities of the financial aggregator, clients of banks downloaded the Banks on a Palm application and entered data of the cards. The started trojan sent data of bank cards or logins \passwords for an input to Internet banking to the server to malefactors. After that the malefactor transferred money to in advance prepared bank accounts the amounts from 12 to 30 thousand rubles for one transfer, entering the transaction SMS confirmation code intercepted from phone of the victim. Users did not suspect that they became the victims of cybercriminals — all SMS confirmations of transactions were blocked. It was on average abducted from 100 thousand to 300 thousand daily, and by the beginning of 2018 of the amount of damage grew to 500 thousand rubles a day.

In the course of investigation field investigators of Administration "K" of the MIA of Russia contacted "pourer", one of participants of the criminal scheme who directly transfered money from accounts of users to cards of malefactors. The previously convicted according to Article 222 of the Criminal Code of the Russian Federation (arms trafficking) the 32-year-old unemployed from the city of Volzhsky was him. In May, 2018 the suspect was delayed. During a search 130 thousand rubles, SIM cards and bank cards to which the stolen money came were withdrawn from him. The suspect gave confession. Charges under the Articles 159 and 174 of the Criminal Code of the Russian Federation are brought to him. The investigation is carried on.

Hackers stole hundreds of millions from banks in Mexico

Over the last several weeks a number of Mexican banks fell victim to hackers who stole huge amounts of money. According to Reuters reporting in the spring of 2018, the attackers used counterfeit requests to transfer funds to fake accounts and then quickly cashed them out. The hackers sent hundreds of counterfeit transfer requests, for amounts from tens of thousands to hundreds of thousands of pesos, from the accounts of Mexican banks to fake accounts in other banks, and then quickly cashed the money out at dozens of bank branches[13][14].

According to one Reuters source, the cybercriminals stole more than 300 million pesos (about $15.4 million), while the publication El Financiero puts the figure at 400 million pesos. It is also unclear how much the attackers managed to cash out, since some fraudulent transactions were blocked, the source notes.

According to the head of the Central Bank of Mexico, Alejandro Diaz de León, Mexico has faced such a large-scale attack on its payment system for the first time. It is too early to say that the attacks have ended, Diaz de León notes, but banks are doing everything possible to repel and prevent them.

The head of the Mexican Central Bank did not specify the amount stolen or the names of the affected financial organizations. The data obtained so far indicate that the banks fell victim to cyber attacks. According to one source, the illegal transfer of such large amounts could not have happened without the participation of insiders in bank branches. The interbank messaging system [15] remained untouched, and the hackers probably attacked the software, developed by the organizations themselves or by third-party contractors, that banks use to connect to the payment system.


Central Bank: hackers managed to steal 16 kopeks per thousand rubles from Russian banks in 2017

In 2017 hackers stole only 16 kopeks per thousand rubles from Russian banks. Artem Mikhaylovich Sychev, deputy head of the Bank of Russia's main directorate for security and data protection, reported this in an interview with RIA Novosti in February 2018.

Artem Sychev also advised banks "to really, and not just formally, fulfill the Bank of Russia's cybersecurity requirements". He called the past year a positive one, since the downward trend in the amount of money lost by clients and banks strengthened. "This indicator was 28 kopeks per thousand rubles; according to the results of last year it was only 16 kopeks," he said. The deputy head of the Central Bank directorate also noted that Russian banks detected cyber attacks more often last year. "We cannot say that the number of attacks increased over the last year, but we can say absolutely precisely that the detectability of attacks increased," Sychev said.

A day of downtime caused by a cyber attack can cost a bank 50 million rubles

Cost of a day of downtime

A day of downtime caused by a cyber attack can cost a bank 50 million rubles: this is how 30% of the Russian credit institutions surveyed by Positive Technologies for the study "How Much Is Security" estimate their losses.

Other banks participating in the survey estimated the possible damage from a one-day failure of corporate infrastructure as follows: from 10 to 50 million rubles, 7% of respondents; from 2 to 10 million rubles, 25%; and from 0.5 to 2 million rubles, 38%.

Recovery costs

In addition to the direct financial loss from a cyber incident, Positive Technologies also gives estimates of the cost of restoring corporate infrastructure after all resources of the domain have been put out of action. 12% of banks estimate recovery at between 10 and 50 million rubles, and every third bank (33%) is prepared to spend from 2 to 10 million rubles on it.

Damage from cyber attacks

Web applications play an important role for modern financial institutions. Being unable to make a transfer or payment through online banking, even for a single day, will cause discontent among clients. Most banks (52%) believe that unavailability of a key web application for one day can cause damage of 2‒10 million rubles. The attacker will spend far less on such an attack. As the authors of the study note, the cost of an attack on web resources on the darknet is estimated at approximately $5 for an hour and $300 for a day.

The threat of database theft causes no less concern among banks. More than half of the survey participants (53%) estimated the expected losses from theft of the client database by a competitor at more than 50 million rubles.

Budget and means of protection

Some banks that took part in the study stood out from other companies by the size of their information security budget, which averaged 80‒150 million rubles. For comparison, most financial institutions are limited to 20‒40 million rubles.

The study showed that the banking industry is the only one in which 100% of companies train employees in the fundamentals of cybersecurity. In addition, awareness-raising work on cybersecurity must be carried out under the recommendations of the Bank of Russia and the requirements of the international PCI DSS standard.

Financial institutions in the top 10 (by the budget allocated to cybersecurity) use modern approaches to protection, but in other banks the situation is not so rosy. Application-layer firewalls (Web Application Firewall) are used to protect web applications by only 70% of the top 10 by cybersecurity budget and only 13% of the rest. All banks in the top 10 have their own Security Operations Center, compared with only 40% of the rest. 37% of all financial institutions that took part in the study sometimes bring in experts from third-party companies to investigate incidents, and most of them also have an internal SOC unit. SIEM systems are used by 65% of financial companies (among the top 10 banks by cybersecurity budget the figure is 100%). 25% of the responding banks do not control the installation of software updates, and 8% do not monitor the appearance of information about new vulnerabilities (0-day). In addition, 10% of financial institutions have never carried out penetration testing or a comprehensive information security audit, despite the requirement of the PCI DSS 3.2 standard and the recommendation of the Bank of Russia.

Six components of protection

Positive Technologies identified six components of protection which, in addition to standard protective measures, make it possible not only to meet regulators' requirements but also to confidently resist cybercriminals. Among them: regular penetration tests, readiness to respond to incidents, control of the network perimeter, the presence of WAF and SIEM, and training employees in the fundamentals of cybersecurity. It turned out that only 13% of the surveyed banks apply such a comprehensive approach to protection against cyber threats. In other industries, however, the result is even worse: there are no such companies at all.

"The banking industry understands better than others the possible losses from an insufficient level of security," noted Evgeny Gnedin, head of the information security analytics department at Positive Technologies. "It cannot be otherwise: each high-profile incident connected with thefts of client databases or logic attacks on ATMs and processing means damage in the tens and hundreds of millions of rubles. The prompt work of FinCERT, thanks to which, for example, Russian banks on the whole avoided the epidemic of encrypting viruses, helps in reacting to threats. On the other hand, the number of steps towards real security correlates strongly with the budget allocated to information security. Only banks with an enormous cybersecurity budget follow all the best practices for protecting IT infrastructure. Unfortunately, many financial institutions are not ready to effectively resist targeted attacks, so in 2018 further high-profile incidents can be predicted, for example ones connected with the Cobalt group."

The first cyber attack on a Russian bank through SWIFT

Globex, a subsidiary bank controlled by Vnesheconombank (VEB), became the first bank affected by a cyber attack in which funds were withdrawn via the SWIFT system, Kommersant reports, citing a source.

Barclays: losses from holiday cyberfraud may exceed 1.3 billion pounds

According to forecasts by Barclays bank, holiday cyberfraud will reach its peak in December 2017, and shoppers' losses may exceed 1.3 billion pounds. Barclays representatives reached this conclusion on the basis of a survey of more than 2 thousand shoppers in September 2017. The study showed that, while the amounts spent in online stores are increasing, shoppers' awareness of cybersecurity is not growing.

For example, 38% of respondents told Barclays that they do not know how to determine whether a website is trustworthy. The study also showed that on average one shopper loses 893 euros as a result of cyberfraud, which is equivalent to a total of 1.3 billion pounds if this figure is extrapolated to the population of the country.

Barclays also published a series of holiday tips for buyers of Christmas gifts on how to avoid becoming victims of fraudsters. Barclays' aim is to reduce the probable losses, most of which the large banks are forced to cover.

In particular, the bank's experts recommend checking for the padlock symbol and the "https" abbreviation in the address bar on retail websites; never using public Wi-Fi for transactions; never disclosing the bank PIN code on other websites; and regularly checking the balance of the bank account.[16]

A fraudster tried to steal 1.4 billion rubles from a Russian bank

The Kirov district court of Yekaterinburg sentenced the entrepreneur Alexander Kempel to 3 years and 6 months of imprisonment for attempting to steal about 1.4 billion rubles from Ring of the Urals bank, the prosecutor's office of the Sverdlovsk region[17] reported[18].

In November-December 2014 the fraudster conspired with a person not identified by the investigation to steal money on an especially large scale by connecting payment terminals to a computer and then hacking them.

Through acquaintances the fraudster found two legal entities that had settlement accounts at LLC CB Koltso Urala. He rented PoS terminals from the entrepreneurs, allegedly for cashing out money.

In January 2015 Kempel and his accomplice, using the PoS terminals they had obtained and payment cards at their disposal issued to persons not identified by the investigation, carried out a number of financial transactions paying for goods and then returning the money to their accounts, allegedly on the basis of a refusal of services. First, having hacked the terminal with the computer, they tried to "return" 1.4 billion rubles, but the bank's security service noticed the suspicious activity and cancelled the transaction.

Several months later the attackers again tried to steal money using the same scheme. This time they managed to move 29 million rubles to the accounts of shell companies registered in Kazakhstan.

The court found the defendant guilty under Article 159.6 of the Criminal Code of the Russian Federation (attempted fraud in the field of computer information committed by a group of persons by prior conspiracy on an especially large scale). Kempel was not present at the court session and was put on the wanted list[19].

The average cumulative damage from one incident reached $926 thousand

According to a Kaspersky Lab study ("Financial cyberthreats in 2016", conducted among 800 representatives of financial institutions from 15 countries), losses of financial institutions from cyber attacks are becoming more and more noticeable: the average cumulative damage from one incident reached $926 thousand. In addition to direct loss, this figure includes additional staff salary costs, the engagement of external specialists, reputational costs, lost profit, and insurance payments and compensation to clients.

Attacks on POS terminals proved the most costly: the average loss from them was $2.1 million. They are followed by threats connected with the compromise of mobile devices ($1.6 million in damage) and targeted attacks ($1.3 million).

Growing losses force financial institutions to increase spending on cybersecurity. Although the need to comply with regulators' requirements remains the main reason, 63% of respondents consider such compliance only a starting point in building a protection system. Another factor that forces companies to increase spending in this area is the growing complexity of infrastructure. Finally, security spending can increase when a company recognizes that its own knowledge in this area is insufficient, as well as at the direction of management or because of business expansion. In summary, the funds allocated to information security will continue to grow: 83% of respondents are sure of it.

The study showed that financial institutions are concentrating on studying cyber threats and auditing their security systems: 73% of respondents consider such measures effective.

When developing a cybersecurity strategy, Kaspersky Lab experts also advise taking the following recommendations into account:

  • Beware of targeted attacks. They can be carried out through third parties or your contractors. Such companies are often poorly protected, which can become your problem.
  • Consider the human factor: attackers very often and inventively use social engineering methods to penetrate a company's infrastructure.
  • Remember that compliance with security requirements alone does not guarantee protection. It is no less important to apply a comprehensive approach to security.
  • Carry out regular penetration tests. You should know about the vulnerabilities in your infrastructure before attackers reach them.
  • Take the insider threat into account. Attackers can bribe company staff to bypass the protection system. This can be countered by applying cybersecurity policies, properly segregating access and using additional methods for detecting anomalous activity in the organization.

Banks are forced to spend three times more on cybersecurity than other companies

According to a Kaspersky Lab study, the average annual cybersecurity budget of banks reaches $58 million, three times more than at non-financial organizations. In most cases this spending pays off: bank representatives report far fewer computer crimes than companies of the same size in other industries. Moreover, 64% of respondents said that they will invest in improving protection regardless of the payback on these investments.

The growth of investment in cyber defense has solid reasons: in the last several years the number of threats to the financial industry has grown steadily, and they are becoming more complex and fraught with serious consequences, the company said. 70% of banks reported that over the last year they suffered monetary losses as a result of cyberfraud. The greatest concern is caused by the risks connected with mobile banking: 42% of respondents believe that within the next three years the overwhelming majority of clients will use it, while the level of users' cyber literacy will remain low. This threatens an increase in the number of incidents involving theft of money via mobile devices.

Among other relevant threats to users, banks singled out phishing: clients of 46% of the companies encountered it in 2016. Another area of increased risk is ATMs. Yet only 19% of banks are concerned about the threat of attacks on them, while in 2016 the volume of malware for ATMs grew by 20% compared with 2015.

According to Kaspersky Lab, users' carelessness and the growing number of attacks are forcing banks to review their security priorities: 61% of study participants named improving the protection of applications and websites as one of their main priorities. In second place (52%) was the implementation of more reliable authorization systems.

The hackers who stole more than 1 billion rubles from Russian banks have been caught

Russian police detained nine hackers who are the creators of the Lurk trojan, designed to steal funds from banking systems. The detention was confirmed by the official representative of the Ministry of Internal Affairs, Irina Volk. The criminals' connection with Lurk was reported by the TASS news agency, citing a police source, according to CNews[20].

All nine criminals were detained on January 25, 2017 in five different regions of Russia: Moscow, St. Petersburg, Krasnodar Krai, and the Tver and Sverdlovsk regions. One hacker was taken into custody by court decision, Volk reported.

This is the second wave of detentions in the case of theft from banking systems; the first was carried out jointly by the Ministry of Internal Affairs and the FSB in May 2016. After the first detentions, law enforcement agencies spent several months finding the remaining members of the group, which was accomplished by the beginning of 2017.

The criminals detained during both operations will be charged under the articles "Creation of and Participation in a Criminal Community" and "Fraud in the Field of Computer Information Committed by an Organized Group or on an Especially Large Scale".

The first wave of detentions

The hackers detained in May 2016 were suspected of stealing more than 1 billion rubles from bank accounts, and according to some reports 1.7 billion rubles. They also presumably attempted to withdraw a further 2.2 billion rubles from accounts. In addition, the group was suspected of attacks on critical infrastructure, in particular on industrial enterprises of strategic importance. Recall that the State Duma recently approved prison terms of up to 10 years as punishment for cyber attacks on critical infrastructure.

In total, 27 criminals scattered across 17 regions of Russia were detained in 2016. 19 of them were taken into custody. The group consisted of about 50 people in total. It had been stealing funds from customer accounts of financial institutions since 2013. During the capture operation the police searched 34 addresses, confiscated 90 devices, including computers, drives and communication equipment, and seized cash amounting to 4.5 million rubles as well as bladed weapons.

Ammyy Admin, software for remote PC control, was one of the programs Lurk was disguised as. The trojan was posted on the official Ammyy Group site, from where it could be downloaded, for example, by the system administrator of a victim company. Running the Ammyy Admin installer launched the malware Trojan-Spy.Win32.Lurk. In addition, a PHP script on the Ammyy Group web server was modified so that it checked whether the computer downloading Ammyy Admin belonged to a corporate network. If the computer was corporate, the virus was also loaded onto it; private devices did not interest the hackers. It is notable that in a number of banks the use of Ammyy Admin, like other remote control programs, is forbidden. After the hackers' detention in May 2016, the Ammyy Group website stopped distributing Lurk, replacing it with Trojan-PSW.Win32.Fareit, malware for stealing personal data. Kaspersky Lab experts concluded that some person or group of persons was probably distributing different viruses via the company's website and had simply changed customers.


Theft of nearly 2 billion rubles

In March 2016 Group-IB, a company that investigates cybercrime, published a report revealing that hackers had stolen nearly 2 billion rubles from Russian banks.

Zecurion: hackers stole 650 million rubles from Russians' bank cards in a year

In 2016 hackers stole 650 million rubles from the bank cards of Russians. This figure decreased by 15% compared with 2015. The reduction in the number of thefts is connected with the fact that cardholders have studied the most popular fraud schemes and learned not to react to them. This follows from calculations by Zecurion, a company specializing in the security of banking services.

According to Zecurion's forecasts, in 2017 the volume of thefts will increase to 750 million rubles. According to experts, cyber fraudsters are improving their schemes. Attackers call citizens, posing as bank employees, and ask them to provide card data. Hackers also steal bank card data through a virus sent in emails tailored to the interests of the recipients.

The company emphasized that an increase in the volume of thefts is expected by the end of the current year because fraudsters have introduced a new deception scheme. They call potential victims in the name of an employee of the Federal Tax Service and, under the pretext of a debt that needs to be repaid, find out what they need [21].

In 2016 the number of thefts from bank cards on the Internet that occurred through the fault of their owners increased by 78% and reached 107 thousand. According to experts, in 70% of cases bank clients understand how the fraudsters took control of their money, but draw conclusions too late.

In particular, the most widespread methods of fraud with plastic cards are attacking computers holding user data with trojan viruses and gaining access to the victim's account after illegally producing a duplicate of their SIM card. In this case clients are at fault for using Internet banking on work computers or linking it with social networks.

A high risk is also created by using a mobile application on a smartphone to log into the Internet banking personal account, especially after choosing a four-digit code instead of the full login and password for authorization.

To protect the money on bank cards, experts recommend using Internet banking from a separate computer, not keeping large amounts of money on a plastic card, topping up the card balance as needed, and not logging into Internet banking over open Wi-Fi networks.

14 hackers stole more than one billion from Russian banks

Case of 14 hackers

The suspects in the case of the theft of more than 1 billion rubles from Russian banks will stand trial: the Prosecutor General's Office of the Russian Federation has already sent their criminal case to court. The indictment was approved by Deputy Prosecutor General Victor Grin. The Meshchansky district court of Moscow[22] will hear the case[23].

There are 14 defendants in the case. According to the prosecutor's office, they are Yury Lysenko, Evgeny Vorobyov, Ivan Krylov, Artem Mazurenko, Mikhail Vorobyov, Anton Ekimenko, Denis Hryniv, Maxim Usatov, Sergey Makhnichev, Nikolay Milovidov, Mikhail Oreshkin, Oleg Rodin, Nikita Hadzhibekyan and Sergey Chistov.

The investigation believes that they were members of a criminal group that stole funds from Russian banks over the Internet. They are charged under several articles of the Criminal Code of the Russian Federation at once, which provide punishment for establishing a criminal organization and participating in it, fraud in the field of computer information, and theft.

In the case of the fifteenth member of the group, Anton Testov, a conviction has already been handed down, the prosecutor's office reports. Testov was able to receive his sentence ahead of the others because he agreed to cooperate with the investigation. The group also included other persons who have already been put on the international wanted list; the investigation of their actions continues. Arrests of suspects began in 2015.

Corpus delicti

The investigation of the case is conducted by the Investigative Department of the Ministry of Internal Affairs of the Russian Federation. Investigators believe the criminal hacker group was created by Ukrainian citizen Yury Lysenko in July-November 2014. At Lysenko's suggestion, more than 17 people besides him joined it. "Funds of financial institutions were stolen by entering and modifying computer information using the Internet, and by carrying out transfers and withdrawals of money on bank cards followed by their cancellation and the restoration of the account balance," the prosecutor's office claims.

The group operated in Moscow. In total the affected financial institutions lost more than 1 billion rubles. According to Kommersant, they included such banks as Promsvyazbank, Zenit, Trust and Uralsib, as well as small credit institutions. Of the total stolen, about 880 million rubles was found in Lysenko's account. The leader and organizer of the group has no higher or any other education in the field of IT or finance.

At first the group stole money from ATMs. Special devices that influenced the cash dispensing procedure were installed on ATMs. About 5.7 million rubles was stolen this way. After that the group moved on to withdrawing funds over the Internet.

The prosecutor's office demands 15 years in prison for the leader of the group

The prosecution requested a sentence of 15 years' imprisonment for Ukrainian Yury Lysenko, accused of organizing a cybercriminal group. For Lysenko's 13 accomplices the prosecution demands from 6.5 to 12 years' imprisonment. The Kommersant newspaper reported this on Monday, December 10, 2018.

According to the prosecution, the criminals would deposit 200 thousand rubles on a bank card and then transfer the money to another card. Then, using malware, the transaction was cancelled. Treating the transfer as failed, the banks returned the money to the sender's account, but from their own funds. The cybercriminals thus doubled their money. Using this method the attackers stole more than 1 billion rubles.
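The loss in this scheme appears when a reversal credits the sender without taking the money back from the recipient. The following reconciliation check is an added example, not code from the case or from any bank; the ledger format, account names and amounts are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Entry(NamedTuple):
    ts: int        # seconds since the start of the sample
    ref: str       # operation reference shared by all legs of one operation
    account: str
    amount: int    # rubles: positive = credit to the account, negative = debit
    kind: str      # "deposit", "transfer", "reversal" or "cash_out"


class Finding(NamedTuple):
    ref: str
    reason: str
    exposure: int  # rubles the bank ends up covering from its own funds


# Constructed sample ledger (hypothetical format).
SAMPLE_LEDGER = [
    # T1: the pattern described above. The sender is re-credited, the recipient keeps the money.
    Entry(0, "D1", "card-A", 200_000, "deposit"),
    Entry(10, "T1", "card-A", -200_000, "transfer"),
    Entry(10, "T1", "card-B", 200_000, "transfer"),
    Entry(20, "T1", "card-A", 200_000, "reversal"),
    # T2: a legitimate reversal. Both legs are undone.
    Entry(0, "D2", "card-C", 50_000, "deposit"),
    Entry(30, "T2", "card-C", -50_000, "transfer"),
    Entry(30, "T2", "card-D", 50_000, "transfer"),
    Entry(40, "T2", "card-C", 50_000, "reversal"),
    Entry(40, "T2", "card-D", -50_000, "reversal"),
    # T3: both legs are reversed on paper, but the recipient cashed out first.
    Entry(0, "D3", "card-E", 30_000, "deposit"),
    Entry(50, "T3", "card-E", -30_000, "transfer"),
    Entry(50, "T3", "card-F", 30_000, "transfer"),
    Entry(55, "W3", "card-F", -30_000, "cash_out"),
    Entry(60, "T3", "card-E", 30_000, "reversal"),
    Entry(60, "T3", "card-F", -30_000, "reversal"),
]


def audit_reversals(ledger):
    """Return reversed transfers that leave the bank covering the refund."""
    findings = {}

    # Check 1: the legs of a reversed transfer must net to zero across
    # customer accounts. A positive net means money was created for customers.
    net = defaultdict(int)
    reversed_refs = set()
    for e in ledger:
        if e.kind in ("transfer", "reversal"):
            net[e.ref] += e.amount
            if e.kind == "reversal":
                reversed_refs.add(e.ref)
    for ref in reversed_refs:
        if net[ref] > 0:
            findings[ref] = Finding(ref, "unmatched_reversal", net[ref])

    # Check 2: a reversal that debits the recipient is only real if the
    # recipient still holds the funds. Replay balances in time order.
    balance = defaultdict(int)
    for e in sorted(ledger, key=lambda entry: entry.ts):
        balance[e.account] += e.amount
        overdrawn = e.kind == "reversal" and e.amount < 0 and balance[e.account] < 0
        if overdrawn and e.ref not in findings:
            shortfall = min(-balance[e.account], -e.amount)
            findings[e.ref] = Finding(e.ref, "recipient_drained", shortfall)

    return [findings[ref] for ref in sorted(findings)]


def total_exposure(findings):
    return sum(f.exposure for f in findings)


if __name__ == "__main__":
    for finding in audit_reversals(SAMPLE_LEDGER):
        print(finding)
```

Running a check of this kind before the refund is released, rather than in end-of-day reconciliation, is what prevents the payout from the bank's own funds.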

As the forensic examination showed, the criminals developed their own software for cancelling transactions on the basis of Montero and Software. However, the defense will insist that the results are inaccurate. According to the lawyers, they asked the producers of Montero and Software whether such malware could exist and received a negative answer.

Members of the organized criminal group obtained a further 5.7 million rubles by installing special devices on ATMs to control the dispensing of banknotes. The victims of the cybercriminals included Promsvyazbank, the banks Zenit, Trust, Uralsib and others.

Hackers took full control of a bank in Brazil

Hackers took over the management of all IT operations of a Brazilian bank. Each of the bank's 36 domains, its corporate e-mail and its DNS came under the attackers' control. This situation lasted three months, until October 2016, when it became obvious that malware, a Java file hidden in an archive loaded into the index [24], was being delivered to all visitors via the bank's website.

Disclosing details of the attack at the Security Analyst Summit in the spring of 2017, Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev reported that the attackers were active in nine other organizations in different regions of the world.

The bank, whose name is not disclosed, reports that it serves five million clients in Brazil, the USA, Argentina and Grand Cayman and manages assets of 25 billion dollars through a network of 500 branches.

"Each visitor has a plug-in with the JAR file inside," Bestuzhev explains, adding that the hackers controlled the website's index file. An iframe was loaded in the index that redirected visitors to a website from which the malware was loaded.

The hackers took control of the bank's DNS servers and pointed all 36 of the bank's domains to fake websites, which used free HTTPS certificates from Let’s Encrypt.

"All domains, including corporate ones, were under the control of the "bad guys"," Assolini says, adding that the attackers also penetrated the corporate e-mail infrastructure and blocked it, preventing the bank from informing clients about the attack or contacting its registrar and DNS provider.

The researchers found eight modules, including configuration files with the bank's URLs, update modules, modules for stealing credentials for Microsoft Exchange, Thunderbird and the local address book, and modules for controlling and decrypting Internet banking. According to the researchers, all modules communicated with a command server in Canada.

One of the modules, Avenger, is a legitimate penetration testing tool used for removing rootkits. In this case, however, it was modified to remove the security products running on the infected computers. Avenger helped the researchers determine that nine other banks worldwide had been attacked and taken over in the same way.

"The criminals wanted to use this opportunity to take over the operations of the original bank and also to load malware capable of stealing money from banks in other countries," Bestuzhev says.

The researchers also reported that phishing pages were uploaded to the bank's domains to induce victims to enter payment card data.

This scheme was detected five months before the Let's Encrypt certificate was registered. Phishing emails using the name of the Brazilian registrar, addressed to local companies, were also found.

Bestuzhev and Assolini believe this may have been the method by which the hackers obtained access to the bank's DNS settings.

"Imagine that, using the compromised data of one employee, attackers get access to the DNS tables. That is very bad!" Bestuzhev emphasized. "If DNS is under the control of criminals, that's it, you're caught."

The researchers emphasized the importance of securing DNS infrastructure and the need to take advantage of features such as two-factor authentication, which most registrars offer but very few clients use.
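A registrar-level takeover like the one described changes three things an outside monitor can see at once: the delegated name servers, the addresses the names resolve to, and the certificate issuer. The baseline comparison below is an added example, not tooling from Kaspersky Lab or the bank; all domains, name servers, addresses and the corporate CA name are constructed, and in practice the observations would come from periodic resolver and TLS probes.

```python
import ipaddress
from typing import NamedTuple


class Baseline(NamedTuple):
    nameservers: frozenset  # NS hosts recorded while the zone was known-good
    networks: tuple         # CIDR blocks the organization actually hosts from
    issuers: frozenset      # CAs the organization really obtains certificates from


class Observation(NamedTuple):
    nameservers: tuple
    addresses: tuple
    cert_issuer: str


def _norm(host):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.rstrip(".").lower()


def drift_reasons(base, obs):
    """Compare one observation with its baseline and list what changed."""
    reasons = []
    if {_norm(n) for n in obs.nameservers} != {_norm(n) for n in base.nameservers}:
        reasons.append("ns_changed")
    nets = [ipaddress.ip_network(n) for n in base.networks]
    for addr in obs.addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            reasons.append("address_outside_baseline")
            break
    # An issuer is flagged only because it is not in this baseline,
    # not because the CA itself is untrustworthy.
    if obs.cert_issuer not in base.issuers:
        reasons.append("unexpected_issuer")
    return reasons


def check_snapshot(baselines, snapshot):
    """Return {domain: reasons} for every monitored domain that drifted."""
    report = {}
    for domain in sorted(baselines):
        obs = snapshot.get(domain)
        reasons = ["no_observation"] if obs is None else drift_reasons(baselines[domain], obs)
        if reasons:
            report[domain] = reasons
    return report


def critical_domains(report):
    # Delegation and hosting moved together: the combination seen in a hijack.
    return [d for d, r in report.items()
            if "ns_changed" in r and "address_outside_baseline" in r]


def fleet_takeover_suspected(baselines, report, threshold=0.5):
    # Many domains moving in one snapshot points at the registrar or DNS account.
    return len(critical_domains(report)) / len(baselines) >= threshold


# Constructed sample data: example domains and documentation address ranges.
GOOD = Baseline(
    frozenset({"ns1.dns-provider.example", "ns2.dns-provider.example"}),
    ("192.0.2.0/24",),
    frozenset({"Example Corporate CA"}),
)
BASELINES = {name: GOOD for name in (
    "bank.example", "online.bank.example", "mail.bank.example", "cards.bank.example")}
ROGUE_NS = ("ns1.rogue-host.example", "ns2.rogue-host.example")
SNAPSHOT = {
    "bank.example": Observation(ROGUE_NS, ("203.0.113.10",), "Let's Encrypt"),
    "online.bank.example": Observation(ROGUE_NS, ("203.0.113.11",), "Let's Encrypt"),
    "mail.bank.example": Observation(
        ("NS1.dns-provider.example.", "ns2.dns-provider.example"),
        ("192.0.2.25",), "Example Corporate CA"),
    "cards.bank.example": Observation(
        ("ns1.dns-provider.example", "ns2.dns-provider.example"),
        ("192.0.2.80",), "Let's Encrypt"),
}

if __name__ == "__main__":
    report = check_snapshot(BASELINES, SNAPSHOT)
    print(report)
    print("fleet takeover suspected:", fleet_takeover_suspected(BASELINES, report))
```

Alerts from such a monitor need an out-of-band delivery path, since in the incident above the bank's own e-mail was under the attackers' control.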

Hackers stole 100 million rubles from the Russian bank

On December 1, 2016 it became known that a Russian bank had lost 100 million rubles as a result of a cyber attack. Presumably, the automated banking system (ABS) was compromised.

According to Kommersant, citing sources in the information security market and a person close to the Central Bank, hackers withdrew more than 100 million rubles from a Russian bank. The press service of the Central Bank confirmed this damage to the publication.

The Russian bank lost 100 million rubles because of a cyber attack

The name of the affected credit institution has not been disclosed. It is known only that a branch of a regional bank was attacked, and the attackers withdrew all the funds held in that branch.

Law enforcement agencies and FinCERT are handling the incident.

According to one version, hackers may have compromised the automated banking system developed by Diasoft, as a result of which a payment for a large amount with a false address left the system. Kommersant notes that this may be the first attack of this kind.

"For a long time banks believed that the core banking system sits on the internal network and therefore attackers would not be able to reach it. But today it takes little effort to get into a bank's internal network using social engineering and from there to successfully attack the core banking system," says Ilya Medvedovsky, head of Digital Security.

At the same time, the newspaper's source in the Central Bank says it is too early to draw conclusions, as the investigation has only just begun. According to him, if the problem really is in Diasoft's software product, this information will be passed to the company so that the vulnerabilities can be fixed. Over the last several weeks, no clients in the financial sector have contacted the company about any information security incidents, said Diasoft board member Alexander Gentsis.

According to information published on Diasoft's website, the company has more than 300 banks among its clients, including Sberbank, Gazprombank and Alfa-Bank.[25]

FinCERT: 1.37 billion rubles stolen from Russian banks in 12 months

On July 19, 2016 FinCERT, created by the Bank of Russia, summed up the results of its first year of activity.

According to FinCERT, from June 2015 to May 2016 more than 20 large cyber attacks on the payment systems of credit institutions were recorded. In these attacks criminals tried to steal 2.87 billion rubles. Working with banks and law enforcement agencies, FinCERT managed to prevent the theft of more than 1.5 billion rubles. Thus, hackers were able to steal about 1.37 billion rubles from Russian banks. For more details see the article about FinCERT.

CCI: Damage from hacker attacks on banks in 2016 is 2.87 billion

On June 16, 2016 the scale of the damage from hacker attacks on banks in Russia in 2016 became known: it reached 2.87 billion rubles[26].

These data were presented at a public meeting of the Committee on Financial Markets and Credit Institutions of the Chamber of Commerce and Industry of the Russian Federation.

The total damage to banks since January 2016 is estimated at 2.87 billion rubles. However, the attackers managed to withdraw only 1.2 billion; a further 570 million was stopped, and 1.1 billion was blocked in the accounts of credit institutions.

Alexander Chebar, consultant at FinCERT of the Bank of Russia

Over the last two years there has been a clear shift in the attack vector of cyber fraudsters from bank clients to credit institutions themselves. This is primarily because a targeted attack on a bank brings criminals a large sum, and the process of cashing it out has been rather simple in recent years. Chebar explained that premium-segment cards (Visa Gold, Platinum) were generally used and the input amount was 2.5 thousand rubles.

There are technologies that help prevent the theft of money from clients' bank cards. In particular, chips that considerably reduce the probability of an attack are built into bank cards. Fraudsters focus on the client's data (the card number, the CV code, the PIN code), so care is required when using a bank card.

Central Bank: swindlers stole 1.9 billion rubles from cards

According to data provided by commercial banks to the Central Bank of the Russian Federation and to FinCERT as part of the exchange of information on cybersecurity incidents, the total amount of unauthorized transfers of money held in bank accounts in Russia during 2016 was 1.9 billion rubles (for comparison, in 2015 this figure reached 3.8 billion rubles).

At the same time, 1.08 billion rubles were illegally transferred in card transactions (in 2015, 1.15 billion). Over the past year, 9 large attempts totalling 2.18 billion rubles were detected, of which criminals managed to steal 1.9 billion.

AlphaInsurance and Central Bank of the Russian Federation data on bank losses

According to AlphaInsurance experts, from July 2015 to June 2016 the number of unauthorized withdrawals from bank card accounts in our country grew 5.5 times. Specialists of the Central Bank of the Russian Federation note that during the first half of 2016, 8.2 billion card transactions totalling 23.4 trillion rubles were made inside and outside the Russian Federation.

Sberbank gave figures for losses from cybercriminals

In June 2016 experts announced that losses from cyberthreats worldwide were likely to grow to $2 trillion by 2018[27].

In particular, this opinion of Sberbank's experts was voiced by Stanislav Kuznetsov, vice chairman of the bank's board.

Presentation of a cyber attack study (2013)

There are now at least 40 million cybercriminals operating in the world, and the damage to all countries is at least $500 billion. I think this figure is somewhat underestimated and the real one is much higher.

At the same time, the number of virus attacks in the world is growing by 3% a month, attacks on web services by 2.5%, and thefts of money from various devices or e-wallets by at least 3.5%.

In Russia, according to Sberbank, losses from cyberthreats were 550-600 billion rubles in 2015.

According to Kuznetsov, this figure is approximately twice the damage from all other economic crimes.

He also cited Central Bank data that last year 32 thousand attempts at unauthorized write-offs from clients of various banks, totalling more than 5 billion rubles, were recorded in Russia. Specialists noted 12-fold growth in the number of incidents in this area over the last 2 years.

Kuznetsov said that in all of 2015 Sberbank recorded 52 large hacker attacks on its systems, and since the beginning of 2016, ~57.

In 2015-2016 all Sberbank services have recorded growth in various centralized attacks on financial and credit institutions of the Russian Federation, including Sberbank. We note an increase in such hacker attacks on all remote banking services provided over the Internet.

Attempts to steal 5 billion rubles from Russian banks since January 1, 2016

In total, since January 1, 2016 cyber fraudsters have stolen 2.7 billion rubles from Russia's national financial system. Criminals tried to withdraw about 5 billion rubles in total, i.e. about half of the funds were saved. These figures were announced by Artem Mikhaylovich Sychev, deputy chief of the main department of security and data protection of the Bank of Russia[28], on November 8, 2016[29].

Over the same period, the Central Bank of the Russian Federation identified 21 large thefts totalling 2.5 billion rubles; for about 1 billion rubles of that amount, "the finality of the money transfer had set in".

Two main reasons for the successful thefts were given:

  • a set of vulnerabilities in the payment applications used by banks, which fraudsters exploit;
  • the inattention of bank management to information security issues and insufficient provision for it.

As a result, the share of unauthorized money transfers in Russia is 0.005%, or 5 kopeks per 1000 rubles of transfers, according to the Central Bank of the Russian Federation. For comparison, according to the Bank of Russia, the share of unauthorized transfers in the MasterCard and Visa payment systems at the regional level is 0.06%, or 6 cents per $100. The worldwide figure is 0.09%, or 9 cents per $100 of transfers.


Central Bank of the Russian Federation: Dynamics of quantity and volume of the unauthorized transactions made using the RBS systems

  • Fraud risk[30] remains the main risk with direct financial consequences
  • The risk affects both clients, undermining confidence in remote service channels, and financial institutions, which have begun to sustain real losses from attacks on the KBR automated workplace
  • In addition, there is a risk that it becomes a stop factor for business development and/or IT

Unauthorized access in a payment system

  • According to Power bank, on 27.02.2015 from 12:30 p.m. to 12:43 p.m. attackers gained control of the bank's terminal and carried out a number of unauthorized currency purchase and sale operations on the Moscow Exchange, at such unfavorable rates that, as representatives of brokerage companies assure, the bank lost about 370 million rubles as a result of these transactions
  • Other critical cases
  • Fifteen member banks of the Integrated Settlement System fell victim to large-scale payment card fraud. The incident took place on 8/16/2015; ~500 million rubles were at risk
  • Compromise, just before New Year 2016, of the automated workplaces used for sending payments in several banks of the Russian Federation; each bank lost about USD 10 million
  • February 2016: Metallinvestbank, attempted theft through an attack on the KBR automated workplace, possible losses ~200 million[31]

Kaspersky Lab: Cybercriminals stole $1 billion from 100 financial institutions worldwide

In February 2015, in the course of a joint investigation, Kaspersky (earlier Kaspersky Lab), Europol and Interpol disclosed an unprecedented cybercriminal operation in which attackers stole 1 billion US dollars.

The cyber robbery lasted two years and affected about 100 financial institutions worldwide. Experts believe that behind this high-profile incident is an international group of cybercriminals from Russia, Ukraine, several other European countries and China.

The criminal group, which was given the name Carbanak, used methods characteristic of targeted attacks. However, unlike many other incidents, this robbery marks a new stage: cybercriminals can now steal money directly from banks rather than from users. The activity of the Carbanak gang affected about 100 banks, payment systems and other financial institutions in nearly 30 countries, in particular Russia, the USA, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, Great Britain, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, the Czech Republic, Switzerland, Brazil, Bulgaria and Australia. As experts found out, the largest sums were stolen during intrusions into banking networks: in each such raid the cybercriminals stole up to 10 million dollars. On average, the robbery of one bank, from infection of the first computer in the corporate network to the theft of money and winding down of activity, took the hackers two to four months.

The criminal scheme began with penetration into the computer of one of the organization's employees by means of phishing techniques. After infecting the machine with malware, the attackers gained access to the bank's internal network, found the computers of the administrators of money transaction systems and set up video surveillance of their screens. Thus the Carbanak gang knew every detail of the bank staff's work and could imitate employees' usual actions when transferring money to fraudulent accounts.

"These bank robberies differ from others in that the cybercriminals used methods that allowed them not to depend on the software used in the bank, even if it was unique. The hackers did not even have to break into banking services. They simply got into the corporate network and studied how fraudulent activity could be disguised as legitimate. This is a truly professional robbery," explains Sergey Golovanov, leading anti-virus expert at Kaspersky Lab.

"These attacks are further confirmation that attackers will invariably exploit any vulnerability in any system. In such conditions no sector can feel absolutely secure, so protection issues need constant attention. Identifying new trends in cybercrime is one of the main areas in which Interpol cooperates with Kaspersky Lab, and the purpose of this cooperation is to help state and private companies ensure the best protection against these constantly changing threats," notes Sanjay Virmani, director of the Interpol center that investigates cybercrime.

How the attack proceeded:

  • On average, the robbery of one bank, from infection of the first computer in the corporate network to the theft of money and concealment of traces, took the hackers two to four months
  • Average amount of theft ~ 10,000,000 USD
  • Infection occurred either through an e-mail with an attachment, appearing to come from a bank employee or a client, or through phishing via a link to a web resource where the user was asked to enter a login and password; employees entered their login and password on a fake website imitating a corporate resource or system
  • The attackers then collected information on the bank's work processes and found an opportunity to commit theft, including using S.W.I.F.T. (which at first sight seems completely protected) or the remote banking system for withdrawal of funds
  • They distorted balances so that the write-off amount would not be visible at once

2014: About 1.6 billion rubles stolen from payment cards in the Russian Federation

On June 26, 2015 it became known from a Central Bank overview that the volume of fraudulent transactions with payment cards issued in the Russian Federation reached 1.58 billion rubles in 2014[32].

Attackers used more than 70 thousand payment cards, 70% of which were debit cards. In total, through ATMs, payment terminals, Internet banking and mobile applications, fraudsters stole 3.5 billion rubles from the bank accounts of citizens and companies in 2014.

The Central Bank said that, given 28% growth in the total number of cards and 42% growth in the volume of transactions with payment cards issued in the Russian Federation, the share of unauthorized transactions by number and volume decreased slightly in 2014.

The greatest number of unauthorized transactions was made in money transfers within the Russian Federation (domestic unauthorized transactions accounted for 47% of the volume and 41% of the number of all unauthorized transactions).

Most often fraudsters used the details of real bank cards (from 65% to 72%, depending on the quarter), then counterfeit "plastic" (from 18% to 24%), and in 10-11% of cases data from lost or stolen cards.

Anunak attack
The beginning of the Anunak attack: an e-mail with a malicious attachment

The largest volume of unauthorized transactions was recorded in Moscow and the Moscow region and in the Central, Northwestern and Ural federal districts. The breakdown of operations by region and by infrastructure is of interest. While on average in the regions fraudsters give roughly equal preference to the Internet (fixed and mobile) and ATMs, in the North Caucasian Federal District the share of unauthorized transactions over the Internet reached 81%. The largest number of fraud attempts at cash withdrawal points (10%) was recorded in Crimea.

According to bankers, as of June 2015 fraudsters actively use social engineering (the science of managing human behavior without technical means, based on psychology) to fish out the personal data of cardholders and their card details (phishing).

The standard phishing scheme begins with an SMS about the card being blocked. Trusting people call the telephone number given in the SMS and tell the "bank security specialists" the card number, the CVV code and other data for verification. If the victim's card is protected by 3D Secure, completing a transaction requires a password that arrives automatically on the phone. So the fraudsters say that a test SMS will be sent to unblock the card and that the client should read out the code in it. In fact, at this moment they make a purchase in an online store or transfer funds to a card or mobile phone account[33].

Fraudsters may pose as specialists of the bank's security service or contact center and persuade the client to go to the nearest ATM and carry out operations to "rescue" the funds under their supervision. Following instructions over the phone, citizens transfer funds with their own hands to the fraudsters' e-wallets, bank cards or phones.

The number of deceived bank clients lured to fake websites with very low prices for air tickets or home appliances is growing. On the counterfeit website, fraudsters "build in" a card-to-card money transfer service, confirmed by a one-time password that arrives by SMS, presented as a payment option. The client hastily enters the password, sure that he is paying for a purchase. However, the SMS states what the funds are going toward: if it shows a transfer to a card while the client is making a purchase, he should under no circumstances enter this code or pass it to anyone.

Use of cards by swindlers, 2014

VTB 24 considers skimming (theft of card data by means of a reader device on ATMs and other public payment devices) the most popular type of fraud.

To protect yourself from this type of fraud, do not use ATMs in poorly lit and deserted places. Use ATMs of reliable, trusted banks, do not allow bystanders near during cash withdrawal, and do not accept help from strangers.

Bankers ask clients to examine the ATM carefully before entering the PIN code, Vedomosti

When entering a PIN code, always cover the keypad. This will prevent fraudsters from seeing the PIN code or recording it on a video camera. The security instructions in Sberbank's card terms of use, for example, are part of the agreement, and the client is obliged to follow the rules set out in them. If the bank proves that fraudsters recorded the PIN code with a video camera because the client did not cover the keypad with a hand, a court may well refuse the client compensation for the stolen funds.

2012: Clients of RBS in Russia lost $446 million in a year (-9%)

In 2012 about 9% less money was stolen from remote banking systems in Russia than in the previous year. Group-IB, a company specializing in the investigation of computer crimes, reported this in September 2013 in its status report on cyber crime in the country.



  2. 94 bitcoins on account of compensation of damage: GSU investigates criminal case of plunder from accounts of banks
  3. The Court of Moscow pronounced a sentence to the cybercriminals who stole 1 billion rubles at banks
  4. More than 1 billion rubles stole
  5. from cards of natural persons in 2018
  6. Kaspersky Lab recorded a new type of the attacks to banks of Eastern Europe
  7. Cybercriminals stole more than 21 million rubles from the Yakut bank
  8. The Russian financial sphere lost about 3 billion rubles from cyber attacks
  9. In Khabarovsk Krai investigation of criminal case on the facts of the frauds committed by means of cybertechnologies
  10. Cyberswindlers
  11. is ended
  12. stole more than 9 million rubles from banks of Khabarovsk Krai
  13. Hackers
  14. stole hundreds of millions at banks of Mexico
  15. SPEI represents the Mexican message exchange system between banks like the notorious SWIFT which was repeatedly used by hackers for illegal transfer of money.
  16. Barclays predicts unprecedented scope of online fraud for Christmas
  17. 10/16/2017 In Yekaterinburg
  18. the sentence is pronounced to the local trying to steal over 1.4 billion rubles using the payment terminal
  19. The Swindler tried to steal 1.4 billion rubles at the Russian bank
  20. The hackers who stole more than 1 billion rubles from the Russian banks are caught
  21. According to materials of the Izvestia newspaper
  22. CNews
  23. 14 hackers stole more than one billion from the Russian banks
  24. According to the materials,
  25. The core banking system did not work
  26. The General damage from hacker attacks to banks in the current year is 2.87 billion rubles
  27. Losses from cyberthreats in the world can grow four times to 2 trillion dollars by 2018.
  28. tried to steal
  29. 5 billion rubles at the Russian banks since January 1, 2016
  31. Because of the hacker attack Metallinvestbank lost 200 million rubles
  32. Swindlers stole from plastic cards of Russians 1.58 billion rub in 2014
  33. Card swindlers in a year