2023/07/07 15:00:00

Bank losses from cybercrime


Directions of attacks on banks

The main types of threats are:

  • Targeted attacks to gain access to the corporate network for further sale or use;
  • Encryption programs that can lead to data loss and process shutdown;
  • Theft of money from customers using malware and social engineering;
  • Money laundering and terrorist financing;
  • Misuse of the company's brand;
  • Espionage, theft and publication of information, for example, about VIP clients, their transactions;
  • Regulatory claims related to data and infrastructure security;
  • Reputational threats

The main attack vectors are:

  • SWIFT and local interbank systems;
  • Card processing: attackers penetrate the bank's system and gain access, for example, to the management of ATM withdrawal limits and to the local fast transfer system;
  • Unprotected IT infrastructure;
  • ATMs;
  • The Bank of Russia client automated workstation (AWS KBR);
  • Social Engineering and Phishing

Telephone fraud

Bank card fraud

Hacking ATMs

2023

The Central Bank estimated the amount of money stolen by cyber fraudsters at 4.5 billion rubles for six months

In the first half of 2023, attackers stole a total of 4.5 billion rubles from the bank accounts and cards of Russians. Compared to the average values of 2022, the volume of stolen funds increased by almost 30%, Vadim Uvarov, head of the information security department of the Central Bank of Russia, said in early July 2023.

He also noted that in the first three months of 2023 banks repelled 2.7 million attacks by cyber fraudsters on customer accounts, which made it possible to prevent the theft of more than 700 billion rubles. At the same time, in the first quarter of 2023, the Bank of Russia initiated the blocking of almost 97 thousand fraudulent phone numbers and also sent information on about 7 thousand Internet resources to the General Prosecutor's Office.

"On the one hand, these data show the unprecedented scale of fraud in our country, but on the other hand, they indicate that joint efforts with the industry have managed to build effective work. The vast majority of attacks were repulsed thanks to the built business processes and the work of anti-fraud systems in banks," Uvarov added.

Experts interviewed by Izvestia pointed to several reasons for the negative dynamics in the volume of fraud with bank accounts. The first is the explosive development of artificial intelligence technologies. With the help of AI, you can compose a competent text, replace a person when communicating with clients with voice assistants and, therefore, automate the activities of fraudsters, says Vitaly Fomin, an information security expert at the Digital Economy League. In addition, the number of attacks began to increase amid an increase in the number of online banking users and the launch of large fraudulent call centers outside Russia, said Dmitry Ovchinnikov, chief specialist of the department of integrated information protection systems at Gazinformservice.[1]

Hackers stole millions of dollars from an Indian bank that had no information security protection

In early July 2023, it became known that the Reserve Bank of India had fined Mahesh Bank for its extremely poor cyber protection. Due to the lack of information security tools, criminals were able to steal millions of dollars from the bank.

2022

Central Bank of the Russian Federation: Losses of banks from hacker attacks turned out to be insignificant

In 2022, there was a significant increase in hacker attacks on the infrastructure of Russian banks, but only isolated cases of theft of funds from credit institutions were identified, and Russian banks did not suffer significant losses. This was reported in February 2023 by the Central Bank of the Russian Federation.

"Of course, there are losses, but they are small and do not affect the financial stability of [banks]," said the chairman of the regulator, Elvira Nabiullina.

Russian banks did not suffer significant losses from cyber attacks

The representative of the Bank of Russia, in a conversation with Vedomosti, explained that cases of theft of funds in banks in 2022 were associated with vulnerabilities in informatization objects and imperfection of business processes.

In the Russian Federation in 2022, targeted attacks on banks with the withdrawal of money through an ATM network, card processing or SWIFT system almost completely stopped, a Group-IB employee told the newspaper. However, he warned that financial fraud and phishing remained at a fairly high level.

According to RTK-Solar, the main threat to the financial industry is highly qualified hacker groups, since the perimeter of banks and other large financial organizations is usually well protected and certain technical knowledge and large financial investments are needed to hack it.

The head of the cyber threat analytics department at RTK-Solar Darya Koshkina said that attacks by medium and low-skilled attackers are mainly aimed at bank customers - these attacks use social engineering to directly steal money from accounts. Attackers do not focus much on the scale of a financial organization, both small and large market participants are attacked, said Yana Yurakova, an analyst at the Positive Technologies research group.[2]

Hackers stole almost 4 billion rubles from customers of Russian banks in the third quarter

Hackers stole almost 4 billion rubles from customers of Russian banks in the third quarter. This is about 24% more than a year earlier, the Central Bank said in November 2022.

Losses of banks in the United States amounted to $1.2 billion due to ransomware attacks

On November 1, 2022, the US Financial Crimes Enforcement Network (FinCEN), part of the Treasury Department, revealed the scale of payments that the country's banks made as a result of ransomware attacks. The total amount exceeds $1.2 billion.

In 2021, US financial institutions recorded 1,489 incidents related to attacks in which cybercriminals tried to get a ransom from their victims. For comparison: in 2020, 487 similar incidents were recorded. Thus, the intensity of attacks of this type has tripled. FinCEN says ransomware continues to pose a serious threat to critical US infrastructure sectors, businesses and ordinary citizens.

Banks in the United States paid $1.2 billion ransom for the year after ransomware attacks

In its study, FinCEN took into account the requested ransom amounts and attempted transactions. It is reported that the total amount of payments related to ransomware in 2021 amounted to almost $1.2 billion. Moreover, it is argued that from the second half of 2021, the five most profitable versions of ransomware were somehow associated with Russian cybercriminals. According to the released data, the damage from ransomware attacks allegedly related to Russian hackers in the last six months of 2021 amounted to more than $219 million.

In March 2022, U.S. President Joe Biden signed a cybersecurity law that obliges certain companies and organizations to report incidents to the Department of Homeland Security within 72 hours after an intrusion is detected and within 24 hours if a ransomware payment is made. Now it is said that the intensity and sophistication of ransomware attacks continue to grow. On the other hand, an increase in the number of reports of ransomware may indicate that institutions have become more effective in detecting such incidents.[3]

2021

Fraudsters stole 13.5 billion rubles from bank customers, banks were able to return only 6.8%

On April 12, 2022, it became known that in 2021, fraudsters stole 13.5 billion rubles from bank clients, making more than 1 million unauthorized transfers from bank cards and accounts. Of these funds, banks were able to return only 6.8%, or 920 million rubles, to the affected citizens of the Russian Federation. According to RBC, referring to the Bank of Russia, the level of refund fell for the second year in a row against the background of an increase in theft.

Source: securitylab.ru

The number and volume of fraudulent transfers last year increased by 33.8% and 38.8%, respectively, compared to the previous year. According to the regulator, this is due to the development of new remote payment services and an increase in the volume of money transfers.

The main method fraudsters use to steal funds remains social engineering - psychological pressure on the victim. Another 4.1 billion rubles were stolen by fraudsters when paying for goods and services on the Internet.

In 2021, it was proposed in Russia to introduce a mandatory refund amount for theft from accounts. This initiative came from the Central Bank.[4]

Fraudsters stole $35 million from a UAE bank with the help of a deepfake of the voice of its head

In mid-October 2021, it became known that criminals had taken possession of a huge amount, $35 million, from a bank in the UAE by imitating the voice of the head of the bank using advanced artificial intelligence. They reportedly used a deepfake to mimic a legitimate commercial transaction linked to the bank.

In Spain, 16 fraudsters were arrested who stole about €276.5 thousand from bank customers

Spanish law enforcement officials arrested 16 people linked to the use of the Mekotio and Grandoreiro banking Trojans as part of a malicious campaign targeting financial institutions in Europe. This was reported on July 15, 2021.

Arrests were made in Ribeira (La Coruña), Madrid, Parla and Mostoles (Madrid), Seseña (Toledo), Villafranca de los Barros (Badajoz) and Aranda de Duero (Burgos) in Operation Aguas Vivas. Using malicious software installed on the victim's computer, criminals could transfer large amounts of money into their accounts, police said.

The police confiscated computer equipment, mobile phones and documents, and analyzed more than 1.8 thousand spam emails, which allowed law enforcement agencies to block transaction attempts totaling 3.5 million euros. The proceeds of the criminals amounted to 276,470 euros, of which 87 thousand euros were successfully returned.

Cyber fraudsters sent potential victims phishing emails allegedly on behalf of legitimate delivery services and government agencies such as the Spanish Treasury. In the letters, users were asked to follow a link that quietly downloaded malicious software to a computer system.

The Mekotio and Grandoreiro malware allows operators to intercept transactions on the bank's website and redirect funds without authorization to accounts under the control of cybercriminals. To carry out the fraud, the criminals hacked at least 68 email accounts belonging to official authorities.

Grandoreiro and Mekotio (also known as Melcoz) are part of the Brazilian banking Trojan family, which also includes Guildma and Javali malware. Operating since at least 2016, Grandoreiro has been used to attack users in Brazil, Mexico, Spain, Portugal and Turkey. Mekotio, on the other hand, was seen in attacks targeting Brazil starting in 2018, and then operators began attacking users in Chile, Mexico and Spain.

Mekotio allows its operators to steal passwords from browsers and device memory, providing remote access to Internet banking operations. The malware also contains functionality for stealing the addresses of bitcoin wallets.[5]

In the 1st quarter, 2.9 billion rubles (+ 57%) were stolen through unauthorized transfers

According to the Central Bank of the Russian Federation, in January - March 2021, fraudsters stole 2.9 billion rubles through unauthorized transfers. This is 57% more than in the first quarter of last year.

Of this amount, banks were able to return only 7.3% to customers. For comparison: in the first quarter of 2020, fraudsters stole 1.8 billion rubles, and banks returned 11.3%.

2020

Cybercriminals stole 9.77 billion rubles from the accounts of Russians

On April 12, 2021, the Bank of Russia reported an increase in losses of Russians from cyber fraudsters by 52% in 2020, to 9.77 billion rubles.

The return volume was 11.3%. In 2019, banks were able to reimburse customers 14.6% of the funds. Such data are provided in the annual review of the Information Security Department of the Bank of Russia.

As the Central Bank of the Russian Federation explained, credit organizations do not return money if the client violated the terms of the agreement on keeping payment information confidential.

At the same time, the total proportion of non-consensual operations performed using techniques and methods of social engineering decreased from 68.6 to 61.8%. The average amount of one operation without the consent of the client on the accounts of individuals in 2020 amounted to 11.4 thousand rubles, legal entities - 347.8 thousand rubles.

"The total amount of damage from theft through ATMs and terminals increased by 40.3% compared to the same indicator in 2019 and amounted to over 740.4 million rubles, while banks returned 9% of the stolen funds to customers (66.4 million rubles)," the Central Bank notes.

"In 2019, legal entities reported 4.6 million transactions to banks without consent for a total amount of 701 million rubles. In 2020, the volume of such operations increased by 45.5% compared to 2019 and amounted to 1.02 billion rubles, and the number of operations decreased by 36.4% - to 2.9 million," the regulator said.

The Central Bank classifies as cyber fraud all operations performed without the consent of customers using electronic means of payment. The regulator emphasizes that such crimes are often committed using social engineering methods, when fraudsters on the phone deceive their victims into handing over card or online banking data[6].

Sverdlovsk scammers stole 1 million rubles from the bank

Sverdlovsk scammers stole 1 million rubles from the bank using a unique scheme. This became known on 28 2020.

Three people suspected of embezzling money through overspending on credit were detained.

Employees of the special unit "K", together with the Main Investigation Department of the Main Directorate of the Ministry of Internal Affairs for the Sverdlovsk Region, detained three members of the cyber-fraud group, born in 1991, 1997 and 1998.

According to the press service of the Ministry of Internal Affairs of the Russian Federation, the group was allegedly engaged in theft of funds from one of the Yekaterinburg banks by unauthorized write-off of funds to pay for gasoline at gas stations in Yekaterinburg and the Sverdlovsk region.

The fraudulent scheme was as follows. The attackers inserted the fuel nozzle into a fuel container or into the fuel tank of a car, entered on the terminal display a refueling amount equal to the amount of money on the card, and thus authorized the fuel filling process. Once gasoline began to flow, the fraudsters used the personal account to switch the card from the account with a positive balance to an account without money. As a result, the bank was forced to allow an overdraft (overspending of credited funds) on the fraudsters' card and pay for the refueling at its own expense.

The fraudsters sold the gasoline to drivers, most often taxi drivers, for half the price. This happened at gas stations with automatic payment terminals. Using the above scheme, which the police had not previously encountered, the attackers stole more than 1 million rubles from the bank, committing 30 episodes of theft.
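The account switch described above can be reproduced in a simplified model that sets the weak authorization flow beside a hardened one. This is an added example, not the bank's system: the `Ledger` class, its method names, the account names and the amounts are all hypothetical, and reserving the funds at authorization is one possible fix assumed here.

```python
"""Model of the account-switch race in a pre-authorised fuel purchase.

Hypothetical ledger for illustration; all names and amounts are constructed.
"""
from decimal import Decimal


class InsufficientFunds(Exception):
    """Raised when an authorisation cannot be covered by the linked account."""


class Ledger:
    def __init__(self, balances):
        self.balances = {name: Decimal(value) for name, value in balances.items()}
        self.holds = {}          # auth_id -> (account, amount) reserved at authorisation
        self.card_account = {}   # card -> account the card is currently linked to
        self._next_auth = 1

    def link(self, card, account):
        """Customer-facing action: point the card at a different account."""
        self.card_account[card] = account

    def available(self, account):
        """Balance minus everything already reserved by outstanding holds."""
        held = sum(amt for acc, amt in self.holds.values() if acc == account)
        return self.balances[account] - held

    # Weak flow: the balance is only checked, and settlement follows whatever
    # account the card is linked to at settlement time.
    def authorise_check_only(self, card, amount):
        amount = Decimal(amount)
        account = self.card_account[card]
        if self.balances[account] < amount:
            raise InsufficientFunds(account)
        return {"card": card, "amount": amount}

    def settle_by_current_link(self, auth):
        account = self.card_account[auth["card"]]   # may not be the account that was checked
        self.balances[account] -= auth["amount"]    # fuel already dispensed: forced overdraft
        return account

    # Hardened flow: the amount is reserved on a specific account and the
    # settlement is bound to that reservation, not to the card's current link.
    def authorise_with_hold(self, card, amount):
        amount = Decimal(amount)
        account = self.card_account[card]
        if self.available(account) < amount:
            raise InsufficientFunds(account)
        auth_id = self._next_auth
        self._next_auth += 1
        self.holds[auth_id] = (account, amount)
        return auth_id

    def settle_hold(self, auth_id, final_amount):
        account, held = self.holds.pop(auth_id)
        final_amount = min(Decimal(final_amount), held)  # never capture more than was reserved
        self.balances[account] -= final_amount
        return account


def run_weak():
    """Switching the linked account mid-purchase leaves the bank with the debt."""
    ledger = Ledger({"funded": "2000", "empty": "0"})
    ledger.link("card-1", "funded")
    auth = ledger.authorise_check_only("card-1", "2000")
    ledger.link("card-1", "empty")      # switch made while the fuel is flowing
    ledger.settle_by_current_link(auth)
    return ledger.balances


def run_hardened():
    """The same sequence against a hold: the funded account pays."""
    ledger = Ledger({"funded": "2000", "empty": "0"})
    ledger.link("card-1", "funded")
    auth_id = ledger.authorise_with_hold("card-1", "2000")
    ledger.link("card-1", "empty")      # the switch no longer affects settlement
    ledger.settle_hold(auth_id, "2000")
    return ledger.balances


if __name__ == "__main__":
    print("weak:    ", run_weak())
    print("hardened:", run_hardened())
```

In the weak flow the funded account is untouched and the empty account ends at minus the purchase amount, which is the overdraft the bank had to cover; with the hold, the reserved funds also cannot be spent or authorized a second time while the purchase is open.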

The investigative unit of the Main Investigative Directorate of the Main Directorate of the Ministry of Internal Affairs of Russia in the Sverdlovsk Region initiated a criminal case on the grounds of corpus delicti under paragraph "d," part 3 of Art. 158 of the Criminal Code of the Russian Federation ("Theft from a bank account"). The sanction of the article provides for the maximum punishment in the form of imprisonment for up to 6 years.

The judge of the Verkh-Isetsky court imposed on the members of the criminal group a preventive measure in the form of house arrest for 2 months. As of the end of October 2020, the investigation continues and additional episodes of theft are being established[7].

In January-August, the number of thefts from bank accounts amounted to 107.2 thousand.

In January-August 2020, the number of thefts from bank accounts amounted to 107.2 thousand, which is twice as much as the indicators of the same period in 2019. This became known on October 14, 2020. Such incidents began to be recorded two or more times more often in 35 subjects, according to the data of the General Prosecutor's Office.

They note that every fifth theft in Russia involves the theft of money from citizens' accounts. Also, over eight months of 2020, the number of cases of fraud committed using electronic means of payment doubled.

In total, 20.8 thousand such crimes were recorded, and growth is observed to varying degrees in 90% of the regions. In absolute terms, the largest numbers are in the Saratov (2.2 thousand) and Omsk (1.7 thousand) regions, according to the report. The materials of the Prosecutor General's Office do not indicate how much money was stolen by fraudsters.

The Central Bank told the publication about an increase in the activity of hacker groups in 2020, but said the effectiveness of attacks on banks did not increase compared to 2019. It did not answer the question about the total amount of damage caused by fraudsters to customers of banks and other financial services[8].

Tens of millions stolen from Japanese postal bank through mobile operator app

At the end of September 2020, the Japan Post Bank announced that about 60 million yen ($570,000) had been stolen from customer accounts, that is, three times more than originally estimated. The bank also warned that the damage could be even greater.

2019

From March to May, attackers stole more than $837 thousand from 8 Belarusian banks

On August 3, 2020, it became known that employees of Department "K" of the Ministry of Internal Affairs of Belarus had stopped the activities of four international cybercriminal groups. A total of 10 hackers were detained. From March to May 2019, attackers stole more than $837 thousand from 8 Belarusian banks.

Prosecutor General: 232 billion rubles stolen from bank accounts and electronic wallets for the year

More than 232 billion rubles were stolen in 2019 from bank accounts and electronic wallets of Russians. This is stated in the analysis of the state of crime in the annual report of the Prosecutor General in June 2020. In 2018, the figure was 171.4 billion rubles. The Bank of Russia previously stated that 6 billion rubles were stolen from accounts.

Central Bank: fraudsters in 2019 stole 6.4 billion rubles from bank customers

Fraudsters in 2019 stole 6.4 billion rubles from customers of Russian banks, and the "average check" when stealing money from citizens amounted to 10 thousand rubles, FinCERT (Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector of the Bank of Russia) reported on February 19, 2020.

Most transactions without the consent of customers - individuals fell on transactions to pay for goods and services on the Internet (CNP transactions), the study says.

In 2019, banks reimbursed the victims only 15% of the stolen funds - about 1 billion rubles. Online banks and mobile applications were subjected to hacker attacks 160.8 thousand times; here the damage amounted to 2.27 billion rubles. In 877 cases over the year, the thefts were committed by bank employees.

69% of transactions performed without the consent of customers were carried out using social engineering methods - as a result of prompting the client to conduct a transaction or due to breach of trust. A year earlier, the share of these operations reached 97%.

The highest share of social engineering (88%) was recorded in remote banking: customers lost 2.22 billion rubles (an average of 14,000 rubles per transaction) and got back every 14th stolen ruble. Citizens were least often targeted by fraudsters when using ATMs and terminals - 40,000 cases totaling 525 million rubles (13,000 rubles per transaction). In only a quarter of these cases did cardholders themselves disclose confidential payment information to fraudsters, so the refund rate is higher here - 10%.

Due to the high share of social engineering in the total volume of operations performed without the consent of customers, the Bank of Russia intends to consider the possibility of changing the procedure for returning stolen funds, according to the FinCERT review.[9]

Damage to Russian banks from cyber attacks decreased by 85%

For the 12-month period ending in June 2019, the damage to Russian banks from cyber attacks amounted to 510 million rubles, which is 85% less than in the same period a year earlier. This was announced at the end of November 2019 by Group-IB.

In the second half of 2018 and in the first half of 2019, the amount of damage from all types of cybercrimes using malicious programs aimed both directly at banks and their customers was measured in the amount of 3.2 billion rubles.

Group-IB: financial cybercrime damage shrank 85% over the year

At the same time, experts noted a growing number of cases of compromise of bank card data. During the study period, we are talking about an amount of 56 billion rubles, which is a third more than a year ago.

The number of compromised cards posted on specialized forums increased by 38%, to 43.8 million. The contents of magnetic strips of cards - dumps - make up 80% of the carding market, there are 46% more of them.

In addition, theft and sales of text card data are increasingly common - number, CVV, validity period. The price of them began to rise, while the cost of dumps decreased. The cheapest on the market are the data of American banks, the most expensive are the card data of European banks.

Russian cards are in the middle price segment and are not yet so common. JS sniffers, which are becoming more numerous than banking Trojans, are a new trend that is increasing the volume of text bank card data on sale. The threat will be relevant primarily for countries where the 3D Secure system is not widespread. Phishing also remains a common and so far the most "long-playing" method of obtaining card data.

According to Anton Yudakov, operational director of the Solar JSOC Center for Monitoring and Responding to Cyber Attacks of Rostelecom, it is more profitable for attackers to attack not the banks themselves but their clients, since the banking infrastructure is well protected and capable of detecting attacks in the early stages.

Belarusian stole 630 thousand euros from banks and returned money with bitcoins

On November 12, 2019, the Investigative Committee of Belarus announced the investigation of a criminal case on embezzlement of funds from accounts of foreign banks. A 28-year-old resident of Grodno, involved in the crimes, was arrested with the assistance of the American FBI.

According to the investigation, the man gained access to other people's accounts and transferred money to accounts under his control, registered to front persons, after which he cashed it out. With the money received illegally, the accused acquired bitcoins.


In addition, the hacker bought a car and real estate with the stolen money and invested in his own business - a cafe. There are also cases in which the man bought goods and services using the details of other people's bank payment cards, the press service of the Investigative Committee reports.

Investigators are aware of more than 60 criminal episodes. The accused provided access to crypto wallets for conducting operations to withdraw bitcoins and seize the amount received - more than 630 thousand euros.

Other funds, property and real estate of the man, with a total value exceeding 100 thousand euros, were also seized.

He was charged under Part 4 of Article 212 (theft using computer equipment on an especially large scale) of the Criminal Code of the Republic of Belarus. The accused was taken into custody, where he will wait for the trial.

The hacker fully admitted his guilt and at the stage of the preliminary investigation concluded a pre-trial cooperation agreement, and also took measures to compensate for the damage caused and return the illegally received income. 94 bitcoins were found on cryptocurrency wallets controlled by the 28-year-old Belarusian. As of November 12, 2019, the investigation of the criminal case continues.[10]

Android-Trojan Fanta stole 35 million rubles. from bank cards of Russians

On September 17, 2019, the company Group-IB announced that its specialists had recorded a campaign of the Android Trojan FANTA attacking customers of 70 banks, payment systems and web wallets in Russia and the CIS countries. The Trojan targets users who post buy-sell ads on the Internet service Avito. Since the beginning of 2019 alone, the potential damage from FANTA in Russia amounted to at least 35 million rubles.

Sentenced cybercriminals who stole 1 billion rubles from Russian banks

On February 8, 2019, it became known that a verdict had been passed on twelve cybercriminals who stole about 1 billion rubles from Russian banks. According to the decision of the Meshchansky Court of Moscow, depending on the severity of the crime committed, the accused were sentenced to imprisonment in general and strict regime colonies, as well as to suspended sentences.

In accordance with the role each played in the criminal community, the defendants were accused of creating a criminal community and participating in it (Article 210 of the Criminal Code), fraud in the field of computer information (part 4 of Article 159.6 of the Criminal Code) and theft on an especially large scale (part 4 of Article 158 of the Criminal Code). The prosecutor's office requested terms for them from 6.5 years in a general regime colony up to 12 years in a strict regime colony. For the creator of the community, Ukrainian programmer Yuri Lysenko, the prosecution demanded a term of 15 years.

According to the verdict, the criminals received from 5 years of general and up to 13 years of strict regime. Two people were sentenced to 6 years probation.

The cybercriminal group began operations in 2014. According to the investigation, the criminals modified legitimate software for processing payment orders in such a way as to withdraw funds from the accounts of bank customers and then restore the balance at the expense of the banks themselves.

According to the prosecution, the group was a complex criminal community consisting of three separate groups. For security reasons, the members of the community did not contact each other. Lysenko rented an apartment in Moscow specifically for the needs of the group, where all the necessary equipment was located and information was exchanged. From each operation, Lysenko took 80% of the "earnings," and the remaining 20% went to accomplices[11].

2018

Central Bank: fraudsters stole over 1 billion rubles from cards of individuals

On March 29, 2019, it became known that in recent months the Central Bank had recorded a surge in unauthorized transactions on bank customer accounts. In most cases, thefts occur through calls from substituted numbers, and scammers use social engineering methods to mislead people.

The total amount stolen from the cards of individuals in 2018 amounted to 1.4 billion rubles, which is 1.4 times more than in 2017, according to the statistics of the Central Bank. Almost a third of thefts occurred in the last quarter of the year, and 97% of attacks were carried out using social engineering - a method of obtaining information based on the features of psychology and sociology.

In 2019, fraudsters became even more active and began to use technology for substituting the bank's telephone number (the so-called A-number) in calls made via the Internet. The number of the real bank is displayed on the potential victim's phone screen, and the client is told about an alleged attempt at unauthorized debiting of funds; the caller names the client's name, passport number, account balance and even the latest transactions.

Then the criminals offer a scheme for "protecting funds": the money needs to be transferred to a special account, or the client must provide complete card information, the code word or data from an SMS. Often a client, confused by information that only the bank can know, tells the stranger on the phone everything they are asked for. And after that, the theft occurs.

"The January attack on Sberbank customers, when the attackers already knew passport data and account balances, was more effective. And it became possible only thanks to the access of cybercriminals to bank secrecy," Ashot Hovhannisyan, founder of DeviceLock (specializing in protecting personal data), told the publication. "'Punching' data on a specific person is available on the black market, and you can get information about the balances in his accounts or transactions for a little money by phone number or full name of the cardholder."

Fraudsters can also find out information about the client's account balance and latest transactions by calling the bank's automated information service under the guise of the client (using the same A-number substitution technology).

"The client's phone number in many banks allows you to pass the primary level of identification when calling and gain access to such information," confirms Sergey Chernokozinsky, head of the information security department of OTP-Bank.

Judging by the official warnings from banks (Sberbank, Raiffeisen Bank, Unicreditbank and others), the problem is relevant. Bankers want to share responsibility and efforts to change the situation with telecom operators. MTS said in a statement that a solution protecting against the substitution of 800 numbers has already been implemented. VimpelCom (the Beeline brand) is also preparing its technical solution against number substitution. MegaFon assured that for more than a year it has been assisting banks in protecting against fraud that involves changing the caller's number to the bank's official number when calling customers. In the meantime, citizens are advised not to disclose the CVV2 from the back of the card, including when asked to enter or dictate the digits through an automated information service. The same applies to the code word or password from an SMS[12].

Cybercriminals stole 25 million rubles from Binbank

The prosecutor's office of the Zasviyazhsky district approved the indictment in the case of major cyber fraud in Binbank. During the preliminary investigation, it was found that in May 2018 an unemployed resident of Ulyanovsk, I., born in 1988, with the help of an unidentified employee of Binbank, gained access to the bank's computer information, illegally increased the limit on funds on his payment card and withdrew more than 25 million rubles from it. This was announced on January 10, 2019 by the mosaica.ru portal with reference to the senior assistant to the prosecutor of the Zasviyazhsky district of Ulyanovsk, Larisa Ignatieva.

Cybercriminals stole several tens of millions of dollars from 8 European banks

In 2017-2018 Kaspersky Lab experts were involved in the investigation of several cyber attacks by banks, during which malware penetrated the corporate network from an unknown device, literally planted by cybercriminals, which became known on December 5, 2018. Subsequently, a similar type of attack was called DarkVishnya. As of December 2018, at least eight banks in Eastern Europe were known to have been robbed in this way, and the approximate damage from the incidents amounted to several tens of millions of dollars.

In each recorded case, in order to launch an attack, the cybercriminals "threw" their device into the organization's building and physically connected it to the company's corporate network. According to Kaspersky Lab specialists, the attackers used three types of gadgets: a laptop, a Raspberry Pi (a single-board computer the size of a credit card) and a Bash Bunny (a purpose-built tool for automating and conducting USB attacks). These devices could additionally be equipped with a GPRS, 3G or LTE modem to provide remote access to the organization's corporate network.

During the attacks, the cybercriminals tried to gain access to shared network folders, web servers, and so on. They used the stolen data to connect to servers and workstations used for making payments or containing other information useful to the attackers. After gaining a foothold in the financial institution's infrastructure, the attackers used legitimate remote-control software. Because they relied on fileless methods and PowerShell, they bypassed whitelists and domain policies. Other tools used by the attackers were Impacket, as well as winexesvc.exe or psexec.exe for remotely running executables. The funds were then withdrawn, for example, through ATMs.

Sergey Golovanov, leading antivirus expert at Kaspersky Lab[13]:
Over the past year and a half, we have observed a fundamentally different type of attacks on banks - quite sophisticated and difficult in terms of detecting cybercriminals. As a rule, the entry point to the corporate network in DarkVishnya operations remained unknown for a long time, since it could be located in any of the offices located in different regions and even countries. And an unknown device planted and hidden by attackers could not be found remotely. The search was complicated by the fact that the attacks used standard utilities. To protect against this unusual pattern of digital robberies, we advise financial institutions to take an extremely responsible approach to cybersecurity, in particular, pay special attention to controlling connected devices and access to the corporate network.
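The DarkVishnya cases above leave two things a defender can look for: a device nobody registered appearing on the network, and services installed by winexesvc.exe or psexec.exe. The following is an added example, not code from Kaspersky Lab or from the original article; it checks constructed DHCP lease records against an asset inventory and scans constructed service-installation records for those tool names. The record layouts, the inventory, the vendor prefixes and the PSEXESVC.exe name (the service binary PsExec installs) are assumptions of the example.

```python
"""Flag unregistered devices and remote-execution service installs (constructed data)."""
import csv
import io
import ntpath

# Constructed asset inventory: MAC addresses the organisation has registered.
INVENTORY = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f", "3c:52:82:aa:bb:01"}

# OUI prefixes registered to Raspberry Pi. A hint only: a MAC address can be changed.
VENDOR_HINTS = {
    "b8:27:eb": "Raspberry Pi",
    "dc:a6:32": "Raspberry Pi",
    "e4:5f:01": "Raspberry Pi",
}

# Constructed DHCP lease export: time, office, MAC, IP, hostname.
DHCP_LEASES = """\
2018-03-02T08:14:11,branch-07,00:1A:2B:3C:4D:5E,10.7.0.21,ws-teller-01
2018-03-02T19:42:53,branch-07,B8-27-EB-12-34-56,10.7.0.88,
2018-03-03T07:58:02,hq-02,3c:52:82:aa:bb:01,10.2.0.15,ws-ops-04
2018-03-03T21:05:40,branch-11,9C:B6:D0:01:02:03,10.11.0.60,DESKTOP-X1
"""

# Constructed service-install records (the fields of Windows event 7045):
# time, host, service name, image path.
SERVICE_INSTALLS = """\
2018-03-04T02:11:09,srv-pay-01,winexesvc,C:\\Windows\\winexesvc.exe
2018-03-04T02:13:47,srv-pay-01,PSEXESVC,C:\\Windows\\PSEXESVC.exe
2018-03-04T09:00:00,ws-ops-04,Spooler,C:\\Windows\\System32\\spoolsv.exe
"""

# Binaries named in the article, plus PSEXESVC.exe (assumption, see lead-in).
REMOTE_EXEC_BINARIES = {"winexesvc.exe", "psexec.exe", "psexesvc.exe"}


def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, whatever separator was used."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def unknown_devices(lease_csv, inventory):
    """List every lease whose MAC is absent from the inventory."""
    known = {normalize_mac(mac) for mac in inventory}
    findings = []
    for ts, site, mac, ip, host in csv.reader(io.StringIO(lease_csv)):
        mac = normalize_mac(mac)
        if mac in known:
            continue
        findings.append({
            "time": ts,
            "site": site,          # tells responders which office to search
            "mac": mac,
            "ip": ip,
            "hostname": host or None,
            "vendor_hint": VENDOR_HINTS.get(mac[:8]),
        })
    return findings


def remote_exec_installs(event_csv):
    """List service installs whose binary is a known remote-execution tool."""
    hits = []
    for ts, host, service, image in csv.reader(io.StringIO(event_csv)):
        if ntpath.basename(image).lower() in REMOTE_EXEC_BINARIES:
            hits.append({"time": ts, "host": host, "service": service, "image": image})
    return hits


if __name__ == "__main__":
    for device in unknown_devices(DHCP_LEASES, INVENTORY):
        print("UNREGISTERED DEVICE", device)
    for hit in remote_exec_installs(SERVICE_INSTALLS):
        print("REMOTE EXEC SERVICE", hit)
```

A planted device can clone a registered MAC address, so this inventory check complements port-level access control such as 802.1X and does not replace it.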

Sberbank saved 32 billion rubles of customer funds from cyber fraudsters

On November 29, 2018, it became known that Sberbank summed up the preliminary results of 2018 in the field of cybersecurity. According to the company, Sberbank saved 32 billion rubles of customer funds from cyber fraudsters. In November 2018, social engineering became the most common type of cyber fraud - more than 80% of the cases recorded by Sberbank in 2018 fell on this method of obtaining unauthorized access to information, based on the use of human weaknesses. At the same time, as of November 2018, 86% of all cases of social engineering amounted to "self-transfers" of funds under the influence of fraudsters. Read more here.

Theft of over 21 million rubles from a Yakut bank

On November 20, 2018, it became known that specialists from the Central Bank of the Russian Federation and the Investigative Department of the Ministry of Internal Affairs completed a preliminary investigation into the embezzlement of 21.5 million rubles from one of the banks in Yakutia.

The press center of the Ministry of Internal Affairs did not disclose the name of the affected financial organization. According to the ministry, in July 2017, two citizens of a neighboring state with unidentified accomplices using malware received remote access to the bank's systems and its ATMs and stole 21.5 million rubles. The funds were converted into cryptocurrency and withdrawn abroad.

A criminal case has been instituted against two members of a criminal group under Part 3 of Art. 272, part 2 of Art. 273 and part 4 of Art. 159.6 of the Criminal Code. The case was transferred to the Yakutsk City Court of the Republic of Sakha for consideration on the merits.

As of November 20, together with law enforcement agencies of a number of European countries and Interpol, a preliminary investigation continues against other members of the criminal group. [14]

Hacking of payment card system at Bank Islami and theft of $6.5 million

On October 8, 2018, the Pakistani Bank Islami reported a hack of its own payment card systems. As a result of the incident, the attackers managed to steal $6.5 million, but the financial organization denies this information. The Bank Islami hack is a major cyber attack in Pakistan.

How scammers disguised as "ethical hackers" extorted money from banks in Russia

Group-IB experts, together with representatives of the Department "K" of the Ministry of Internal Affairs of the Russian Federation and the security service "Post Bank," exposed a group of swindlers who, posing as "ethical hackers," traded access to customer accounts of banks, online stores and insurance companies. The attackers were detained, Group-IB said in a statement on October 26, 2018.

As it turned out following the investigation, fraudsters were actively engaged in hacking end-user accounts in certain services. Having gained access to them, the attackers sent letters to the security service of the organization, whose clients were the victims, about the identification of a vulnerability in the corporate infrastructure. As evidence, the hackers presented information about the accounts they had compromised and asked (or rather, demanded) a reward in the amount of 40 to 250 thousand rubles.

An example of a letter from cybercriminals posing as "ethical hackers" (White Hat)

But this money, apparently, was not enough for them, so the hackers also sold the stolen account access data on hacker forums, Group-IB emphasized.

According to confirmed data alone, at least ten companies became victims of the group, but the real number of affected organizations is much higher, Group-IB said in its statement.

The investigation began after Pochta Bank received a letter demanding payment of remuneration for disclosing information about alleged vulnerabilities in the remote banking system.

In fact, these vulnerabilities in the bank's infrastructure were absent. There were no other organizations that confirmed the receipt of letters from this group.

During the investigation, experts from Group-IB and Post Bank studied the "digital traces" and found out that the members of the group of fraudsters live in different regions of the Russian Federation. All information about them was transferred to law enforcement agencies.

As a result, the police detained several young people aged 18-21 years. Based on the materials of the investigation, criminal cases were initiated under Art. 272 of the Criminal Code of the Russian Federation (Illegal access to computer information). As of October 26, the detainees are testifying.

For "ethical hackers" (White Hat), searching for vulnerabilities in the public infrastructure of digital services or software packages and receiving rewards for informing developers about found errors is a completely legitimate way to make money: many large developers even specifically allocate funds for vulnerability search programs (Bug Bounty), - said Oleg Galushkin, director of information security at SEQ (formerly SEC Consult Services). - But in this case, however, there was a deliberate fraud. It was not about vulnerabilities in the infrastructure of affected companies, but about weak protection of user devices. It is possible that these attackers had experience in conducting penetration tests or have a good idea of how such tests are carried out, but they did not use this knowledge for ethical purposes.

The expert also noted that companies that received letters about identifying vulnerabilities risk suffering from the activities of fraudsters much more than it seems at first glance: the sale of their client data on hacker forums can lead to large financial losses.

Group-IB: Damage to the financial sector of Russia from hacker attacks amounted to 2.96 billion rubles

On October 10, 2018, it became known that in 2017-2018 hackers caused damage to the financial sector of Russia in the amount of 2.96 billion rubles. This is stated in the annual Group-IB report "Hi-Tech Crime Trends 2018." According to the study, as of October 2018, hackers manage to steal money from 1-2 banks every month, with the damage from one successful theft averaging $2 million.

Financial motivation still prevails among cybercriminals who attack banks, but theft of money is not the worst thing that can happen to a financial institution. Since banks are critical infrastructure in many countries of the world, they have been among the targets for pro-state hacker groups specializing in sabotage and sabotage. One successful cyber attack can lead to both the liquidation of the credit and financial institution itself and the collapse of the state's financial system. In this regard, banks should reconsider the approach to the system of protection against cyber threats: the defensive strategy has already exhausted itself. It's time to become a hunter, not a target for attacks.

Ilya Sachkov, CEO and Founder of Group-IB

Group-IB identifies four criminal hacker groups that pose a real threat to the financial sector: they are able not only to penetrate the bank's network, get to isolated financial systems, but also successfully withdraw money through SWIFT, CBD AWS, card processing and ATMs. We are talking about the groups Cobalt, MoneyTaker, Silence, consisting of Russian-speaking hackers, as well as the North Korean Lazarus.

Only two criminal groups pose a threat to the SWIFT interbank transfer system: Lazarus and Cobalt, the latter at the end of 2017 for the first time in the history of the Russian financial sector conducted a successful targeted attack on the bank using SWIFT. According to Group-IB estimates, the number of targeted attacks on banks for theft through SWIFT has tripled over the reporting period. If over the past period only three similar attacks were recorded: in Hong Kong, Ukraine and Turkey, then in this period there were already 9 successful attacks in Nepal, Taiwan, Russia, Mexico, India, Bulgaria and Chile. The good news is that in the case of SWIFT, most of the unauthorized transactions can be stopped in time and returned to the affected banks.

Attacks on card processing are still one of the main methods of theft and are actively used by hackers from Cobalt, MoneyTaker and Silence. In February 2018, Silence members successfully attacked a bank and stole money through card processing: they managed to withdraw 35 million rubles from cards through ATMs of a partner bank. Focusing attacks on ATMs and card processing has reduced the average damage from a single attack. However, it allows attackers to carry out these attacks more safely for the "drops" who cash out the stolen money. The attackers are in one country, their victim (the bank) is in another, and the cashing out takes place in a third.

The money withdrawal through the AWS of the CBD (automated workplace of the Bank of Russia client) is actively used by the MoneyTaker group - if in November 2017 they managed to withdraw only 7 million rubles, then in the summer of 2018 they successfully stole 58 million rubles from PIR-Bank. Recall that as of October 2018, MoneyTaker has 16 attacks in the United States, 5 on Russian banks and 1 in the UK. In the US, the average damage from a single attack is $500,000. In Russia, the average amount of funds withdrawn is 72 million rubles. In December 2017, Group-IB published the first report on this group: "MoneyTaker: a year and a half below the radar."

Attacks on payment gateways for the designated period were carried out only by the Cobalt group. At the same time, in 2017, they stole money from two companies in this way, and in 2018 they did not make a single attempt. At the same time, they were assisted in carrying out one of the attacks by members from the Anunak group, which has not carried out such attacks since 2014. Despite the arrest in Spain of the group's leader in the spring of 2018, Cobalt remains one of the most active and aggressive groups, consistently attacking financial institutions in Russia and abroad 2-3 times a month.[15]

Hackers withdrew $100 thousand from ZhilFinance Bank through the gateways of payment systems

In September 2018, the Housing Finance Bank (BGF) became a victim of the Cobalt group. According to the Kommersant newspaper on October 3, 2018, the attackers managed to withdraw about $100 thousand from the bank through the gateways of payment systems. According to the information provided to Kommersant by law enforcement agencies, three more credit organizations have been infected, the names of which have not been disclosed. In all affected banks, law enforcement officers revealed "a low level of information security, the absence of Russian antiviruses, licensed software, updates." Read more here.

Yekaterinburg hackers stole 1.2 billion rubles from banks

Residents of Yekaterinburg Konstantin M. and Igor M. are accused of participating in a criminal group that carries out large fraudulent operations in the field of computer information.

According to the investigation, together with accomplices, the criminals developed and distributed over the Internet malware with the help of which they managed to gain unauthorized access to the accounts of clients of various credit institutions. In total, the group stole 1.2 billion rubles.

In addition to other people's bank accounts, the attackers also managed to gain access to the database of the Yekaterinburg Koltsovo airport, the website banki.ru reports.

The Prosecutor General's Office charged the men with participation in a criminal community, fraud on an especially large scale, unlawful access to computer information, as well as the creation, use and distribution of malicious computer programs.

The criminal case against Konstantin M. and Igor M. was sent to the Kirovsky District Court of Yekaterinburg. Detention was chosen as a preventive measure for the accused.

Hackers stole 58 million rubles from PIR Bank

PIR Bank lost more than 58 million rubles as a result of a hacker attack, Kommersant reported in July 2018, citing sources. The publication calls this the first cyber attack on Russian banks in 2018.

Hackers withdrew money from the correspondent account of PIR-Bank in the Central Bank, gaining access to the automated workplace of the Bank of Russia client (AWS KBR). Earlier, the Central Bank assured that there would be no more successful attacks on the AWS of the CBD, Kommersant notes.

The PIR Bank confirmed the fact of the attack. The head of the bank, Olga Kolosova, said that the stolen funds were withdrawn to plastic cards of individuals in the 22 largest Russian banks and cashed out in different regions of the country. According to her, the exact amount of damage is still unknown.

Read more: Group-IB: PIR Bank was attacked by hacker group MoneyTaker

Cyber fraudsters stole more than 9 million rubles from banks in the Khabarovsk Territory

In the Khabarovsk Territory, law enforcement agencies detained a resident of Komsomolsk-on-Amur and two of his accomplices on charges of embezzling more than 9 million rubles with the help of special technical means. This was reported by the press service of the Ministry of Internal Affairs for the region[16][17][18].

As follows from the case file, the attackers stole money using special devices for reading bank card data. In addition, using access to cards of a foreign bank, the criminals tried to steal over 23 million rubles from the accounts of their holders.

During searches at the place of residence of the accused, police officers seized seals, various documents, computer equipment, a device for reading bank cards, 15 cell phones, 200 bank cards, of which about 100 are duplicates.

The investigation is now complete. A criminal case was initiated against the attackers on the grounds of crimes under Part 3 of Art. 30, part 4 of Art. 159 "Attempted fraud," part 3 and part 4 of Art. 158 "Theft." The case was sent to the court for consideration on the merits.

Sberbank: losses of the Russian Federation from cybercrime in 2018 may reach 1 trillion rubles

Currently, Russia's GDP is estimated at about 92 trillion rubles. Thus, the losses of the economy from cybercrime can exceed 1% of GDP.

Losses of the Russian economy from cybercrime in 2018 could grow significantly - up to 1 trillion rubles, Stanislav Kuznetsov, deputy chairman of the board of Sberbank, said in an interview with RIA Novosti on the sidelines of the St. Petersburg International Economic Forum (SPIEF) on May 24.

In 2017, Sberbank estimated economic losses at 600-650 billion rubles.

"We are now preparing an analytical study for the International Congress on Cybersecurity, which will be held in July; it will be devoted to the analysis of cyber risks in different countries of the world. According to our estimates, the Russian economy may lose at least 1 trillion rubles by the end of 2018," Kuznetsov said.

According to him, such a figure is quite real, but it can be changed downward if a breakthrough is made in matters of information protection of individuals and businesses. The number of crimes of a fraudulent nature using social engineering methods in Russia is not decreasing.

Fake banking application allowed to steal up to 500 thousand rubles daily

Department "K" of the Ministry of Internal Affairs of Russia, with the active assistance of Group-IB, an international company specializing in the prevention of cyber attacks and the development of information security products, detained a 32-year-old resident of the Volgograd region accused of embezzlement from customers of Russian banks with the help of an Android trojan. From 100 thousand to 500 thousand rubles a day were stolen from users, while part of the stolen money was transferred to cryptocurrency for further cashing out and concealment of the criminal activity, Group-IB reported on May 24, 2018.

Analyzing the "digital traces" of the committed thefts, Group-IB specialists found out that the banking Trojan used in the criminal scheme was disguised as the financial application "Banks in the palm of your hand," which acts as an "aggregator" of mobile banking systems of the country's leading banks. You could download all your bank cards into the application so as not to carry them with you, but at the same time be able to view the balance of cards based on incoming SMS for all transactions, transfer money from card to card, pay for online services and purchases in online stores. The application was distributed through spam mailings, on forums and through the official Google Play store. For the first time, the activity of this malicious program was recorded in 2016. Presumably, a group of intruders was behind the "aggregator."

The attackers acted as follows. Attracted by the capabilities of the financial aggregator, bank customers downloaded the "Banks in the palm of your hand" application and entered their card data. The running Trojan sent bank card details or Internet banking logins and passwords to the cybercriminals' server. After that, the attacker transferred money to pre-prepared bank accounts in amounts from 12 to 30 thousand rubles per transfer, entering the SMS code for confirming the operation, intercepted from the victim's phone. The users themselves did not suspect that they had become victims of cybercriminals: all SMS confirmations of transactions were blocked. On average, from 100 thousand to 300 thousand were stolen daily, and by the beginning of 2018, the amount of damage increased to 500 thousand rubles a day.

During the investigation, operatives of Department "K" of the Ministry of Internal Affairs of Russia tracked down the "filler," one of the participants in the criminal scheme, who directly transferred money from users' accounts to the cards of the attackers. He turned out to be a 32-year-old unemployed resident of the city of Volzhsky, previously convicted under Art. 222 of the Criminal Code of the Russian Federation (illegal arms trafficking). In May 2018, the suspect was detained. During the search, 130 thousand rubles, SIM cards and the bank cards that received the stolen funds were seized from him. The suspect confessed. He was charged under Articles 159 and 174 of the Criminal Code of the Russian Federation. An investigation is underway.

Hackers stole hundreds of millions from banks in Mexico

Over the past few weeks, a number of Mexican banks have been targeted by hackers who stole huge amounts of money. According to Reuters in the spring of 2018, using fake requests, the attackers transferred funds to fake accounts, and then quickly cashed them out. Hackers sent hundreds of fake requests to transfer amounts from tens of thousands to hundreds of thousands of pesos from Mexican banks to shell accounts in other banks, after which they quickly cashed them in dozens of bank branches[19].

According to one Reuters source, cybercriminals stole more than 300 million pesos (about $15.4 million), but El Financiero cites a figure of 400 million pesos. It is also unclear how much the attackers managed to cash out, since some fraudulent transactions were blocked, the source said.

According to the head of the Central Bank of Mexico, Alejandro Diaz de Leon, Mexico faced such a large-scale attack on the payment system for the first time. It is too early to talk about stopping attacks, Diaz de Leon notes, but banks are doing everything possible to repel and prevent them.

The head of the Mexican Central Bank does not specify the names of the affected financial organizations and the amount of the stolen amounts. The data obtained to date indicate that banks have become victims of cyber attacks. According to one of the sources, the illegal transfer of such large amounts could not do without the participation of insiders in bank branches. The interbank messaging system [20] remained intact, and hackers probably attacked bank software for connecting to the payment system, developed by the organizations themselves or third-party contractors.

2017

Central Bank: hackers were able to steal 16 kopecks from Russian banks for one thousand rubles in 2017

In 2017, hackers stole only 16 kopecks for one thousand rubles from Russian banks. This was announced in February 2018 by Artem Mikhailovich, Deputy Head of the Main Directorate for Security and Information Protection of the Bank of Russia, in an interview with RIA Novosti. 

Artem Sychev also advised banks "to actually, and not formally comply with the Bank of Russia's cybersecurity requirements." At the same time, he called last year positive, as the trend towards a decrease in the volume of money lost by customers and banks has intensified. "This figure was 28 kopecks per thousand rubles, according to the results of last year - only 16 kopecks," he said. Also, the deputy head of the Central Bank department noted that Russian banks detected cyber attacks more often last year. "We cannot say that the number of attacks has increased over the past year, but we can say for sure that the detection rate of attacks has increased," Sychev said.

A day of downtime due to a cyber attack can cost the bank 50 million rubles

Cost of downtime day

A day of downtime due to a cyber attack can cost the bank 50 million rubles - this is how 30% of the Russian credit institutions surveyed by Positive Technologies for the study "How much is security" estimate their losses.

The remaining banks participating in the survey estimated the possible damage from a failure of the corporate infrastructure lasting one day as follows: from 10 to 50 million rubles - 7% of respondents, from 2 to 10 million rubles - 25%, and from 0.5 to 2 million rubles - 38%.

Recovery costs

In addition to direct financial losses from the cyber incident, Positive Technologies also cited estimates of the cost of restoring corporate infrastructure after all domain resources are disabled. 12% of banks estimate the recovery at 10 to 50 million rubles, and every third bank (33%) is ready to spend from 2 to 10 million rubles on these measures.

Damage from cyber attacks

Web applications play a critical role for today's financial institutions. The inability to make a transfer or payment through an online bank even within one day will cause discontent among customers. Most banks (52%) believe that the inaccessibility of a key web application within one day can cause damage in the amount of 2‒10 million rubles. At the same time, the attacker will spend much less money on such an attack. According to the authors of the study, the cost of an attack on web resources within an hour on the darknet is estimated at about $5, during the day - at $300.

Of no less concern to banks is the threat of database theft. More than half of the survey participants (53%) estimated the losses from the theft of the customer database by a competitor at more than 50 million rubles.

Budget and Protective Equipment

Some banks that took part in the study stood out from the rest of the companies in terms of the budget for information security, which averaged 80‒150 million rubles. For comparison, most financial institutions are limited to amounts of 20-40 million rubles.

The study showed that the banking industry is the only one in which 100% of companies teach employees the basics of information security. In addition, information security awareness-raising should be carried out in accordance with the recommendations of the Bank of Russia and the requirements of the international PCI DSS standard.

In financial organizations from the top 10 (according to the allocated budget for information security), modern approaches to protection are used, but in other banks the situation is not so rosy. Thus, application-level firewalls (Web Application Firewall) are used to protect web applications by only 70% of the top 10 by information security budget and by only 13% of the rest. At the same time, all banks from the top 10 and only 40% of the rest have their own security operations centers (Security Operations Center). 37% of all financial institutions that participated in the study sometimes involve third-party experts to investigate incidents, with most having an internal SOC unit. SIEM systems are used by 65% of financial companies (among banks from the top 10 in terms of information security budget, this figure is 100%). 25% of respondent banks do not have control over the installation of software updates, and 8% do not track the emergence of information about new vulnerabilities (0-day). In addition, 10% of financial institutions have never conducted penetration testing or comprehensive information security audits, despite PCI DSS 3.2 requirements and Bank of Russia recommendations.

Six Protection Components

Positive Technologies has identified six security components that, in addition to standard protection tools, make it possible not only to comply with regulatory requirements but also to confidently resist cybercriminals. Among them: regular penetration tests, readiness to respond to incidents, control of the network perimeter, the presence of WAF and SIEM, and training of employees in the basics of information security. It turned out that only 13% of the surveyed banks use a similar integrated approach to protection against cyber threats. However, in other industries the result is even worse - there are no such companies at all.

The banking industry understands better than others the possible losses from an insufficient level of security, - said Evgeny Gnedin, head of information security analytics at Positive Technologies. - It cannot be otherwise - every high-profile incident related to theft of customer databases or logical attacks on ATMs and processing is damage of tens and hundreds of millions of rubles. FinCERT's work helps to quickly respond to threats, thanks to which, for example, Russian banks for the most part escaped the epidemic of ransomware viruses. On the other hand, the number of steps towards real security is strongly correlated with the budget allocated for information security. Only banks with a colossal information security budget follow all the best practices to ensure the protection of their IT infrastructure. Unfortunately, many financial institutions are not ready to effectively withstand targeted attacks, so in 2018 it is possible to predict another high-profile incident, for example, related to the Cobalt group.

The first cyber attack on a Russian bank through SWIFT

The first bank affected by the cyber attack with the withdrawal of funds through the SWIFT system was the subsidiary bank Globex, controlled by Vnesheconombank (VEB), Kommersant reports citing a source. Read more here.

Barclays: Losses from pre-holiday cyber fraud could exceed £1.3bn

According to Barclays Bank forecasts, pre-holiday cyber fraud in December 2017 will reach its peak, with buyer losses likely to exceed 1.3 billion pounds. Barclays representatives came to this conclusion on the basis of a survey of more than 2 thousand buyers in September 2017. Amid an increase in online shopping amounts, there has been no increase in customer awareness of cyber security, the study found.

For example, 38% of respondents told Barclays that they did not know how to determine that the site was reliable. The study also found that, on average, as a result of cyber fraud, one buyer loses 893 euros, the equivalent of a total of 1.3 billion pounds, extrapolating this figure to the country's population.

Barclays has also published a series of pre-holiday tips for Christmas present shoppers on how not to fall victim to scammers. The goal pursued by Barclays is to reduce likely losses, most of which large banks are forced to cover.

In particular, the bank's experts recommend checking for the presence of the lock symbol and the abbreviation "https" in the address bar on retail websites; never use public Wi-Fi to make transactions; never reveal your bank PIN on other websites and regularly check your bank account balance.[21]

The fraudster tried to steal 1.4 billion rubles from a Russian bank

The Kirovsky District Court of Yekaterinburg sentenced businessman Alexander Kempel to 3 years and 6 months in prison for attempting to steal about 1.4 billion rubles from the Ring of the Urals bank, the prosecutor's office of the Sverdlovsk Region said[22].

In November-December 2014, the fraudster entered into a criminal conspiracy with an unidentified person aimed at embezzlement of funds on an especially large scale by connecting payment terminals to a computer and their subsequent hacking.

Through his acquaintances, the fraudster found two legal entities with settlement accounts in LLC KB Ring of the Urals. The fraudster rented PoS terminals from entrepreneurs, allegedly to cash out money.

In January 2015, Kempel and his accomplice, using the PoS terminals received and the payment cards at their disposal, issued on persons not established by the investigation, made a number of financial transactions to pay for goods and return funds to their accounts, allegedly on the basis of refusal of services. At first, they, having hacked the terminal using a computer, tried to "return" 1.4 billion rubles, but the bank's security service noticed suspicious activity and canceled the operation.

A few months later, the attackers again tried to steal money according to the same scheme. This time they managed to withdraw 29 million rubles to the accounts of one-day firms registered in Kazakhstan.

The attacker was found guilty by the court under Article 159.6 of the Criminal Code of the Russian Federation (attempted fraud in the field of computer information committed by a group of persons by prior conspiracy, on an especially large scale). Kempel did not appear at the court session and was put on the wanted list[23].

The average cumulative damage from one incident reached $926 thousand

According to a study by Kaspersky Lab (Financial Cyber Threats in 2016, conducted among 800 representatives of financial organizations from 15 countries of the world), the losses of financial organizations from cyber attacks are becoming more and more tangible: the average cumulative damage from one incident reached $926 thousand. In addition to direct damage, this figure includes additional costs for staff salaries, the involvement of external specialists, reputational costs, lost profits, as well as insurance payments and compensation to customers.

The most devastating were attacks on POS terminals: the average damage from them amounted to $2.1 million. This is followed by threats related to hacking mobile devices ($1.6 million in damage) and targeted attacks ($1.3 million).

Rising losses are forcing financial institutions to increase spending on cybersecurity. Although the main reason remains the need to comply with the requirements of regulators, 63% of respondents consider this compliance only as a starting point in building a protection system. Another factor that forces companies to increase spending in this area is the complication of infrastructure. Finally, security costs can increase when a company is aware of a lack of its own knowledge in this area, as well as at the direction of management or due to business expansion. Summarizing, we can say that the amount of funds allocated for information security will continue to grow in the future: 83% of respondents are sure of this.

The results of the study showed that financial institutions focus on studying cyber threats and conducting security audits: 73% of respondents consider such measures effective.

Kaspersky Lab experts advise taking the following recommendations into account when developing a cybersecurity strategy:

  • Beware of targeted attacks. They can be conducted through third parties or your contractors. Such companies are often poorly protected, which can become your problem.
  • Consider the human factor: attackers very often and ingeniously use social engineering methods to penetrate the company's infrastructure.
  • Remember that security compliance alone does not provide guaranteed protection. It is equally important to take an integrated approach to security.
  • Conduct regular penetration tests. Infrastructure vulnerabilities should be known to you before attackers get to them.
  • Consider the threat of insiders. Attackers can bribe company employees to bypass the security system. You can resist this by applying information security policies, well-designed access separation and auxiliary methods for detecting abnormal activities within the organization.

Banks are forced to spend 3 times more on cybersecurity than other companies

According to a Kaspersky Lab study, the average annual cybersecurity budget of banks reaches $58 million: this is three times more than that of non-financial organizations. In most cases, such spending is justified: bank representatives report significantly fewer computer crimes than companies of the same size in other industries. Moreover, 64% of those surveyed said they would invest in improving protection regardless of the return on those investments.

The growth of investments in cyber defense has good reason: in the past few years, the number of threats to the financial industry has been steadily growing, they are becoming more complex and fraught with serious consequences, the company said. Thus, 70% of banks reported that over the past year they suffered monetary losses as a result of cyber fraud. The risks associated with mobile banking cause the most concern: 42% of respondents believe that the overwhelming number of customers will use it in the next three years, while the level of cyber literacy of users will remain low. This threatens to increase the number of incidents related to the theft of money through mobile devices.

Among other current threats to users, banks identified phishing: in 2016, customers of 46% of companies faced it. Another area of increased risk is ATMs. Moreover, only 19% of banks are concerned about the threat of attacks on them, while in 2016 the volume of malware for ATMs increased by 20% compared to 2015.

According to Kaspersky Lab, the negligence of users and the increasing number of attacks force banks to reconsider their security priorities: 61% of the study participants called improving the protection of applications and sites one of the main priorities. In second place (52%) was the introduction of more reliable authorization systems.

Hackers who stole more than 1 billion rubles from Russian banks were caught

Russian police detained nine hackers who are the creators of the Lurk Trojan, designed to steal funds from banking systems. The fact of the detention was confirmed by the official representative of the Ministry of Internal Affairs Irina Volk. The connection of the criminals with Lurk was reported by the TASS news agency, citing a police source[24][25].

All nine criminals were detained on January 25, 2017 in five different regions of Russia: Moscow, St. Petersburg, Krasnodar Territory, Tver and Sverdlovsk regions. One hacker was taken into custody by a court order, Volk said.

This is the second wave of detentions in the case of embezzlement of funds from banking systems - the first, in May 2016, was jointly carried out by the Ministry of Internal Affairs and the FSB. After the first arrests, law enforcement agencies spent several months tracking down the remaining members of the group, which was done by early 2017.

Criminals detained during both operations will be charged under the articles "Creation and participation in a criminal community" and "Fraud in the field of computer information committed by an organized group or on an especially large scale."

The first wave of detentions

The hackers detained in May 2016 were suspected of stealing more than 1 billion rubles from bank accounts, according to some sources - 1.7 billion rubles. They also allegedly made attempts to withdraw another 2.2 billion rubles from accounts. In addition, the group was suspected of attacks on critical infrastructure, in particular, on industrial enterprises of strategic importance. Recall that recently the State Duma approved prison terms of up to 10 years as a punishment for cyber attacks on critical infrastructure.

In total, in 2016, 27 criminals were detained, scattered in 17 regions of Russia. 19 of them were taken into custody. In total, the group consisted of about 50 people. The group has been stealing funds from the accounts of clients of financial institutions since 2013. During the seizure operation, the police searched 34 addresses, confiscated 90 devices, including computers, drives and communications, seized cash worth 4.5 million rubles and edged weapons.

One of the programs that Lurk was disguised as was Ammyy Admin, a remote PC management software. The Trojan was posted on the official website of the Ammyy Group, from where it could be downloaded, for example, by the sysadmin of the victim company. Running the Ammyy Admin installer caused the Trojan-Spy.Win32.Lurk malware to run. In addition, the PHP script on the Ammyy Group web server was modified to check whether the computer to which Ammyy Admin was being downloaded belonged to a corporate network. If the computer turned out to be corporate, the malware was loaded onto it; the hackers were not interested in private devices. It is noteworthy that in a number of banks the use of Ammyy Admin, like other programs for remote control, is prohibited. After the hackers were detained in May 2016, the Ammyy Group website stopped distributing Lurk, replacing it with Trojan-PSW.Win32.Fareit, a malware for stealing personal data. Kaspersky Lab experts concluded that the spread of various malware through the company's website is probably the work of a certain person or group of people who have simply changed customers.

2016

Theft of almost 2 billion rubles

In March 2016, the cybercrime investigation company Group-IB released a report from which it became known that hackers had stolen almost 2 billion rubles from Russian banks.

Zecurion: Hackers stole 650 million rubles from Russian bank cards in a year

In 2016, hackers stole 650 million rubles from Russian bank cards. This figure decreased by 15% compared to 2015. The decrease in the number of cases of theft of funds is due to the fact that cardholders have studied the most popular fraud schemes and learned not to respond to them. This follows from the calculations made by Zecurion, a banking security company.

According to Zecurion forecasts, in 2017 the volume of theft will increase to 750 million rubles. According to experts, cyber fraudsters are improving their schemes. So, attackers call citizens, posing as bank employees, and ask to provide card data. Also, hackers steal bank card data through a virus sent in letters that are focused on the interests of recipients.

The company stressed that at the end of this year, an increase in the volume of theft is expected, as fraudsters have introduced a new scheme of deception. They call potential victims on behalf of employees of the Federal Tax Service and, under the pretext of the need to pay off the debt, learn the necessary [26]

In 2016, the number of thefts carried out from bank cards via the Internet due to the fault of their owners increased by 78% and reached 107 thousand. At the same time, according to experts, in 70% of cases, bank customers themselves realize exactly how the fraudsters took possession of their money - but they draw conclusions too late.

In particular, the most common method of fraud with plastic cards is to attack computers holding user data with Trojan viruses and to gain access to the victim's account after illegally making a duplicate of their SIM card. In this case, customers are at fault for using internet banking on work computers or integrating it with social networks.

Also, a high degree of risk is created by the use of a mobile application on a smartphone to enter the personal account of an Internet bank - especially after choosing a four-digit code instead of a full-fledged login and password for authorization.

To protect their funds on bank cards, experts recommend using an Internet bank from a separate computer, not storing large amounts of money on a plastic card, replenishing the card balance as needed, not entering the Internet bank through open Wi-Fi networks.

14 hackers stole more than a billion from Russian banks

The case of 14 hackers

Suspects in the case of embezzlement of more than 1 billion rubles from Russian banks will appear before the court - the Prosecutor General's Office of the Russian Federation has already sent their criminal case there. The indictment in the case was approved by Deputy Attorney General Victor Grin. The case will be considered by the Meshchansky District Court of Moscow, according to CNews[27][28].

14 people are suspects in the case. According to the prosecutor's office, these are Yuri Lysenko, Evgeny Vorobyov, Ivan Krylov, Artem Mazurenko, Mikhail Vorobyov, Anton Ekimenko, Denis Grinev, Maxim Usatov, Sergey Makhnichev, Nikolai Milovidov, Mikhail Oreshkin, Oleg Rodin, Nikita Khadzhibekyan and Sergey Chistov.

The investigation believes that they were members of a criminal group engaged in the theft of funds from Russian banks on the Internet. Charges are brought forward under several articles of the Criminal Code of the Russian Federation at once, which provide for punishment for organizing a criminal community and participating in it, fraud in the field of computer information and theft.

In the case of the fifteenth member of the group, Anton Testov, a conviction has already been passed, the prosecutor's office reports. Testov was able to get his sentence out of turn, as he agreed to cooperate with the investigation. The group included other persons who have already been put on the international wanted list, the investigation of their actions continues. Arrests of suspects began in 2015.

Corpus delicti

The investigation into the case is being conducted by the Investigative Department of the Ministry of Internal Affairs of the Russian Federation. According to investigators, the criminal hacker group was created by a citizen of Ukraine, Yuri Lysenko, in July-November 2014. At Lysenko's suggestion, more than 17 people joined it, not counting him. "The funds of financial institutions were stolen by entering and modifying computer information using the Internet, performing transfer and withdrawal operations with bank cards with their cancellation and restoration of balance in accounts," the prosecutor's office says.


The group operated in Moscow. In total, the affected credit and financial institutions lost more than 1 billion rubles. According to Kommersant, they included such banks as Promsvyazbank, Zenit, Trust, Uralsib, as well as small-scale credit organizations. Of the total amount stolen, about 880 million rubles was found on Lysenko's account. The leader and organizer of the group does not have a higher or any other education in the field of IT or finance.

At first, the group was engaged in theft of money from ATMs. Special devices were installed on ATMs that influenced the procedure for issuing cash. Thus, about 5.7 million rubles were stolen. After that, the group started withdrawing funds via the Internet.

Prosecutors demand 15 years in prison for group leader

The prosecutor's office requested a punishment of 15 years in prison for the Ukrainian Yuri Lysenko, accused of organizing a cybercriminal group. For 13 of Lysenko's accomplices, the prosecution is seeking from 6.5 years to 12 years in prison. This was reported on Monday, December 10, 2018, by the Kommersant newspaper.

According to the prosecution, the criminals could deposit 200 thousand rubles on a bank card and then transfer the money to another card. Then, using malware, the transaction was canceled. Considering the transfer failed, the banks returned the money to the sender's account, but from their own funds. Thus, cybercriminals doubled their money. Using this method, attackers stole more than 1 billion rubles.
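The scheme above leaves a trace in the ledger: a genuine reversal debits the recipient back, while here the refund is paid from the bank's own funds and the recipient keeps the credit. The following reconciliation check is an added example, not code from the case or from any bank's system; the posting format, account names and sample data are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

BANK_FUNDS = "bank:own_funds"  # hypothetical name for the bank's own-funds account

# Constructed sample postings: (transaction ref, account, signed rubles, kind)
SAMPLE_POSTINGS = [
    # T1: genuine reversal, the recipient is debited back and the sender refunded
    ("T1", "card:A", Decimal("-200000"), "transfer"),
    ("T1", "card:B", Decimal("200000"), "transfer"),
    ("T1", "card:B", Decimal("-200000"), "reversal"),
    ("T1", "card:A", Decimal("200000"), "reversal"),
    # T2: the scheme from the text, the refund comes out of bank funds
    ("T2", "card:C", Decimal("-200000"), "transfer"),
    ("T2", "card:D", Decimal("200000"), "transfer"),
    ("T2", BANK_FUNDS, Decimal("-200000"), "reversal"),
    ("T2", "card:C", Decimal("200000"), "reversal"),
    # T3: ordinary transfer that is never reversed
    ("T3", "card:E", Decimal("-15000"), "transfer"),
    ("T3", "card:F", Decimal("15000"), "transfer"),
    # T4: the same card pair repeats the pattern
    ("T4", "card:C", Decimal("-200000"), "transfer"),
    ("T4", "card:D", Decimal("200000"), "transfer"),
    ("T4", BANK_FUNDS, Decimal("-200000"), "reversal"),
    ("T4", "card:C", Decimal("200000"), "reversal"),
]


def find_bank_funded_reversals(postings):
    """Flag reversed transactions whose customer-side postings do not net to zero.

    For a legitimate transfer plus reversal, every customer account nets to
    zero under the transaction ref. If customers end up with a positive net,
    the difference was paid by the bank.
    """
    nets = defaultdict(lambda: defaultdict(Decimal))
    reversed_refs = set()
    refunded_to = {}
    for ref, account, amount, kind in postings:
        nets[ref][account] += amount
        if kind == "reversal":
            reversed_refs.add(ref)
            if account != BANK_FUNDS and amount > 0:
                refunded_to[ref] = account
    findings = []
    for ref in sorted(reversed_refs):
        accounts = nets[ref]
        bank_net = accounts.get(BANK_FUNDS, Decimal(0))
        customer_net = sum(
            (v for a, v in accounts.items() if a != BANK_FUNDS), Decimal(0)
        )
        if bank_net < 0 or customer_net != 0:
            findings.append({
                "ref": ref,
                "bank_loss": -bank_net,
                "refunded_to": refunded_to.get(ref),
                # accounts that still hold money the transfer gave them
                "retained_by": {a: v for a, v in accounts.items()
                                if a != BANK_FUNDS and v > 0},
            })
    return findings


def recurring_pairs(findings, min_count=2):
    """Total the bank's loss per (refunded sender, retaining recipient) pair
    that shows the pattern at least min_count times."""
    count = defaultdict(int)
    loss = defaultdict(Decimal)
    for f in findings:
        for beneficiary in f["retained_by"]:
            key = (f["refunded_to"], beneficiary)
            count[key] += 1
            loss[key] += f["bank_loss"]
    return {k: loss[k] for k in count if count[k] >= min_count}


if __name__ == "__main__":
    found = find_bank_funded_reversals(SAMPLE_POSTINGS)
    for f in found:
        print(f["ref"], "bank loss:", f["bank_loss"], "retained by:", f["retained_by"])
    print("recurring pairs:", recurring_pairs(found))
```

Running the check before a reversal is confirmed, rather than in end-of-day reconciliation, is what stops the refund from being paid out.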

As the results of the forensic examination showed, to cancel transactions, the criminals developed their own software based on Montero and Software. However, the defense will insist that the results are inaccurate. According to the lawyers, they asked the manufacturers Montero and Software if such malware could exist, and received a negative answer.

The members of the organized criminal community obtained another 5.7 million rubles by installing special devices on ATMs to control the process of issuing banknotes. The victims of the cybercriminals were Promsvyazbank, Zenit, Trust, Uralsib and other banks.

Hackers took full control of the bank in Brazil

Hackers seized control of all IT operations of one Brazilian bank. Each of the bank's 36 domains, corporate email and DNS fell under the control of the attackers. This situation persisted for three months, until October 2016, when it became obvious that malware was being injected through the bank's website to all its visitors - a Java file hidden inside a .zip archive loaded into the index file[29].

Revealing the details of the online attack at the summit of security analysts in the spring of 2017, Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev reported that the attackers were operating in nine other organizations in different regions of the world.

The bank, whose name has not been released, says it serves five million customers in Brazil, the USA, Argentina and Grand Cayman and manages assets totaling $25bn through a network that includes 500 branches.

"Each visitor has a plugin with a JAR file inside," Bestuzhev explains, adding that hackers controlled the site's index file. Inside the index, an iframe was downloaded that redirected visitors to the website from which the malware was downloaded to them.

Hackers seized control of the bank's DNS servers, moving all 36 of the bank's domains to fake sites that used free HTTPS certificates from Let's Encrypt.

"All domains, including corporate ones, were under the control of the bad guys," Assolini says, adding that attackers also infiltrated the corporate email infrastructure and blocked it, preventing the bank from informing customers about the attack or contacting their registrar and DNS provider.

The researchers found eight modules, including configuration files with bank URLs, update modules, modules for stealing credentials for Microsoft Exchange, Thunderbird and a local address book, as well as Internet banking management and decryption modules. All modules, according to the researchers, communicated with a command-and-control server in Canada.

One of the modules, Avenger, is a legitimate penetration test tool that is used to remove rootkits. But in this case, it was modified to remove security products running on infected computers. It was Avenger that helped researchers determine that nine other banks around the world were similarly attacked and seized.

"The criminals wanted to use this opportunity to hijack the operations of the original bank, as well as download malware capable of stealing money from banks in other countries," Bestuzhev says.

The researchers also reported that phishing pages were uploaded to bank domains to encourage victims to enter payment card data.

This scam was identified five months before the registration of Let's Encrypt certificate. Phishing emails with the name of the Brazilian registrar addressed to local companies were also found.

Bestuzhev and Assolini believe that this could be the route through which the hackers got to the bank's DNS settings.

"Imagine that, using the phished data of one employee, attackers gain access to DNS tables - this is very bad!" Bestuzhev emphasized. "If DNS is under the control of criminals, that's it, you've been 'hit.'"

The researchers stressed the importance of securing the DNS infrastructure and the need to take advantage of features such as two-factor authentication, which are offered by most registrars, but few customers use them.
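One way to notice the kind of takeover described above from outside the bank's own infrastructure is to compare what independent resolvers and TLS probes see against a pinned baseline, and to treat delegation changes on several domains at once as a sign that the registrar or DNS account itself is compromised. This is an added example, not tooling used by the researchers or the bank; the domains, name servers, address ranges and issuer names are constructed, and the observations are assumed to be collected by a separate probe.

```python
import ipaddress

# Constructed baseline: expected delegation, approved address ranges and
# certificate issuers per domain (all values hypothetical).
BASELINE = {
    d: {
        "ns": {"ns1.dns-provider.example", "ns2.dns-provider.example"},
        "nets": ["198.51.100.0/24"],
        "issuers": {"Example Corporate CA"},
    }
    for d in ("bank.example", "bank-cards.example",
              "bank-mail.example", "bank-invest.example")
}

HIJACKED_NS = ["ns1.other-dns.example.", "ns2.other-dns.example."]
GOOD_NS = ["NS1.dns-provider.example.", "ns2.dns-provider.example."]

# Constructed observations as an external probe might record them.
OBSERVATIONS = [
    {"domain": "bank.example", "ns": HIJACKED_NS,
     "a": ["203.0.113.10"], "issuer": "Let's Encrypt"},
    {"domain": "bank-cards.example", "ns": HIJACKED_NS,
     "a": ["203.0.113.11"], "issuer": "Let's Encrypt"},
    {"domain": "bank-mail.example", "ns": HIJACKED_NS,
     "a": ["203.0.113.12"], "issuer": "Let's Encrypt"},
    {"domain": "bank-invest.example", "ns": GOOD_NS,
     "a": ["198.51.100.20"], "issuer": "Example Corporate CA"},
]


def check_domain(obs, baseline):
    """Return the list of deviations from the baseline for one observation."""
    expected = baseline.get(obs["domain"])
    if expected is None:
        return ["domain_not_in_baseline"]
    reasons = []
    # Normalise case and the trailing root dot before comparing NS sets.
    seen_ns = {n.lower().rstrip(".") for n in obs["ns"]}
    if seen_ns != expected["ns"]:
        reasons.append("ns_changed")
    nets = [ipaddress.ip_network(n) for n in expected["nets"]]
    outside = [ip for ip in obs["a"]
               if not any(ipaddress.ip_address(ip) in net for net in nets)]
    if outside:
        reasons.append("address_outside_approved_ranges")
    # The issuer is flagged because it is not the one pinned for this domain,
    # not because of which CA it is.
    if obs["issuer"] not in expected["issuers"]:
        reasons.append("unexpected_certificate_issuer")
    return reasons


def assess(observations, baseline, mass_threshold=3):
    """Return (per-domain findings, account_level_suspected).

    account_level_suspected is True when the delegation changed on at least
    mass_threshold domains in the same run, which points at the registrar or
    DNS provider account rather than a single misconfigured zone.
    """
    findings = {}
    for obs in observations:
        reasons = check_domain(obs, baseline)
        if reasons:
            findings[obs["domain"]] = reasons
    delegation_hits = sum(1 for r in findings.values() if "ns_changed" in r)
    return findings, delegation_hits >= mass_threshold


if __name__ == "__main__":
    result, account_level = assess(OBSERVATIONS, BASELINE)
    for domain, reasons in sorted(result.items()):
        print(domain, reasons)
    print("registrar/DNS account compromise suspected:", account_level)
```

Alerts from such a monitor need an out-of-band channel, since in the incident above the bank's own e-mail was also under the attackers' control.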

Hackers stole 100 million rubles from a Russian bank

On December 1, 2016, it became known about the loss of 100 million rubles by a Russian bank as a result of a cyber attack. Presumably, an automated banking system (ABS) was hacked.

According to Kommersant, citing sources in the information security market and a person close to the Central Bank, hackers withdrew more than 100 million rubles from the Russian bank. The press service of the Central Bank confirmed this damage to the publication.

At the same time, the name of the affected credit institution was not disclosed. It is only known that a branch of a regional bank was attacked, and the attackers withdrew all the funds that were in this unit.

The incident is being handled by law enforcement and FinCERT.

According to one version, hackers could hack into an automated banking system developed by Diasoft, as a result of which a large payment with a false address came out of the system. Kommersant notes that this may be the first attack of this type.

"Banks have long believed that ABS is on the internal network and therefore attackers will not be able to get to it. But today, with the use of social engineering, it is not difficult to get into the internal network of the bank and from there successfully attack the ABS," said the head of Digital Security Ilya Medvedovsky.

At the same time, the newspaper's source in the Central Bank says that it is too early to draw conclusions, since the investigation has just begun its work. According to him, if the problem really is in the Diasoft software product, this information will be passed to the company so that the vulnerabilities can be eliminated. Over the past few weeks, customers in the financial sector have not contacted the company about any information security incidents, said Alexander Gentsis, a member of the board of directors of Diasoft.

According to information published on the Diasoft website, the company's clients include more than 300 banks, including Sberbank, Gazprombank and Alfa-Bank.[30]

FinCERT: 1.37 billion rubles stolen from Russian banks in 12 months

On July 19, 2016, the Bank of Russia-established Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector (FinCERT) summed up the results of its first year of activity.

According to FinCERT, from June 2015 to May 2016, more than 20 large cyber attacks were recorded on credit institutions' payment systems. As part of these attacks, the criminals tried to steal 2.87 billion rubles. In cooperation with banks and law enforcement agencies, FinCERT managed to prevent the theft of more than 1.5 billion rubles. Thus, hackers were able to steal about 1.37 billion rubles from Russian banks. For more information, see the article on the Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector (FinCERT)

CCI: Damage from hacker attacks on banks in 2016 2.87 billion

On June 16, 2016, it became known about the scale of damage from hacker attacks on banks in Russia in 2016 - it reached 2.87 billion rubles[31]

Such data were published at an open meeting of the Committee on Financial Markets and Credit Organizations of the Chamber of Commerce and Industry of the Russian Federation.

"The total amount of damage to banks since January 2016 is estimated at 2.87 billion rubles. However, the attackers managed to withdraw only 1.2 billion, another 570 million were stopped and 1.1 billion were blocked on the accounts of credit institutions," said Alexander Chebar, Consultant of the Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector of the Bank of Russia (FinCERT).

In the past two years, there has been a clear vector of a shift in attacks by cyber fraudsters from bank customers towards credit institutions directly. This is primarily due to the fact that as a result of a targeted attack on the bank, criminals receive a large amount, and the process of its withdrawal in recent years has been quite simple. Chebar explained that mainly premium segment cards (Visa Gold, Platinum) were used and the entry amount was 2.5 thousand rubles.

There are technologies that prevent theft of funds from customer bank cards. In particular, chips are introduced into bank cards that significantly reduce the likelihood of an attack. Fraudsters focus on the client's user data (card number, CV code, PIN code), therefore, when using a bank card, care is required.

Central Bank: fraudsters stole 1.9 billion rubles from cards

According to the data provided by commercial banks to the Central Bank of the Russian Federation, as well as to FinCERT as part of the exchange of information about incidents in the field of information security, during 2016 the total volume of unauthorized transfers of funds placed in bank accounts amounted to 1.9 billion rubles in Russia (for comparison - in 2015 this figure reached 3.8 billion rubles).

At the same time, unauthorized card transactions accounted for 1.08 billion rubles (1.15 billion in 2015). During the past year, 9 large attempts were revealed for a total of 2.18 billion rubles, of which criminals managed to steal 1.9 billion.

AlfaStrakhovanie and CBR data on bank losses

According to AlfaStrakhovanie experts, from July 2015 to June 2016, the number of unauthorized withdrawals from bank card accounts in our country increased 5.5 times. Specialists of the Central Bank of the Russian Federation note that during the first half of 2016, 8.2 billion operations totaling 23.4 trillion rubles were carried out using cards on the territory of the Russian Federation and abroad.

Sberbank called the numbers of losses from cybercriminals

In June 2016, experts reported the likelihood of an increase in losses from cyber threats worldwide to $2 trillion by 2018[32]

In particular, this opinion of Sberbank experts was expressed by Stanislav Kuznetsov, Deputy Chairman of the Bank's Board.

Cyber Attack Research Presentation, (2013)
"Now there are at least 40 million cybercriminals in the world, and the damage to all countries is at least $500 billion. I think that this figure is somewhat underestimated, and the real one is much higher."

At the same time, the number of virus attacks in the world is growing at a rate of plus 3% per month, attacks on web services - 2.5%, theft of funds from various devices or electronic wallets - at least 3.5%.

In Russia, according to Sberbank, losses from cyber threats amounted to 550-600 billion rubles in 2015.

According to Kuznetsov, this figure is about 2 times the damage from all other economic crimes.

He also cited data from the Central Bank that last year in Russia 32 thousand attempts at unauthorized write-offs from customers of different banks were recorded, for a total amount of more than 5 billion rubles. Experts noted a 12-fold increase in the number of incidents in this area over the past 2 years.

Kuznetsov said that for the whole of 2015, Sberbank recorded 52 major hacker attacks on its systems, and since the beginning of 2016 ~ 57.

"In 2015-2016, all Sberbank services recorded the growth of various centralized attacks on financial and credit institutions of the Russian Federation, including Sberbank. We note an increase in this kind of hacker attacks on all remote banking services that are provided via the Internet."

5 billion rubles tried to steal from Russian banks from January 1, 2016

Since January 1, 2016, cyber fraudsters have stolen 2.7 billion rubles from the national financial system of Russia. At the same time, the criminals tried to withdraw a total of about 5 billion rubles, that is, about half of the funds were saved. Such data were voiced by Artem Mikhailovich Sychev, deputy head of the main department of security and information protection of the Bank of Russia on November 8, 2016[33]

At the same time, over the same period, the Central Bank of the Russian Federation identified 21 major thefts totaling 2.5 billion rubles; for about 1 billion rubles of that amount, "the finality of the transfer of funds has come."

Two main reasons for the successful thefts are named:

  • numerous vulnerabilities in the payment applications that banks operate, which fraudsters take advantage of;
  • inattention of bank management to information security issues, its insufficient provision.

As a result, the share of unauthorized money transfers in Russia is 0.005%, or 5 kopecks per 1000 rubles of transfers, according to the Central Bank of the Russian Federation. For comparison, according to the Bank of Russia, the share of unauthorized transfers in MasterCard and Visa payment systems in the regional context is 0.06%, or 6 cents per $100. The global figure is 0.09%, or 9 cents per $100 of transfers.

2015

CBR: Dynamics of the number and volume of unauthorized transactions performed using RBS systems

  • The main risk that has direct financial consequences remains the risk of fraud[34]
  • The risk affects both customers, by undermining confidence in remote service facilities, and financial institutions themselves, which have begun to suffer direct losses from attacks on the automated workstation of a Bank of Russia client (AWS of the CBD)
  • In addition, there is the risk of becoming a stop factor in business development and/or IT

Unauthorized access to the payment system

  • According to Energobank, on 27.02.2015 from 12:30 to 12:43, attackers gained control over the bank's terminal and conducted a number of unauthorized transactions on the Moscow Exchange to buy and sell currency, at such unfavorable rates that, as representatives of brokerage companies assure, the bank lost about 370 million rubles as a result.
  • Other critical cases
  • One and a half dozen participating banks of the United Settlement System became victims of large-scale fraud with payment cards. In the incident, which took place on 16/08/2015, about 500 million rubles came under attack
  • Before the new year 2016, the workstations (AWS) used to send payments were hacked in several banks of the Russian Federation; each bank lost about USD 10 million
  • 2016 February: Metallinvestbank AKB PJSC - attempted theft, attack on the AWS of the CBD, possible losses ~ 200[35]

Kaspersky Lab: Cybercriminals stole $1 billion from 100 financial organizations around the world

In a joint investigation, Kaspersky Lab, Europol and Interpol uncovered in February 2015 an unprecedented cybercriminal operation in which attackers stole 1 billion US dollars.

The cyber looting lasted two years and affected about 100 financial organizations around the world. Experts believe that behind this high-profile incident is an international group of cybercriminals from Russia, Ukraine, several other European countries, as well as China.

The criminal group, called Carbanak, used methods specific to targeted attacks. Unlike many other incidents, however, this robbery marks a new stage: now cybercriminals can steal money directly from banks, not from users. The activities of cybercriminals from the Carbanak gang affected about 100 banks, payment systems and other financial organizations from almost 30 countries, in particular from Russia, the USA, Germany, China, Ukraine, Canada, Taiwan, Hong Kong, Romania, France, Spain, Norway, Poland, India, Great Britain, Pakistan, Nepal, Morocco, Iceland, Ireland, the Czech Republic, Switzerland, Bulgaria, Brazil and Australia. As experts found out, the largest amounts of money were stolen during the invasion of the banking network: for each such raid, cybercriminals stole up to $10 million. On average, robbing one bank - from infecting the first computer on a corporate network to stealing money and curtailing activities - took hackers two to four months.

The criminal scheme began with the penetration into the computer of one of the employees of the organization through phishing techniques. After infecting the machine with malware, attackers gained access to the bank's internal network, found the computers of administrators of money transaction systems and deployed video surveillance of their screens. Thus, the Carbanak gang knew every detail in the work of bank staff and could imitate the usual actions of employees when transferring money to fraudulent accounts.

"These bank robberies differ from the rest in that cybercriminals used methods that allowed them not to depend on the software used in the bank, even if it was unique. Hackers didn't even have to hack into banking services. They simply penetrated the corporate network and learned how to disguise fraudulent actions as legitimate. This is really a professional robbery," explains Sergey Golovanov, a leading antivirus expert at Kaspersky Lab.

"These attacks are another confirmation that attackers will invariably exploit any vulnerability in any system. In such conditions, no sector can feel absolutely safe, so protection issues should be given constant attention. Identifying new trends in cybercrime is one of the main areas in which Interpol cooperates with Kaspersky Lab, and the purpose of this interaction is to help public and private companies provide better protection against these constantly changing threats," said Sanjay Virmani, director of the Interpol Center for Cybercrime Investigation.

How the attack took place:

  • On average, robbing one bank - from infecting the first computer on a corporate network to stealing money and hiding traces - took hackers two to four months
  • Average theft amount ~ 10,000,000 USD
  • The infection took place either through a letter with an attachment, seemingly from an employee of a bank or a client, or through phishing - a link to a web resource that asked for a login and password; employees entered their login and password into a fake site that imitated a corporate resource or system
  • Further, the attackers collected information about the bank's processes and found a convenient moment to commit theft, including using S.W.I.F.T (which at first glance seems absolutely secure) or remote banking systems to withdraw funds.
  • Balances were falsified so that the amount written off was not immediately visible

2014: About 1.6 billion from payment cards stolen in Russia

On June 26, 2015, a Central Bank review revealed that the volume of fraudulent transactions with payment cards issued in the Russian Federation reached 1.58 billion rubles in 2014[36].

Attackers used more than 70 thousand payment cards, 70% of which are settlement (debit) cards. In total, in ATMs, payment terminals, through the Internet bank and mobile applications, in 2014, fraudsters stole 3.5 billion rubles from bank accounts of citizens and companies.

The Central Bank said that, taking into account the 28% growth in the total number of cards and the 42% growth in the volume of transactions on payment cards issued in the Russian Federation, the share of unauthorized transactions by number and by volume decreased slightly in 2014.

The largest number of unauthorized transactions was carried out in the process of money transfers in the Russian Federation (the share of domestic unauthorized transactions amounted to 47% of the volume and 41% of the number of all unauthorized transactions).

Most often, fraudsters used the details of real bank cards (from 65% to 72%, depending on the quarter), then - fake "plastic" (from 18% to 24%), and 10-11% - data of lost or stolen cards.

ANUNAK attack
The start of the Anunak attack - a letter with a malicious attachment

The largest volume of unauthorized operations was recorded in Moscow and the Moscow region and in the Central, North-Western and Ural federal districts. Of interest is the chart showing the distribution of operations by region and infrastructure type. While on average in the regions fraudsters give approximately equal preference to the Internet (stationary and mobile) and ATMs, in the North Caucasus district the share of unauthorized transactions on the Internet reached 81%. The largest number of fraud attempts at cash points (10%) was recorded in Crimea.

According to bankers, as of June 2015, fraudsters actively use social engineering (the science of managing human behavior without technical means, based on psychology) to fish out the personal data of cardholders and of their credit cards (phishing).

The standard phishing scheme begins with an SMS about the card being blocked. Gullible people call the phone number indicated in the SMS and give the "bank security officers" the card number "for verification", the CVV code and other data. If the victim's card is protected by 3D Secure, completing a transaction requires a password that is automatically sent to the phone. Therefore, the fraudsters say that a verification SMS will be sent to unlock the card and that the client must read out the code indicated in it. In fact, at that moment they are making a purchase through an online store or transferring funds to their own card or mobile phone account[37].

Fraudsters can introduce themselves as employees of the security service or the bank's contact center and convince the client to go to the nearest ATM and perform "rescue" operations under their control. Following the instructions given over the phone, citizens transfer funds with their own hands to the fraudsters' electronic wallets, bank cards or phones.

The number of defrauded bank customers who have been lured to fake Internet sites with very low prices for air tickets or household appliances is growing. In the payment option on a fake site, fraudsters "embed" card-to-card money transfer services that require a one-time password sent via SMS. The customer carelessly enters the password, believing that he is paying for the purchase. Yet the SMS indicates the purpose of the payment: if it is clear that this is a transfer to a card while the client is making a purchase, in no case should he enter this code or pass it to anyone.

Using cards by scammers, 2014

VTB 24 considers skimming (theft of card data using a reader at ATMs and other public payment devices) the most popular type of fraud.

To protect yourself from this type of fraud, do not use ATMs in poorly lit and deserted places. Use ATMs of reliable and proven banks, do not let bystanders watch while you withdraw cash, and do not accept help from strangers.

Bankers ask customers to carefully inspect the ATM before entering the PIN-code, Vedomosti

When entering a PIN, always cover the keypad. This will prevent scammers from seeing the PIN or recording it on a video camera. The memo on the safe use of Sberbank cards, for example, is part of the contract, and the client is obliged to comply with the rules established in it. If the bank proves that scammers recorded the PIN with a video camera because the client did not cover the keypad with his hand, the court may well refuse to reimburse the client for the stolen funds.

2012: RBS customers in Russia lost $446 million for the year (-9%)

In 2012, about 9% less money was stolen through remote banking systems in Russia than a year earlier. Group-IB, a company specializing in the investigation of computer crimes, announced this in September 2013 in its report on the state of cybercrime in the country.

Read more: Secure RBS system

Notes

  1. Breathing sperm: a huge amount of money was stolen from cards and accounts of Russians
  2. Central Bank spoke about the losses of banks due to hacker attacks in 2022
  3. US Banks Reported $1 Billion in 2021 Ransomware Payments
  4. Banks in 2021 returned only 6.8% of stolen funds to victims of fraudsters
  5. In Spain, 16 fraudsters were arrested who stole about €276.5 thousand from bank customers.
  6. 2020, cybercriminals stole almost 10 billion rubles from Russians
  7. Sverdlovsk fraudsters stole 1 million rubles from the bank using a unique scheme
  8. Theft of money from accounts in 2020 doubled
  9. OVERVIEW OF TRANSACTIONS PERFORMED WITHOUT THE CONSENT OF CLIENTS OF FINANCIAL INSTITUTIONS FOR 2019
  10. 94 bitcoins for damages: GSU investigates criminal case on embezzlement from bank accounts
  11. The Moscow Court sentenced cybercriminals who stole 1 billion rubles from banks
  12. More than 1 billion rubles were stolen from cards of individuals in 2018.
  13. Kaspersky Lab has recorded a new type of attack on Eastern European banks
  14. Cybercriminals stole more than 21 million rubles from a Yakut bank: https://www.securitylab.ru/news/496588.php
  15. Russian financial sector lost about 3 billion rubles from cyber attacks
  16. In the Khabarovsk Territory, the investigation of a criminal case on the facts of fraud committed through cyber technologies was completed
  17. the
  18. Cyber fraudsters stole more than 9 million rubles from banks in the Khabarovsk Territory
  19. Hackers stole hundreds of millions from Mexican banks
  20. SPEI is a Mexican messaging system between banks, like the infamous SWIFT, which was repeatedly used by hackers to illegally transfer money.
  21. Barclays predicts unprecedented spate of online scams over Christmas
  22. 16.10.2017 In Yekaterinburg, a local resident who tried to steal over 1.4 billion rubles with the help of a payment terminal was sentenced
  23. The fraudster tried to steal 1.4 billion rubles from a Russian bank
  24. [http://safe.cnews.ru/news/top/2017-02-08_pojmany_hakeryukravshie_u_rossijskih_bankov_bolee CNews: Hackers who stole more than 1 billion rubles from Russian banks
  25. caught]
  26. Based on the materials of the Izvestia newspaper.
  27. [http://www.cnews.ru/news/top/2017-04-12_delo_hakerovukravshih_bolee_1_mlrd_rubu_rossijskih the
  28. 14 hackers stole more than a billion from Russian banks]
  29. Based on PLUSworld.ru materials, finextra.com
  30. ABS did not work
  31. The total damage from hacker attacks on banks this year is 2.87 billion rubles.
  32. Losses from cyber threats in the world could quadruple to $2 trillion by 2018.
  33. , they tried to steal 5 billion rubles from Russian banks from January 1, 2016.
  34. OVERVIEW OF UNAUTHORIZED TRANSFERS OF FUNDS
  35. Due to a hacker attack, Metallinvestbank lost 200 million rubles
  36. Fraudsters stole 1.58 billion rubles from plastic cards of Russians in 2014
  37. Card fraudsters stole 1.58 billion rubles from citizens in a year