In Russia, carding against banks has decreased by 85%

Tomcat

In Russia, over the year there was a reduction in the volume of cybercrimes against banks by 85% to 510 million rubles. In the segment of PC Trojans, the decline was 89%, in Android Trojans - 43%, and in the phishing segment - 65%. Only social engineering is on the rise. Russian groups began to be more interested in targets abroad rather than in their homeland.

Decline in all directions
Cybercrimes against banks and their clients in Russia have sharply declined: in the second half of 2018 and the first half of 2019, their volume in money amounted to 510 million rubles, which is 85% less than in the previous year, when such crimes were committed for 3.2 billion rubles. This was reported by the information security company Group-IB, which published a global report on high-tech crimes, Hi-Tech Crime Trends 2024.

If we talk separately about thefts caused by PC Trojans, in this segment the volume of damage decreased by 89% to 62 million rubles. Such crimes are traditionally typical for Russia, but at the moment Russian-speaking hackers are no longer creating new desktop Trojans. There are currently only two groups involved in theft using PC Trojans in Russia - Buhtrap2 and RTM, and only the second was active during the year.

The segment of thefts using Trojans for Android showed an annual decline of 43% to 110 million rubles. The Trojans that were previously most widely used have fallen out of use: in a year, 22 Trojans ceased to be active, and only 7 new ones were created. The number of groups in this segment has decreased in Russia from eight to five. At the same time, the average theft amount increased from 7 thousand to 11 thousand rubles, as the remaining groups began to use card2card transfers instead of SMS.

The volume of crimes in the field of financial phishing decreased by 65% to 87 million rubles. Over the past period, 15 groups have left this segment, so there are now only 11 active groups. The average amount of funds stolen from one user has also decreased.

As the types of attacks listed above began to bring in less money, criminals began to increasingly resort to other methods - for example, social engineering, which thus became the most common cyber threat to bank users in Russia. Since the end of 2018, the country has been experiencing a wave of vishing - telephone fraud. Banks are engaged in behavioral analysis of user actions to identify suspicious activity, but only large banks do this, so vishing is predicted to have high dynamics in the future.

Theft of bank card data
The volume of crimes in the field of theft of bank card data increased by 33% to 56 billion rubles. The number of cards whose data was leaked to the Internet increased by 38% - from 27.1 to 43.8 million. Approximately 80% of the market is accounted for by dumps, that is, the contents of the magnetic stripes of cards. During the year, researchers found 31.2 million dumps for sale, which is 46% more than the previous year. Sales of text data such as card number, CVV and expiration date showed an increase of 19%. There was an increase in the average price of text data from $9 to $14, but the average price of a dump fell from $33 to $22.

[Figure: The volume of cybercrimes against banks has decreased in Russia]

American bank card data is the cheapest: the average price is $8-10 for current text data and $16-24 for dumps. Card data from European banks is traditionally expensive: $18-21 per text and $100-120 per dump. Russian cards are rarely found at large points of sale, but if they are found, their price is average. The dump price over the year has increased from $48 to $71, and the text price has dropped from $15 to $12. The maximum price for a Russian bank card dump in 2018 was $170, and in 2019 it jumped to $500.

The popularity of using JS sniffers has grown significantly - JavaScript tools that are used to steal bank card data on websites, primarily text ones. During the year, 38 families of JS sniffers were discovered; currently there are more of them than banking Trojans. The USA is the leader in the use of JS sniffers, with the UK in second place. The use of JS sniffers is dangerous mainly for those countries where the 3D Secure XML protocol is not widely used.

Fraudsters also obtain card text data using phishing. This segment is becoming more competitive and new trends are emerging. For example, criminals have adopted panels for managing web injections and auto-filling, which were previously used only in crimes involving Trojans. Phishing kit developers have become more concerned about self-defense. To do this, they use blocking of security vendor subnets and hosting companies, and also serve phishing content only from IP addresses of the region in which the user is located. In addition, redirection to legitimate sites and checking for anomalous user-agents are used.

Gang activity
Losses from targeted attacks on Russian banks by financially motivated hacker groups decreased 14 times to RUB 93 million. The average amount of theft as a result of targeted attacks on banks in Russia decreased from 118 to 31 million rubles.

[Figure: Distribution of cybercrime in the financial sector by segment]

The leaders in the segment of cybercrime against banks are the Russian-language groups Cobalt, Silence and MoneyTaker, as well as the North Korean Lazarus and the new SilentCards group from Kenya. Of these, only Cobalt, Silence and MoneyTaker have Trojans at their disposal that can be used to control the ATM dispenser and withdraw money. During the year, attacks through ATMs were carried out only by Silence, attacks through card processing by Silence and SilentCards, and through SWIFT by Lazarus, and the latter managed to carry out two successful thefts in India and Malta with a total value of $16 million.

Lazarus is the only one using the FastCash theft method, known since the end of 2018, but first tested in Asia back in 2023. Silence began to pay less attention to their phishing mailings and now buy access to target banks from colleagues - for example, from the TA505 group. Of all five groups, SilentCards is the least prepared technically and has so far only successfully attacked African banks.

During the year, Cobalt and Silence each attacked Russian banks once, and MoneyTaker twice. The first two groups are now more interested in targets abroad, which greatly reduces the damage to the Russian financial sector. In the future, all three Russian-speaking groups will likely continue attacks on foreign targets. Only SilentCards will operate locally in its region.

Money will be withdrawn using attacks on the card processing system and ATM Trojans. Groups will target SWIFT much less frequently; only Lazarus will commit thefts through SWIFT and ATM Switch. Researchers believe that to destroy traces of successful attacks, carders will disable the infrastructure.

(c) https://www.cnews.ru/news/top/2019-11-29_v_rossii_na_85_upala_kiberprestupnost