Review: how hackers rob banks

Tomcat

Remember those epic heist movies? Tough guys come up with an ingenious plan, change their looks more often than models at a fashion show, use incredible (and unrealizable) psychological tricks and risk their necks in pursuit of profit. I think you remember. It is hard to imagine such robbers these days. Major economic crimes take place in the digital realm. Today, the robber is not a genius of psychology or a tunneler who knows where to start digging. Today, a robber is a hacker who knows all the intricacies of the banking sector.

Carding

One of the most common types of "technological" fraud is bank card fraud. It is not surprising, because today almost everyone pays with cards everywhere. But are such payments safe?

History of bank cards
Initially, in truly "prehistoric" times, there was nothing on cards except for the number pressed out on the surface ("embossed"). The salesperson recorded the number on a piece of paper. At the end of the working day or week, the data was sent to the acquiring bank, which sent a request to the issuing bank to debit the cardholder. Then cards with a magnetic stripe appeared, on which the necessary information was stored: card number, expiration date, owner's name, a service code (so that the ATM or terminal understands what functions the card supports) and a verification code (similar to the one written on the back of the card). Such cards had a significant drawback: the magnetic stripe can be easily copied using a reader/encoder. ATM skimming is a consequence of this vulnerability. In the 90s, smart cards (cards with chips) replaced magnetic stripe cards, promoted by the EMV consortium (Europay, MasterCard, Visa). Smart card transactions provide three levels of security: card authentication, payer verification, and transaction authorization. Finally, contactless payments have become popular since the mid-2010s.

There are many different types of attacks that payment systems and banks face on a daily basis:

Payments without 3-D Secure

Most cases of fraud are related to online payments using the card-not-present scheme (the transaction requires only data written on the card, which is easily obtained on shadow markets). To combat such schemes, 3-D Secure was invented: an additional authorization scheme that uses three domain entities: the domain of the online store, the domain of the payment system, and the domain of the acquiring bank. However, some large stores such as Amazon are not ready to work with 3-D Secure, which is good news for scammers.

Magnetic stripe cloning

Despite the fact that modern cards are equipped with a chip, magnetic stripe cloning is the second most popular type of fraud. The fact is that in many US stores, when paying with a smart card, you can still conduct the transaction using the magnetic stripe. And if the terminal refuses to accept the magnetic stripe, there is a technical fallback scheme that works across America (both North and South) and Europe. Just insert a card with a non-working chip into the terminal or ATM, and after three unsuccessful attempts the terminal will offer to carry out the operation using the magnetic stripe. In Russia, terminals must not accept a magnetic stripe for payment if the card is equipped with a chip. However, in some stores you can still find terminals that accept technical fallback operations. And then,


The image shows that the card carries not one but two magnetic tracks of different recording densities (Track 1 and Track 2).
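The terminal-side check that the Russian rule above relies on (a chip card must not be accepted by swipe unless technical fallback applies) is driven by the service code stored on the track. The example below, added here and not part of the original post, parses a Track 2 record, validates the PAN with the Luhn check and decodes the ISO 7813 service code; the function names, the "three failed chip reads" threshold (taken from the text) and the sample track strings are constructed for illustration.

```python
import re

# ISO/IEC 7813 service code: three digits after the YYMM expiry on Track 2.
# First digit 2 or 6 means the card carries an IC chip (international/national).
_SC_CHIP = {"2", "6"}

# ';' start sentinel, PAN, '=' separator, YYMM, service code, discretionary data, '?' end sentinel
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation of the PAN (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Decode a Track 2 record into the fields a terminal policy needs."""
    m = TRACK2_RE.search(raw)
    if not m:
        raise ValueError("no Track 2 structure found")
    pan, exp, sc = m["pan"], m["exp"], m["sc"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],  # never keep the full PAN
        "expiry": "20" + exp[:2] + "-" + exp[2:],                   # YYMM -> YYYY-MM
        "service_code": sc,
        "chip_card": sc[0] in _SC_CHIP,
        "online_required": sc[1] in ("2", "4"),   # issuer must be contacted online
        "pin_required": sc[2] in ("0", "3", "5"),
    }


def swipe_allowed(card: dict, chip_attempts_failed: int, fallback_enabled: bool) -> bool:
    """Terminal policy: a chip card may be read by magstripe only under technical fallback
    (assumed here: fallback enabled by the acquirer and three failed chip reads)."""
    if not card["chip_card"]:
        return True
    return fallback_enabled and chip_attempts_failed >= 3
```

The same Track 2 pattern is what PCI-style scanners use to flag track data lingering in logs or memory dumps, since full track contents must not be retained after authorization.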

Offline Authentication

According to the modern rules of payment systems, 99.9% of transactions must be made online (the cryptogram is confirmed on the issuing bank's side), with the exception of payments in the metro, on airplanes and on cruise ships. In such places the Internet does not always work reliably. In addition, many payment systems used to work under a floor limit: transactions above a certain amount were confirmed online, and those below it by the terminal itself. Several years ago the number of such terminals (especially in America and Europe) was large enough to make attacks on the weaknesses of offline card authentication worthwhile.

Human factor

People are the weakest link in any system, no matter how reliable it is. Attackers can easily bypass network perimeter protection using ordinary phishing that delivers malware to the corporate network. A bank employee can easily follow a suspicious link in an email or download an unidentified file. Let alone ordinary users. The situation is aggravated by the fact that almost everyone has a remote banking service (for example, a mobile banking app) on their smartphone. Let's consider a typical scheme using the example of the "5th Reich" virus from the Chelyabinsk "cyber-fascists" (the control panel carried Nazi symbols).


Example of a phishing email sent to a Check Point employee

An unsuspecting user downloaded a Trojan disguised as Adobe Flash Player. During installation the program asked for administrator rights. When the user launched a banking application, the Trojan replaced the original window with a phishing one, where the required data were entered and then sent to the attackers' server. Possessing the login, the password and access to all SMS, including those with bank codes, the scammers could successfully make bank transfers. The program was distributed via SMS mailings with a malicious link.



Example of the malware installation

Penetration into corporate networks

According to a study by Positive Technologies, the company's specialists managed to get access to financial applications in 58% of cases. In 25% of banks, the nodes from which the ATMs were controlled were compromised. In 17% of banks, card processing systems are insufficiently protected, which makes it possible to manipulate the balance on card accounts, the report says. The level of protection of the network perimeter of banks is usually higher than that of other companies, but it is still far from ideal.

As the authors of the study found out, the most dangerous things for banks are remote access and control interfaces (such as SSH, Telnet, and file server access protocols), which are often available to any user. The study also showed that the weak link is the bank employees, as well as internal attackers. In some cases, for a successful attack, the privileges of an employee with access only to power outlets (guards, cleaners) are sufficient. After gaining access to the internal network, attackers need to take over local administrator privileges on the employee's computer or on servers. The attacks, according to the analysts, rely mainly on weak password policies (simple passwords, default accounts, poor group policy) and insufficient protection against password recovery from OS memory. By moving through the internal network using vulnerabilities and flaws in locally installed software, attackers can gain complete control over the bank's infrastructure.

In general, the attack on the banking system can be described by the following steps:
  • Penetration
  • Remote access
  • Obtaining privileges
  • Finding targets
  • Working with target systems
  • Cashing out

Hacker organizations

DPRK

Oh, what sins has North Korea not been accused of? Infringement of citizens' freedoms, totalitarianism, drug trafficking, aggressive foreign policy. But in terms of cyberattacks, North Korea has perhaps surpassed all other countries. State-sponsored hacker attacks bring huge sums of money to the country.


The likely base of the hackers is the Ryugyong Hotel in Pyongyang.

According to UN estimates, North Korea has earned about $2 billion from hacker campaigns, and this against a GDP of $28 billion (for 2016)! Seven percent is nothing to sneeze at. Neither is the cost of sponsoring the hacker program. According to unofficial data (and why should they be official with respect to the DPRK?), up to 20% of the annual military budget is spent on the hacker program. Periodically, special tests are carried out for schoolchildren in DPRK schools, and based on the results, high school students are sent to study computer science in depth. This is how Kim Jong-un's cyber soldiers begin to be formed. The actions of hackers from the DPRK are often associated with the hacker organization Lazarus. Among the largest attacks carried out by this group are the attack on Sony in 2014 (presumably over the 2014 film "The Interview"), the attack on the Central Bank of Bangladesh in 2016 and the launch of the WannaCry ransomware in 2017 (which affected more than 200,000 computers worldwide). It is believed that the Lazarus Group was created in 2007 under the control of the General Staff of the DPRK.

The FBI is looking for a member of the Lazarus Group. Maybe you have seen him somewhere?

OldGremlin

"There are people who do not believe in gremlins.

But every one of them gets hit on the head by a wrench carelessly left on a ladder."

OldGremlin is a Russian-speaking hacker group that made its mark in 2020. The first attack dates back to March-April 2020. In the wake of the coronavirus, OldGremlin, on behalf of the MiR Union of Microfinance Organizations, sent financial institutions recommendations on how to ensure security during the pandemic. In general, the tactics of this group can be characterized as opportunistic. During 2020 they sent letters with a malicious link tied to various social events: covid, political unrest in the CIS.

Silence

This group is distinctive in that it can be divided into two main roles: operator and developer. Perhaps it includes only two people! Of course, this does not diminish the harm it has done. The confirmed damage from this organization is estimated at 52 million rubles (according to other information, 272 million). Group-IB's characterization of Silence's attacks can be found below:

Timeline of Silence attacks, from Group-IB's 2018 report (date: attack characteristic)
  • 2016, July: Unsuccessful attempt to withdraw funds through the Russian interbank transfer system.
  • 2016, August: An attempt to break into the same bank. The attack was prevented.
  • 2017, October: ATM network attack. In one night, Silence stole about 7 million rubles.
  • 2018, February: Card processing attack. The cybercriminals withdrew about 35 million rubles through ATMs.
  • 2018, April: The same scheme as before. Silence stole 10 million rubles overnight.

Major attacks


Billion. And this is not a Russian film

You walk down the street and see an ATM start dispensing money. Just like that. What is going on here? Probably, such a question arose among people in December 2013, when they saw a similar picture. The damage from an international group of hackers from Russia, China and European countries is estimated at approximately one billion dollars. The Carbanak virus was spread by the hackers by email, affecting about 100 financial institutions around the world. From the moment of infection to the theft took about 2-4 months. ATMs were one of the ways to steal money: at a certain moment the hackers issued a command to the ATM to dispense cash, and the thieves just had to come and collect it.

Mt. Gox

Ah, I should have bought bitcoin in 2010 and lived happily ever after. I wonder what the hackers did with the 850 thousand bitcoins stolen in 2013? Well, we will never know now. At the time of the theft, that amount of bitcoin was worth approximately $480 million. At the time of this writing, that many bitcoins are already worth $51 billion. Almost half of Mark Zuckerberg's fortune!

Mt. Gox was a bitcoin exchange. It was founded in 2010 in Tokyo. In 2013, about 70% of all bitcoin purchase and sale transactions were performed through it. In 2014 it filed for bankruptcy because of the theft.

Bitcoins began flowing out of customer accounts as early as 2011: the cryptocurrency was experiencing the first boom in its history, and in June 2011 its price grew exponentially, which aroused the interest of hackers. Fraudsters created fake orders and withdrew tens of thousands of bitcoins.

At some point, Mt.Gox started having problems, which led to customers leaving. Then they began to discover that withdrawals from their accounts took several weeks, or even months. As a result, the exchange was closed; some managed to withdraw their funds and some did not have time, as the saying goes, "whoever got there first, ate." Curiously, after a while the owner of the exchange suddenly discovered 200 thousand bitcoins in one of the accounts. The theft case is still pending.

8.5%

The HP LaserJet 400 is a laser printer. It costs about 20 thousand rubles. One fine (as it turned out, not so fine) morning in the Central Bank of Bangladesh, such a printer in a small windowless closet stopped working. But this was no ordinary printer. It had a very important task: it automatically printed the physical records of the bank's SWIFT transactions. But on February 5, 2016, the print tray was empty. Bank employees tried to revive it, but to no avail.

This was no ordinary glitch. This failure was the culmination of a Lazarus hacker attack. Lazarus hacked into a computer at the Central Bank and gained access to the bank's SWIFT account, which had broad powers, including the ability to make transactions. Here it is worth taking a step back and noting that the Central Bank of Bangladesh keeps some of its money at the Federal Reserve Bank of New York. On February 4, the Central Bank of Bangladesh, unwittingly, initiated several dozen payments totaling $951 million. In other words, the hackers sent a request to New York that no one in Bangladesh suspected. By the time the bank's employees learned how serious the situation was, it was too late: the workday in New York had already ended, and all employees had left for the weekend.

Monday brought news, both good and bad. The good news came thanks to the vigilance of colleagues in New York: transactions for $870 million were canceled. Thanks to the English language. One of the transactions was directed to a strange recipient: the Shalika Fandation in Sri Lanka. Apparently, the Lazarus hackers wanted to send money to the account of the non-existent Shalika Foundation, but their spelling let them down. The bad news was that $81 million in transactions were approved and the money went to dummy accounts in the Philippines and Sri Lanka. Out of a possible 951 million, the hackers got only 81 million, or 8.5 percent.

And what about Russia?

They say that Russian hackers have their own unspoken "code of honor." Many people tend to romanticize the image of cybercriminals, making them digital Robin Hoods. One of the rules of Russian-speaking malefactors is "do not work on RU". True, it is not clear what matters more here, patriotism or fear of the FSB. Many hacker groups ignore this rule, acting exclusively in the CIS. Suffice it to recall the famous OldGremlin, which attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers.

On April 12, 2021, the Central Bank of Russia announced that losses of Russians to cyber fraudsters grew by 52% in 2020, to 9.77 billion rubles. Responsibility for crimes in the field of computer information is described in Chapter 28 of the Criminal Code of the Russian Federation. At the moment there is no single approach to understanding cybercrime and the information space, which in turn leads to different treatment of similar crimes in the legislation of different countries. As for Russia, its legislation on cybercrime does not stand out in any way.

Who is to blame and what to do

To solve any problem, you need to understand its causes. There are several reasons why banks, despite improvements in their security systems, remain susceptible to hacker attacks. The first reason: the lack of a legal framework with uniform security standards. The second reason: the desire of banks to save on security systems. The third reason: the lack of the necessary corporate culture in the field of cybersecurity. These are the three pillars without which it will not be possible to competently resist hacker attacks, and eliminating these causes is the first step towards reducing the number of cybercrimes in the banking sector. Naturally, the sophistication of hackers will grow with the level of security systems. But if bank employees continue to click on suspicious links in email.