
MoneyTaker hackers attack banks in US and Russia

A group of attackers dubbed MoneyTaker has staged a number of successful attacks on financial institutions and legal firms in the US, UK and Russia, a Russian security company claims.

Group-IB said MoneyTaker had mainly been taking aim at card-processing systems, including the AWS CBR (Russian Interbank System) and also reportedly SWIFT (US).

It said that there had been 16 attacks in the US, three in Russia and one in the UK over 2016 and 2017.

The group had gone unnoticed by constantly changing their tools and tactics to bypass anti-virus and traditional security solutions. Additionally, Group-IB said, MoneyTaker had always been careful to clean up any traces of its presence in a system.

"MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise," said Dmitry Volkov, co-founder of Group-IB and head of Intelligence.

"In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice."


The first attack was noticed in the Western spring of 2016, when money was stolen from a bank after the attackers gained access to First Data's STAR network operator portal.

The method used by the group was to break into the bank's network, and then check if they could connect to the card processing system. If this was found to be feasible, cards were either bought or card accounts legally opened at the bank.

Then money mules — criminals who withdraw money from ATMs — with previously activated cards went abroad and waited for the operation to begin.

The attackers then got into the card processing system and removed or increased cash withdrawal limits for the cards held by the mules. Overdraft limits were also removed, making it possible to overdraw even with debit cards.

Using these cards, the mules withdrew cash from ATMs, one by one. The average loss caused by one attack was about US$500,000.

The attacks were tied to the same group because of the common tools used, the distributed infrastructure, one-time-use components in the group's attack toolkit and specific withdrawal schemes – using unique accounts for each transaction.

"Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and Mail.ru free email services in the first.last@yandex.com format," Group-IB said.

To keep command and control communications from being detected by security teams, MoneyTaker generates SSL certificates whose fields carry well-known brand names (Bank of America, Federal Reserve Bank, Microsoft, Yahoo!) rather than random values. In the US, the group used the LogMeIn Hamachi solution for remote access, Group-IB said.
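The certificate trick described above leaves a defender-side signal: a certificate that names a major brand but is self-signed or not issued by a public CA. The following is an added example (not Group-IB's tooling or anything from the article) that applies that check to constructed Zeek-style ssl.log records; the brand list, the CA hints and the field names are assumptions to be tuned per environment.

```python
import re

# Brands the article says appeared in MoneyTaker C2 certificates (assumed watch list).
WATCHED_BRANDS = ("bank of america", "federal reserve", "microsoft", "yahoo")

# Substrings identifying public CAs we trust to issue for those brands (illustrative).
TRUSTED_ISSUER_HINTS = ("digicert", "let's encrypt", "globalsign", "sectigo", "entrust")


def parse_dn(dn: str) -> dict:
    """Turn an OpenSSL-style DN such as 'CN=x,O=y,C=z' into a dict of attributes."""
    attrs = {}
    # Split only on commas that start a new 'KEY=' attribute, so values may contain commas.
    for part in re.split(r",(?=\s*[A-Za-z]+=)", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def is_suspicious(subject: str, issuer: str) -> bool:
    """True when the subject claims a watched brand but the issuer is self or not a public CA."""
    subj, iss = parse_dn(subject), parse_dn(issuer)
    claimed = f"{subj.get('O', '')} {subj.get('CN', '')}".lower()
    if not any(brand in claimed for brand in WATCHED_BRANDS):
        return False
    self_signed = subj == iss
    issued_by_public_ca = any(h in iss.get("O", "").lower() for h in TRUSTED_ISSUER_HINTS)
    return self_signed or not issued_by_public_ca


def flag_servers(records: list) -> list:
    """Return the server addresses (Zeek id.resp_h) whose certificate looks like brand impersonation."""
    return [r["id.resp_h"] for r in records if is_suspicious(r["subject"], r["issuer"])]


# Constructed sample records in the shape of Zeek ssl.log fields (not real traffic).
SAMPLE_SSL_LOG = [
    {"id.resp_h": "203.0.113.10", "subject": "CN=www.bankofamerica.com,O=Bank of America Corporation,C=US",
     "issuer": "CN=www.bankofamerica.com,O=Bank of America Corporation,C=US"},  # self-signed
    {"id.resp_h": "93.184.216.34", "subject": "CN=login.microsoftonline.com,O=Microsoft Corporation,C=US",
     "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"},  # public CA, benign
    {"id.resp_h": "198.51.100.7", "subject": "CN=federalreserve.gov,O=Federal Reserve Bank,C=US",
     "issuer": "CN=Federal Reserve Bank,O=Federal Reserve Bank,C=US"},  # private issuer claiming a brand
    {"id.resp_h": "192.0.2.55", "subject": "CN=intranet.example.org,O=Example Org,C=US",
     "issuer": "CN=Example Org Root,O=Example Org,C=US"},  # self-issued but no watched brand
]

if __name__ == "__main__":
    print(flag_servers(SAMPLE_SSL_LOG))  # -> ['203.0.113.10', '198.51.100.7']
```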

Graphic: courtesy Group-IB




Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.