MoneyTaker hackers attack banks in US and Russia

A group of attackers dubbed MoneyTaker has staged a number of successful attacks on financial institutions and law firms in the US, UK and Russia, Russian security company Group-IB says.

Group-IB said MoneyTaker had mainly been taking aim at card-processing systems, along with the AWS CBR (Automated Work Station Client of the Russian Central Bank, an interbank payment system) and, reportedly, SWIFT in the US.

It said that there had been 16 attacks in the US, three in Russia and one in the UK over 2016 and 2017.

The group had gone unnoticed by constantly changing its tools and tactics to bypass anti-virus and other traditional security products. Group-IB added that MoneyTaker had always been careful to clean up any traces of its presence on the systems it compromised.

"MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise," said Dmitry Volkov, co-founder of Group-IB and head of Intelligence.

"In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice."


The first attack was noticed in the northern spring of 2016, when money was stolen from a US bank after the attackers gained access to First Data's STAR network operator portal.

The group's method was to break into the bank's network and then check whether the card processing system was reachable from inside. If it was, the attackers either bought cards or legally opened card accounts at the bank.

Money mules, the criminals who physically withdraw cash from ATMs, then travelled abroad with the already activated cards and waited for the operation to begin.

The attackers then accessed the card processing system and removed or raised the cash withdrawal limits on the mules' cards. Overdraft limits were also removed, making it possible to overdraw even debit cards.

Using these cards, the mules withdrew cash from ATMs, one by one. The average loss per attack was about US$500,000.
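The cash-out scheme above leaves a recognisable trail inside the bank's own card processing audit logs: a recently opened card, a limit removed or sharply raised by an operator account, then a burst of foreign ATM withdrawals well above the old limit. The following detector is an added example, not Group-IB's or any bank's code. It assumes a constructed, simplified JSON audit trail with three event types (card_issued, limit_change, atm_withdrawal); real card processing systems log these differently, so the field names are assumptions.

```python
"""Detect the MoneyTaker-style cash-out pattern in card processing audit events.

Added example, not Group-IB's code. The event format is an assumption: a
constructed, simplified JSON audit trail with three event types,
card_issued, limit_change and atm_withdrawal.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Card 4111-0001 follows the
# pattern described in the article: opened recently, withdrawal limit removed,
# overdraft limit removed, then cashed out abroad. Card 4111-0002 is benign.
SAMPLE_EVENTS = """
{"ts": "2016-04-01T09:00:00", "type": "card_issued", "card": "4111-0001", "home_country": "US"}
{"ts": "2016-04-01T09:05:00", "type": "card_issued", "card": "4111-0002", "home_country": "US"}
{"ts": "2016-04-10T23:40:00", "type": "limit_change", "card": "4111-0001", "field": "withdrawal_limit", "old": 500, "new": null}
{"ts": "2016-04-10T23:41:00", "type": "limit_change", "card": "4111-0001", "field": "overdraft_limit", "old": 0, "new": null}
{"ts": "2016-04-11T01:05:00", "type": "atm_withdrawal", "card": "4111-0001", "amount": 2000, "country": "RU"}
{"ts": "2016-04-11T01:20:00", "type": "atm_withdrawal", "card": "4111-0001", "amount": 2000, "country": "RU"}
{"ts": "2016-04-11T01:35:00", "type": "atm_withdrawal", "card": "4111-0001", "amount": 2000, "country": "RU"}
{"ts": "2016-04-11T10:00:00", "type": "atm_withdrawal", "card": "4111-0002", "amount": 200, "country": "US"}
{"ts": "2016-04-12T10:00:00", "type": "limit_change", "card": "4111-0002", "field": "withdrawal_limit", "old": 500, "new": 600}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect_cash_out(events, window=timedelta(hours=48), new_card_days=90):
    """Return alerts for cards whose limits were lifted and then drained abroad.

    Rule: a limit_change that removes a limit (new is null) or more than doubles
    it marks the card as "lifted". Foreign ATM withdrawals within `window` of
    that change are summed; if the total exceeds the card's old withdrawal
    limit, the card is reported, together with how recently it was issued.
    """
    issued = {}                  # card -> (issue time, home country)
    lifted = {}                  # card -> time of first suspicious limit change
    old_limit = {}               # card -> withdrawal limit before the change
    drained = defaultdict(float)  # card -> foreign cash withdrawn in the window

    for e in events:
        card = e["card"]
        if e["type"] == "card_issued":
            issued[card] = (e["ts"], e["home_country"])
        elif e["type"] == "limit_change":
            suspicious = e["new"] is None or (e["old"] and e["new"] > 2 * e["old"])
            if suspicious and card not in lifted:
                lifted[card] = e["ts"]
            if e["field"] == "withdrawal_limit":
                old_limit[card] = e["old"]
        elif e["type"] == "atm_withdrawal":
            t0 = lifted.get(card)
            # Unknown home country is treated as foreign (conservative choice).
            home = issued.get(card, (None, None))[1]
            if t0 is not None and t0 <= e["ts"] <= t0 + window and e["country"] != home:
                drained[card] += e["amount"]

    alerts = []
    for card, total in drained.items():
        limit = old_limit.get(card) or 0
        if total > limit:
            age = (lifted[card] - issued[card][0]).days if card in issued else None
            alerts.append({
                "card": card,
                "foreign_cash": total,
                "old_limit": limit,
                "card_age_days": age,
                "new_card": age is not None and age <= new_card_days,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_cash_out(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The rule deliberately keys on the combination rather than any single signal: limit changes happen legitimately, and foreign withdrawals happen legitimately, but a limit removed at night on a weeks-old card followed by a run of foreign withdrawals exceeding the old limit is the shape of the scheme the article describes. In a real deployment the operator account that made the change would be the next pivot for the investigation.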

The attacks were attributed to the same group on the basis of the common tools used, the shared distributed infrastructure, one-time-use components in the group's attack toolkit and a specific withdrawal scheme: a unique account for each transaction.

"Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and Mail.ru free email services in the first.last@yandex.com format," Group-IB said.

To hide command-and-control communications from security teams, MoneyTaker generates SSL certificates whose subject fields carry well-known brand names (Bank of America, Federal Reserve Bank, Microsoft, Yahoo!) rather than random values, so that the connection looks legitimate at a glance. Such certificates are nonetheless self-signed or issued by a CA the victim does not trust, which is the detail a defender can check. In the US, the group used the LogMeIn Hamachi remote-access solution, Group-IB said.
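The brand-name certificate trick works only against a reviewer who reads the subject and stops there. The following check is an added example, not Group-IB's code: it scans constructed certificate records, modelled loosely on Zeek's x509.log in JSON form, and flags certificates that name a well-known brand in their subject while being self-signed, issued by an untrusted CA, or presented for a host that does not match their CN. The "server_name" field is assumed to have been joined in from the matching ssl.log entry, and the trust-store allowlist is a constructed stand-in for the organisation's real CA bundle.

```python
"""Flag C2-style TLS certificates that borrow well-known brand names.

Added example, not Group-IB's code. The input records are constructed and
modelled loosely on Zeek's x509.log in JSON form; "server_name" is assumed
to have been joined in from the matching ssl.log entry.
"""
import json

# Brands named in the article as appearing in MoneyTaker certificates.
BRANDS = ("bank of america", "federal reserve", "microsoft", "yahoo")

# Constructed stand-in for the organisation's CA trust store (assumption).
TRUSTED_ISSUERS = {"CN=Example Public CA,O=Example Trust Services,C=US"}

# Constructed sample records (not real captures).
SAMPLE_X509 = """
{"fuid": "F1", "certificate.subject": "CN=www.bankofamerica.com,O=Bank of America,C=US", "certificate.issuer": "CN=www.bankofamerica.com,O=Bank of America,C=US", "server_name": "cdn-update.example.net"}
{"fuid": "F2", "certificate.subject": "CN=www.microsoft.com,O=Microsoft Corporation,C=US", "certificate.issuer": "CN=Example Public CA,O=Example Trust Services,C=US", "server_name": "www.microsoft.com"}
{"fuid": "F3", "certificate.subject": "CN=update.example.net,O=Federal Reserve Bank,C=US", "certificate.issuer": "CN=Self,O=Self,C=US", "server_name": "update.example.net"}
{"fuid": "F4", "certificate.subject": "CN=mail.example.org,O=Example Org,C=US", "certificate.issuer": "CN=mail.example.org,O=Example Org,C=US", "server_name": "mail.example.org"}
"""


def parse_dn(dn):
    """Parse an RFC 4514-style DN ('CN=a,O=b') into a dict of attribute -> value.

    Handles backslash-escaped commas inside values; other escapes are passed
    through unchanged.
    """
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    out = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def brand_in(dn):
    """Return the first known brand whose name appears anywhere in the DN values."""
    compact = "".join(dn.values()).lower().replace(" ", "")
    return next((b for b in BRANDS if b.replace(" ", "") in compact), None)


def hostname_matches(pattern, host):
    """RFC 6125-style match: exact, or a single left-most wildcard label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return False


def inspect_certificate(rec, trusted_issuers=TRUSTED_ISSUERS):
    """Return an alert dict for a brand-impersonating certificate, else None."""
    subject = parse_dn(rec["certificate.subject"])
    brand = brand_in(subject)
    if brand is None:
        return None
    reasons = []
    if rec["certificate.subject"] == rec["certificate.issuer"]:
        reasons.append("self-signed")
    elif rec["certificate.issuer"] not in trusted_issuers:
        reasons.append("issuer not in trust store")
    cn = subject.get("CN", "").lower()
    sni = rec.get("server_name", "").lower()
    if cn and sni and not hostname_matches(cn, sni):
        reasons.append("CN does not match SNI")
    if not reasons:
        return None
    return {"fuid": rec["fuid"], "brand": brand, "reasons": reasons}


def scan(text, trusted_issuers=TRUSTED_ISSUERS):
    """Run inspect_certificate over newline-delimited JSON records."""
    alerts = []
    for line in text.strip().splitlines():
        if line.strip():
            alert = inspect_certificate(json.loads(line), trusted_issuers)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_X509):
        print(alert)
```

A genuine certificate for a brand chains to a public CA and is presented for a hostname its CN or SAN covers, so the legitimate record F2 produces no alert, while the self-signed brand certificate F1 and the untrusted-issuer certificate F3 do. A self-signed certificate for an internal service with no brand in it (F4) is ignored by this rule; that is a deliberate choice to keep the detection focused on the impersonation the article describes.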

Graphic: courtesy Group-IB




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

