
MoneyTaker hackers attack banks in US and Russia

A group of attackers dubbed MoneyTaker has staged a number of successful attacks on financial institutions and legal firms in the US, UK and Russia, a Russian security company claims.

Group-IB said MoneyTaker had mainly been taking aim at card-processing systems, including the AWS CBR (Russian Interbank System) and also reportedly SWIFT (US).

It said that there had been 16 attacks in the US, three in Russia and one in the UK over 2016 and 2017.

The group had gone unnoticed by constantly changing its tools and tactics to bypass anti-virus and traditional security solutions. Additionally, Group-IB said, MoneyTaker had always been careful to clean up any traces of its presence in a system.

"MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise," said Dmitry Volkov, co-founder of Group-IB and head of Intelligence.

"In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice."


The first attack was noticed in the Western spring of 2016, when money was stolen from a bank after the attackers gained access to First Data's STAR network operator portal.

The group's method was to break into the bank's network and then check whether it could reach the card-processing system. If it could, cards were either bought or card accounts were legally opened at the bank.

Then money mules — criminals who withdraw money from ATMs — with previously activated cards went abroad and waited for the operation to begin.

The attackers then got into the card-processing system and removed or increased the cash withdrawal limits on the cards held by the mules. Overdraft limits were removed as well, making it possible to overdraw even with debit cards.

Using these cards, the mules withdrew cash from ATMs, one by one. The average loss caused by one attack was about US$500,000.
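The sequence described above (limits loosened in the processing system, then a burst of ATM withdrawals abroad) is the kind of pattern a bank's monitoring can correlate. The following is an added example, not code from the article or from Group-IB: it runs a simple correlation over constructed card-processing audit events. The event schema, the field names and the thresholds are assumptions made for the illustration.

```python
"""Added example (not from the article or Group-IB): correlate card-processing
audit events to spot a withdrawal or overdraft limit being raised or removed on a
card shortly before a burst of ATM withdrawals, especially abroad.  The event
schema, field names, thresholds and sample events are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events, in the order the processing system logged them.
# Hypothetical schema: ts, card, event, then event-specific fields.  A "new"
# value of None models a limit that was removed outright.
SAMPLE_EVENTS = [
    {"ts": "2016-05-10T22:05:00", "card": "4111-01", "event": "limit_change",
     "field": "cash_limit", "old": 300, "new": None},
    {"ts": "2016-05-10T22:06:00", "card": "4111-01", "event": "limit_change",
     "field": "overdraft_limit", "old": 0, "new": None},
    {"ts": "2016-05-11T01:10:00", "card": "4111-01", "event": "atm_withdrawal",
     "amount": 2000, "country": "DE"},
    {"ts": "2016-05-11T01:25:00", "card": "4111-01", "event": "atm_withdrawal",
     "amount": 2000, "country": "DE"},
    {"ts": "2016-05-11T01:40:00", "card": "4111-01", "event": "atm_withdrawal",
     "amount": 2000, "country": "DE"},
    # Benign: a customer raises their own limit and withdraws once at home.
    {"ts": "2016-05-12T09:00:00", "card": "4111-02", "event": "limit_change",
     "field": "cash_limit", "old": 300, "new": 500},
    {"ts": "2016-05-12T12:00:00", "card": "4111-02", "event": "atm_withdrawal",
     "amount": 400, "country": "US"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def limit_loosened(event):
    """True when a limit was removed (new is None) or raised."""
    if event["new"] is None:
        return True
    return event["old"] is not None and event["new"] > event["old"]


def find_suspicious_cards(events, home_country="US",
                          window=timedelta(hours=24), min_withdrawals=3):
    """Return one alert per card whose first loosening limit change is followed,
    within `window`, by at least `min_withdrawals` ATM withdrawals.  Each alert
    records which limits were loosened and how many withdrawals were abroad."""
    by_card = defaultdict(list)
    for e in events:
        by_card[e["card"]].append(e)

    alerts = []
    for card, evs in by_card.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        loosening = [e for e in evs
                     if e["event"] == "limit_change" and limit_loosened(e)]
        if not loosening:
            continue
        t0 = parse_ts(loosening[0]["ts"])
        in_window = [e for e in evs
                     if timedelta(0) <= parse_ts(e["ts"]) - t0 <= window]
        withdrawals = [e for e in in_window if e["event"] == "atm_withdrawal"]
        if len(withdrawals) < min_withdrawals:
            continue
        alerts.append({
            "card": card,
            "limit_change_ts": loosening[0]["ts"],
            "limits_loosened": [e["field"] for e in in_window
                                if e["event"] == "limit_change"
                                and limit_loosened(e)],
            "withdrawals": len(withdrawals),
            "abroad": sum(1 for w in withdrawals
                          if w["country"] != home_country),
            "total": sum(w["amount"] for w in withdrawals),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_cards(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the limit-change events would come from the card-processing system's audit trail and the withdrawals from the authorisation stream; the value of the correlation is that neither event looks suspicious on its own, while a limit removal followed by several withdrawals outside the issuing country within a day is exactly the shape of the scheme described here.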

The attacks were tied to the same group because of the common tools used, the distributed infrastructure, one-time-use components in the group's attack toolkit and specific withdrawal schemes – using unique accounts for each transaction.

"Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and Mail.ru free email services in the first.last@yandex.com format," Group-IB said.

To keep command-and-control communications from being noticed by security teams, MoneyTaker used SSL certificates whose fields carried well-known brand names (Bank of America, Federal Reserve Bank, Microsoft, Yahoo!) instead of random values. In the US, the group used the LogMeIn Hamachi solution for remote access, Group-IB said.
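A certificate that names a well-known brand in its subject but was never issued by a trusted CA is itself a detectable signal. The following is an added example, not code from the article or from Group-IB: it scans constructed records in the shape of Zeek's ssl.log (the `subject`, `issuer` and `validation_status` fields) and flags certificates that borrow a brand name while being self-signed or otherwise failing validation. The brand keyword list and the sample log lines are assumptions made for the illustration.

```python
"""Added example (not from the article or Group-IB): flag TLS server certificates
whose subject borrows a well-known brand name but which were not issued by a
trusted CA.  The input is constructed in the shape of a Zeek ssl.log (tab-separated
with a '#fields' header); the brand keyword list is an assumption."""

# Assumed watchlist of brand names; a real list would be tuned to the estate.
BRAND_KEYWORDS = ("bank of america", "federal reserve", "microsoft", "yahoo")

# Constructed sample log.  Only the fields this check uses are included.
SAMPLE_SSL_LOG = """#fields\tts\tid.resp_h\tid.resp_p\tsubject\tissuer\tvalidation_status
1462000000.1\t198.51.100.10\t443\tCN=www.microsoft.com,O=Microsoft Corporation,C=US\tCN=Example Public CA,O=Example CA Ltd,C=US\tok
1462000001.2\t203.0.113.7\t443\tCN=Bank of America,O=Bank of America,C=US\tCN=Bank of America,O=Bank of America,C=US\tself signed certificate
1462000002.3\t203.0.113.8\t8443\tCN=Federal Reserve Bank,O=Federal Reserve Bank,C=US\tCN=Yahoo!,O=Yahoo!,C=US\tunable to get local issuer certificate
1462000003.4\t10.0.0.5\t443\tCN=printer.corp.example,O=Example Corp,C=US\tCN=printer.corp.example,O=Example Corp,C=US\tself signed certificate
"""


def parse_dn(dn):
    """Turn 'CN=x,O=y,C=US' into {'CN': 'x', 'O': 'y', 'C': 'US'}.
    Simplified: does not handle escaped commas inside attribute values."""
    parts = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            parts[key.strip()] = value.strip()
    return parts


def parse_ssl_log(text):
    """Parse a Zeek-style TSV with a '#fields' header into a list of dicts."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def brands_in(dn_parts):
    """Brand keywords found in the CN or O attributes of a parsed DN."""
    haystack = " ".join(dn_parts.get(k, "") for k in ("CN", "O")).lower()
    return [b for b in BRAND_KEYWORDS if b in haystack]


def find_brand_impersonating_certs(text):
    """Alert on certificates that name a watched brand in the subject but are
    self-signed or did not validate against the trusted CA store."""
    alerts = []
    for rec in parse_ssl_log(text):
        brands = brands_in(parse_dn(rec["subject"]))
        if not brands:
            continue
        self_signed = rec["subject"] == rec["issuer"]
        if self_signed or rec["validation_status"] != "ok":
            alerts.append({
                "resp": f"{rec['id.resp_h']}:{rec['id.resp_p']}",
                "brands": brands,
                "validation_status": rec["validation_status"],
                "self_signed": self_signed,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_brand_impersonating_certs(SAMPLE_SSL_LOG):
        print(alert)
```

The check deliberately leaves alone the self-signed certificate on an internal printer, since self-signed certificates are common inside networks; it is the combination of a brand name with a missing or failed chain of trust that is unusual, because a genuine Microsoft or Bank of America endpoint would present a certificate chaining to a public CA.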

Graphic: courtesy Group-IB


Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.
