The role of the Internet in the world can’t be overstated. It provides access to information, lets people communicate with each other instantly and brings entertainment right to their fingertips. You name it and it’s there. However, it’s also used by con artists who are always looking for ways to make themselves richer at someone else’s expense. Hackers use the Web for their dirty deeds, and this time it’s a Russian-speaking group that has become the center of attention. And this isn’t a case of blaming everything on Russians – this group has actually stolen money from companies located there.
But it has decided not to limit itself and has also attacked firms in the UK and USA. According to a report by cybersecurity company Group-IB, MoneyTaker has removed overdraft limits on debit cards and taken money from cash machines. On top of that, it stole documentation for technology used by more than 200 banks in the USA and Latin America, which gives the hackers the ability to mount further attacks in the future. The investigation is currently ongoing, and Group-IB is cooperating with both Europol and the Russian government in an effort to trace the cybercriminals.
According to Kevin Curran, an independent expert and professor of cybersecurity at Ulster University, the attacks were “as sophisticated as it gets at this moment in time”. And MoneyTaker has really profited here. It carried out 16 attacks on US firms and banked an average of $500,000, and it has made even more from targeting Russian banks – $1.2m from three attacks since May 2016. In December 2016, MoneyTaker turned its attention to a software and service provider located in the UK, but the amount stolen from it is unknown at the moment.
What makes this group difficult to detect is that it changes its tools and tactics all the time and makes sure all of its traces are eliminated once an attack is finished. Its earliest known attack was on First Data’s Star network, a debit card processing system used by more than 5,000 banks. The con artists removed or increased cash withdrawal and overdraft limits on credit and debit cards. Once that was done, “money mules” were dispatched to withdraw money from cash machines.
The situation is made all the more remarkable by the fact that MoneyTaker has employed a combination of malware that was custom-written for the occasion and publicly available tools – like the code that was shown at the Russian cybersecurity conference ZeroNights in 2016 and Metasploit, a key tool for network administrators. According to Group-IB, “file-less” software was among them – this type of software resides in the computer’s memory rather than on the hard drive, which makes detection more difficult. There’s also at least one known case of the hackers using the home computer of a Russian bank’s system administrator to achieve their goals. They were able to breach the internal network through it and gain access to everything they needed. Nothing was stopping them from that moment on.
It should also be mentioned that MoneyTaker was employing secure socket layer (SSL) certificates. It didn’t stay on the same server for too long and changed them constantly. The SSL certificates appeared to be issued by big names like the Federal Reserve Bank. And the cybercriminals appear to be thinking ahead here, as they weren’t just stealing money – they also wanted to get their hands on internal banking system documentation, including transaction logs, internal instructions and administrator guides. That documentation, in particular, was stolen when the group compromised the Russian Interbank payment system, which is analogous to SWIFT.
The MoneyTaker group could be using that documentation to plan further attacks, according to Group-IB. It has also attacked OceanSystems’ FedLink card-processing system – a wire transfer product employed by more than 200 banks in the US and Latin America. All in all, MoneyTaker doesn’t discriminate and, in addition to banks and financial institutions, has targeted law firms and software vendors. In the USA, firms from California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia, and Florida have been affected.
When the hackers attacked the Russian Interbank payment system, they used a program named MoneyTaker v.5.0 (they have also adopted it as the name of their group). The tool allowed them to find payment orders and modify them, replacing the original payment details with fraudulent ones and erasing everything that might have raised suspicion. It’s said time and time again that companies should put protecting their sensitive data at the forefront, and these events prove it once more.
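The two manipulations described above, altered payment details and erased evidence, are exactly what a tamper-evident record store is meant to surface. The following Python example is added here and is not code from the article or from Group-IB; it assumes a hypothetical HMAC key and a few constructed payment orders, and chains an HMAC over each record so that a modified record, a deleted record, or a truncated tail no longer verifies.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical key for the demonstration only; in practice this would live in
# an HSM or a secrets manager, separate from the systems that store the orders.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample payment orders (not real transactions).
SAMPLE_ORDERS = [
    {"id": 1001, "payer": "ACME Ltd", "beneficiary": "Supplier A", "amount": "1500.00"},
    {"id": 1002, "payer": "ACME Ltd", "beneficiary": "Supplier B", "amount": "980.50"},
    {"id": 1003, "payer": "ACME Ltd", "beneficiary": "Payroll Co", "amount": "12000.00"},
]


def canonical(order):
    """Serialise an order deterministically so the same fields always give the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def seal_orders(orders, key=DEMO_KEY):
    """Return a list of records, each carrying an HMAC over the order and the previous tag.

    Chaining the previous tag into each HMAC means that removing or reordering a record
    breaks every tag after it, not just the tag of the record that was touched.
    """
    records = []
    prev_tag = b""
    for order in orders:
        tag = hmac.new(key, prev_tag + canonical(order), hashlib.sha256).hexdigest()
        records.append({"order": copy.deepcopy(order), "tag": tag})
        prev_tag = tag.encode()
    return records


def verify_chain(records, key=DEMO_KEY, head_tag=None):
    """Check every record's tag in order.

    Returns (True, None) if the chain is intact, or (False, index) where index is the
    first record that fails. If head_tag (the last tag seen by an independent monitor)
    is supplied, a chain that verifies but ends early is reported as failing at
    len(records), which catches records erased from the tail.
    """
    prev_tag = b""
    for i, rec in enumerate(records):
        expected = hmac.new(key, prev_tag + canonical(rec["order"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev_tag = rec["tag"].encode()
    if head_tag is not None and (not records or records[-1]["tag"] != head_tag):
        return False, len(records)
    return True, None


def demo():
    """Walk through the three manipulations a defender wants to detect."""
    sealed = seal_orders(SAMPLE_ORDERS)
    head = sealed[-1]["tag"]

    # 1. Beneficiary swapped on an existing order.
    altered = copy.deepcopy(sealed)
    altered[1]["order"]["beneficiary"] = "Mule account"
    # 2. A middle record erased.
    erased = sealed[:1] + sealed[2:]
    # 3. The most recent record erased; only the stored head tag reveals it.
    truncated = sealed[:2]

    return {
        "intact": verify_chain(sealed, head_tag=head),
        "altered": verify_chain(altered, head_tag=head),
        "erased": verify_chain(erased, head_tag=head),
        "truncated_no_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head_tag=head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points matter here. The chain only proves something if the key is held away from the systems the attacker reaches, otherwise a record can simply be re-sealed after editing; and trimming the newest records leaves a chain that still verifies, so the latest tag has to be copied to an independent monitor and compared against the store, which is what the `head_tag` argument stands in for.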
Employees shouldn’t open attachments that come with spam emails, even if they’re presented as important documents, and the security software installed on computers must be kept up to date and running at all times. It’s impossible to count on luck in matters such as this – con artists will find the gap in the system and make sure to exploit it. And the consequences might be absolutely disastrous. Millions of people use banking services every day, and if a bank’s security is compromised, its customers might lose their trust in it.
Only time will tell what MoneyTaker will do next, but, as of this moment, the group remains at large. Europol and Interpol are using the dossier provided to them by Group-IB and have every intention of finding those responsible for the crimes. But the hackers take great care to erase all traces of their activity, so it might take some time to make progress in this case. However, security researchers don’t just sit and watch it all happen – they do their part as well and are always on the lookout for solutions to various cyber threats.