Over the six months from August 2015 to February 2016, hackers using the Buhtrap virus carried out 13 successful attacks on Russian banks and stole 1.8 billion rubles, according to a report by Group-IB, a company that investigates computer crime.
The group of hackers using the Buhtrap virus has been active since October 2014, but the first attacks on banks themselves were recorded in August 2015; before that the group attacked only the banks' customers.
The hackers' method was to send mass emails purportedly on behalf of the Bank of Russia. The first mailing was recorded on 22 October 2015, according to the Group-IB report. Many Russian banks then received a letter from the mailbox firstname.lastname@example.org with the subject “Information for bank employees”, containing an MS Office document. Opening the document launched a program that searched the computer's browsing history for links related to online banking and banking software. If such links were found, the program downloaded the malware (Buhtrap) from the Internet and installed it. Most antivirus software did not detect the downloader as malicious, the Group-IB report said.
The hackers did not stop there. They learned of the existence of the “Antidrop” club, made up of representatives of banks' security services who share information about fraud. On December 18, 2015 the Buhtrap hackers sent out letters from the address email@example.com with the subjects “Urgent! Updated drop database” and “Database updated with new drops”, containing a link to a malicious file, according to the Group-IB report. But the banks' security staff quickly realized that the mailing was fraudulent, the report said.
The damage from the Buhtrap virus
600 million rubles — the largest single theft from a Russian bank in 2016
25.6 million rubles — the smallest single theft from a Russian bank in 2016
143 million rubles — the average amount of a successful theft from a bank
1 billion rubles — the amount of an attempted theft that was stopped in January 2016
Banks' annual spending on effective means of preventing attacks is 28 times less than the average direct damage from a single targeted attack.
In January of this year, the hackers sent a second mailing on behalf of the Central Bank, this time about a supposedly open vacancy. The letters came from the mailbox firstname.lastname@example.org, a modified version of the Central Bank's domain, with the subject “Vacancy in Central Bank” and an infected MS Office document (Buhtrap). Asked by RBC, the Central Bank's press service replied that the address email@example.com does not belong to the Central Bank. “Upon discovering this mailing, the Bank of Russia sent the information to the police. The Bank of Russia's center for monitoring and responding to computer attacks in the financial sphere (FinCERT) sent the relevant information to the participants in its information exchange,” the press service said.
According to Dmitry Kuznetsov, Director of Methodology and Standardization at Positive Technologies (an information security company), another hacker mailing to banks was recorded on 14 March. To send the emails, the hackers registered the domain fincert.net, which bankers associate with FinCERT, a structural unit of the Bank of Russia's Main Directorate of Security and Information Protection that has no website of its own.
“This is social engineering, a common technique that hackers use when they need to gain access to the computers of a certain category of an organization's employees,” says Kuznetsov.
This year two banks, Metallinvestbank and the Russian International Bank, have suffered hacker attacks that forced them to disconnect for some time from BESP (Bank Electronic Urgent Payments).
On 5 March RIA Novosti, citing a source in law enforcement, reported that hackers had taken more than 677 million rubles from Metallinvestbank's accounts. Metallinvestbank's press service later stated that the bank's losses from the hacker attack amounted to RUB 200 million: “the amount the attackers tried to steal is less than 1% of the bank's assets, and the amount of losses is less than the bank's profit since the beginning of 2016, which is more than 400 million,” the press release stated.
The Russian International Bank was attacked on January 21, reported the portal Banki.ru, citing the bank's president Grigory Afanasiev. “The crooks fired off several thousand debit orders from the bank's correspondent accounts, addressed to about 60 other banks; the money was then transferred mainly to individuals,” Afanasiev explained. Because the bank's “Antikiller” program, designed to block the attack, was triggered, the source of the virus inside the bank could not be determined, Afanasiev said.