2015/11/24 Russian financial cybercrime: how it works - Securelist
https://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/ 1/28
Russian financial cybercrime: how it works
By Ruslan Stoyanov on November 19, 2015, 10:57 am

Introduction

The Russian-language cybercrime market is known all over the world. By ‘Russian-language market’ we mean cybercriminals who are citizens of the Russian Federation and some former USSR countries, predominantly Ukraine and the Baltic states. Why is this market known worldwide? There are two main factors: the first of these is frequent global media coverage of the activity of Russian-language cybercriminals. The second is the open accessibility of online platforms used by the cybercriminal community for communications, promoting a variety of “services” and “products” and discussing their quality and methods of application, if not for making actual deals.

Over time, the range of “products” and “services” available through this underground market has evolved, becoming more focused on financial attacks, and with an ever-increasing level of sophistication. One of the most common types of cybercrime was (and still is) the turnover of stolen payment card data. With the emergence of online stores and other services involving e-payment transactions, DDoS attacks and financial cybercrime have become especially popular with the fraudsters whose main targets are users’ payment data or the theft of money directly from user accounts or companies.
Attacks on users’ and companies’ e-wallets were initiated by the Trojan ibank in 2006; then came ZeuS (2007) and SpyEye (2009), followed by the groups Carberp (2010) and Carbanak (2013). And this list is incomplete; there are more Trojans out there, used by criminals to steal users’ money and data.
With online financial transactions becoming more common, the organizations supporting such operations are becoming more attractive to cybercriminals. Over the last few years, cybercriminals have been increasingly attacking not just the customers of banks and online stores, but the enabling banks and payment systems directly. The story of the Carbanak cybergroup, which specializes in attacking banks and was exposed earlier this year by Kaspersky Lab, is a clear confirmation of this trend.
Kaspersky Lab experts have been monitoring the Russian hacker underground since it first emerged. Kaspersky Lab regularly issues reports on financial cyberthreats which track changes in the number of financial malware attacks carried out over time. Information on the number of attacks may indicate the extent of the problem but does not reveal anything about who creates them and how. We hope that our review will help to shed light on this aspect of financial cybercrime.
The data presented in this article is compiled from dozens of investigations that Kaspersky Lab experts have participated in over the last few years, as well as their many years’ experience observing the Russian cybercrime market.
Situation overview

According to Kaspersky Lab, between 2012 and 2015, law enforcement agencies from a number of different countries, including the United States, Russia, Belarus, Ukraine and the EU, arrested over 160 Russian-speaking cybercriminals who were members of small, medium-sized and large criminal groups. They were all suspected of being engaged in stealing money using malware. The total damage resulting from their worldwide activity exceeded $790 million. (This estimate is based both on the analysis of public information about the arrests of people suspected of committing financial cybercrime in the period between 2012 and 2015 and on Kaspersky Lab’s own data.) Of this sum, about $509 million was stolen outside the borders of the former USSR. Of course, this figure only includes confirmed losses, the details of which were obtained by law enforcement authorities during the investigation. In reality, cybercriminals could have stolen a much larger amount.
[Figure: The number of arrests of Russian-speaking cybercriminals as officially announced during the period 2012 to 2015]
Since 2013, Kaspersky Lab’s Computer Incidents Investigation team has participated in the investigation of more than 330 cybersecurity incidents. More than 95% of these were connected with the theft of money or financial information.
Although the number of arrests of Russian-language criminals suspected of financial cybercrime increased significantly in 2015 compared with the previous year, the cybercriminal market is still “crowded.” According to Kaspersky Lab experts, over the last three years Russian-language cybercrime has recruited up to a thousand people. These include people involved in the creation of infrastructure, and writing and distributing malware code to steal money, as well as those who either stole or cashed the stolen money. Most of those arrested are still not in prison.
We can calculate fairly precisely the number of people who make up the core structure of an active criminal group: the organizers, the money flow managers involved in withdrawing money from compromised accounts, and the professional hackers. Across the cybercriminal underground, there are only around 20 of these core professionals. They are regular visitors of underground forums, and Kaspersky Lab experts have collected a considerable amount of information that suggests that these 20 people play leading roles in criminal activities that involve the online theft of money and information.
The exact number of groups operating across Russia and its neighboring countries is unknown: many of those involved in criminal activities participate in several thefts and then, for various reasons, cease their activity. Some participants of known but apparently disbanded groups continue their criminal activities as part of new groups.
Kaspersky Lab’s Computer Incidents Investigation Department can now confirm the activity of at least five major cybercriminal groups specializing in financial crimes. These are the groups whose activities have been monitored by the company’s experts over the last few years.
All five groups came to the attention of the company’s experts in 2012-2013, and are still active. They each number between ten and 40 people. At least two of them are actively attacking targets not only in Russia but also in the USA, the UK, Australia, France, Italy and Germany.
Since the investigation into these groups has not been completed, it is not possible to publish more detailed information on their activities. Kaspersky Lab continues to investigate their activity and is cooperating with the law enforcement agencies of Russia and other countries in order to curb their cybercriminal business.
Investigation into the activities of these groups has allowed Kaspersky Lab experts to form an idea about their methods of operation and the structure of the cybercriminal market.

The structure of the Russian-language cybercriminal market

“A range of products and services”

The cybercriminal market usually comprises a set of “services” and “products”, used for various illegal actions in cyberspace. These “products” and “services” are offered to users of dedicated online communities, most of which are closed to outsiders.
The “products” include:
Software designed to gain unauthorized access to a computer or a mobile device, in order to steal data from an infected device or money from a victim’s account (the Trojans);
Software designed to take advantage of vulnerabilities in the software installed on a victim’s computer (exploits);
Databases of stolen credit card data and other valuable information;
Internet traffic (a certain number of visits to a customer-selected site by users with a specific profile).
The “services” include:
Spam distribution;
Organization of DDoS attacks (overloading sites with requests in order to make them unavailable to legitimate users);
Testing malware for antivirus detection;
“Packing” of malware (changing malicious software with the help of special software (packers) so that it is not detected by antivirus software);
Renting out exploit packs;
Renting out dedicated servers;
VPN (providing anonymous access to web resources, protection of the data exchange);
Renting out abuse-resistant hosting (hosting that does not respond to complaints about malicious content, and therefore does not disable the server);
Renting out botnets;
Evaluation of the stolen credit card data;
Services to validate the data (fake calls, fake document scans);
Promotion of malicious and advertising sites in search results (Black SEO);
Mediation of transactions for the acquisition of “products” and “services”;
Withdrawal of money and cashing.
Payments for such “products” and “services” on the cybercriminal market are generally made via an e-payment system such as WebMoney, Perfect Money, Bitcoin and others.
All of these “products” and “services” are bought and sold in various combinations in order to enable four main types of crime. These types can also be combined in various ways depending on the criminal group:

DDoS attacks (ordered or carried out for the purpose of extortion);
Theft of personal information and data to access e-money (for the purpose of resale or money theft);
Theft of money from the accounts of banks or other organizations;
Domestic or corporate espionage;
Blocking access to data on the infected computer for the purpose of extortion.
According to Kaspersky Lab experts, the theft of money is currently the most widespread type of crime. The rest of this report therefore focuses on this segment of the Russian-language cybercrime market.

The “labor market” of financial cybercrime

The variety of skills required for the creation of “products” and the provision of “services” has given rise to a unique labor market of professionals involved in financial cybercrime.

The list of key roles is almost exactly the same as that seen in any IT-related company:

Programmers / encoders / virus writers (for the creation of new malicious software and modification of existing malware);
Web designers (for the creation of phishing pages, emails, etc.);
System administrators (for the construction and support of the IT infrastructure);
Testers (to test the malicious software);
“Cryptors” (responsible for the packing of malicious code to bypass antivirus detection).
The list does not include the heads of the criminal groups, the money flow managers engaged in withdrawing money from compromised accounts, and the heads of money mules supervising the process of cashing the stolen money. This is because the relationship between these elements of the criminal groups is not an employer-employee one, but more of a partnership.
Depending on the type and extent of the criminal enterprise, the heads of the groups either employ “staff” and pay them a fixed salary, or work with them on a freelance basis, paying for a particular project.
[Figure: An offer of employment posted on a semi-closed forum inviting a programmer to join a cybercriminal group. The job requirements include experience in writing complex bots.]
“Employees” are recruited either via sites where those involved in criminal activity traditionally gather, or via resources for those interested in non-standard ways of making money online. In some cases, the ads are placed on mainstream job search sites or on the labor exchanges for remote employees.
In general, employees involved in cybercrime can be divided into two types: those who are aware of the illegality of the project or the work they are offered, and those who (at least in the beginning) know nothing about it. In the latter case, these are usually people performing relatively simple operations such as copying the interface of banking systems and sites.
By advertising “real” job vacancies, cybercriminals often expect to find employees from the remote regions of Russia and neighboring countries (mostly Ukraine), where problems with employment opportunities and salaries for IT specialists are quite severe.
[Figure: A fraudster has advertised a job vacancy for Java / Flash specialists on a popular Ukrainian website. The job requirements include a good level of programming skills in Java and Flash, knowledge of JVM / AVM specifications, and others. The organizer offers remote work and full employment with a salary of $2,500.]
The idea of searching for “employees” in these regions is simple – they carry a saving because staff can be paid less than employees based in large cities. Criminals also often give preference to candidates who have not previously been involved in cybercrime activity.
Often, such job offers are presented as legitimate work, with the true purpose of the work only becoming clear once the task is received.

[Figure: In this example, the organizer of the criminal group offers a job to a JavaScript programmer, masking it under a vacancy at a “Web innovation studio specializing in the development of highly sophisticated Internet applications.”]

In the case of illegal job search sites, less experienced candidates are expected.
[Figure: This vacancy invites a C++ developer to develop “custom” software. In this context “custom” software means malicious software.]
The second reason in favor of remote “personnel” is the organizer’s aim of making the activity of the group as anonymous as possible, and of ensuring that no single contractor possesses complete information about the group.
Options for organizing a criminal group

Criminal groups involved in stealing money, or financial information that will enable them to get access to money, differ in the number of participants and scope of activities. There are three main types of involvement:

Affiliate programs
Single dealers, small and middle-sized groups (up to ten members)
Large organized groups (ten or more participants)
This division is nominal. The scale of the group’s activity depends on the skillfulness of its participants, their ambition and the overall level of organizational abilities. In some cases, Kaspersky Lab experts came across relatively small criminal groups performing tasks that usually require a greater number of participants.
Affiliate programs
Affiliate programs are the easiest and least expensive method of getting involved in cybercrime activities. The idea behind an affiliate program is that the organizers provide their “affiliates” with almost all the tools they need to commit a crime. The task of the “affiliates” is to generate as many successful malware infections as possible. In return, the owner or owners of the affiliate program share the income received as a result of these infections with the affiliates. Depending on the type of fraudulent scheme this could be a share of:

The sums stolen from the accounts of Internet banking users;
The money paid by the user as a ransom when cybercriminals use ransomware Trojans;
The money stolen from the “prepaid” accounts of mobile device users by sending out SMS messages to premium mobile numbers with the help of a malicious program.
Creating and supporting an affiliate program for the purpose of stealing money is a cybercrime committed, as a rule, by a group of users. However, such projects are often carried out by large organized groups, whose activity is analyzed later in this document.
[Figure: This advertisement announces the launch of the beta testing of an affiliate program used to distribute encrypting ransomware. Judging by its characteristics, the group’s activity is focused on companies located in the US and the UK. This is indicated by the comment saying that the malware distributed via the partner network is able to encrypt files with 80 different extensions, many of which are files of applications used in companies. The text on requirements for candidates to participate in testing includes a demonstration of the presence of traffic or downloads from the United States and the United Kingdom.]
According to Kaspersky Lab experts, affiliate programs are becoming less popular with Russian-language cybercriminals. The main driver of their popularity had been fraudulent schemes used to infect users’ mobile devices with malicious programs which then sent out SMS messages to premium numbers. However, in the spring of 2014, the Russian regulator introduced new requirements for the organization of such services, which included a need to secure additional confirmation of subscription to a particular paid mobile service. This change was instrumental in reducing the number of malicious mobile partner programs to practically zero. Nevertheless, this type of joint cybercriminal activity is still used by groups specializing in the distribution of encrypting ransomware.

Small groups
What distinguishes this form of cybercriminal activity from an affiliate program is that in this instance the criminal or criminals organize their own fraudulent scheme. Most of the components needed for the attack, such as malware and its modifications (“repacked” malware), the traffic, the servers, etc., are bought on the black market. Often, members of such groups are not experts in the field of computer and network technologies; they learn about the components and organization of financial attacks from public sources, usually forums. The abilities of such groups can be restricted by a number of factors. Specifically, the use of widely available malware results in rapid detection by security solutions. This, in turn, makes cybercriminals invest more money in the distribution of malware and in its “repacking” to bypass detection. The end result is a significant drop in profits for the attacker.
Mistakes made by this type of cybercriminal often result in their identification and arrest. However, as a relatively low-cost entry into the world of cybercriminal activity (from $200), this “amateur” format continues to attract new dealers.
An example of such an “amateur” criminal organization is the group that in 2012 was convicted by the Russian court for stealing more than 13 million rubles (then worth about $422,000) from a Russian bank’s online customers. During a comprehensive investigation, Kaspersky Lab experts were able to collect the information that allowed law enforcement authorities to identify those behind the theft.

The court sentenced two members of the criminal group, giving each a suspended sentence of four and a half years. However, this verdict did not stop the criminals, and they continued to commit crimes, stealing almost as much again over the next two and a half years. They were re-arrested in May 2015.
Large organized criminal groups
Large criminal groups differ from the other players, both through a larger scale of activity and through a more thorough approach to the organization and operation of criminal schemes. Such groups can comprise up to several dozen people (not including money mules used for cashing and “laundering” money). The targets of their attacks are not limited to individual online banking customers: they also attack small and medium-sized companies, while the largest and most sophisticated of them, such as Carbanak, focus mostly on banks and e-payment systems.
The operational structure of large groups differs significantly from that of smaller groups. To a certain extent, the structure reflects that of an ordinary, average-sized company engaged in software development.
In particular, large groups have some form of regular staff – a group of associates who perform organizational tasks in return for a regular, fixed payment. However, even in these large, professional groups some of the tasks are passed to third-party contractors. For example, the “repacking” of malware can be performed by the staff or hired virus writers, or via third-party services where the process is automated with the help of special software. The same is true for many other elements of the IT infrastructure required for committing crime.
Examples of large, organized criminal groups are Carberp, whose members were arrested in Russia and Ukraine in 2012 and 2013 respectively, and Carbanak, unmasked by Kaspersky Lab in early 2015.
Although the damage from the activity of partner programs and small groups can run into hundreds of thousands of dollars, the large criminal groups are the most dangerous and destructive. The estimated damage caused by Carberp reaches several hundred million dollars (up to a billion). In this regard, studying how these groups function and the tactics they use is extremely important, as it strengthens our ability to effectively investigate their activity and – ultimately – to suppress it.

Distribution of roles in a large cybercriminal group

A major financial cybercrime undertaken by criminal “experts” in security and the finance sector can result in multimillion dollar losses for attacked organizations. As a rule, such crimes are preceded by many months of preparation. This preparation includes constructing complex infrastructure, and selecting and developing malicious software, as well as a thorough study of the target organization in order to clarify the details of its internal operations and security vulnerabilities. Each member of the criminal group has their own responsibilities.
The following role distribution is typical for a criminal group involved in stealing money. The distribution of roles in groups that specialize in other types of cybercrime may be different.
Virus writer/Programmer
A virus writer or programmer is responsible for creating malicious programs, i.e. the programs that allow the attackers to gain a foothold in the corporate network of the target organization, download additional malware that will help to obtain the necessary information, and ultimately steal money.
The significance of this group member and the nature of their relationship with the organizers may vary from group to group. For example, if the group uses ready-made malware taken from open sources or bought from other virus writers, their functions may be limited to setting up and modifying malicious programs to work in the infrastructure created specifically for a certain cybercrime, or to adapting it for attacks on specific institutions. The most advanced groups, however, tend to rely on their own “developments”, since this makes a malicious program less visible to most security solutions and provides more opportunities for malware modification. Where this is the case, the virus writer’s role becomes more important, as they are responsible for the architecture and feature set of a malicious program.
A virus writer can also take on responsibility for malware “repacking”. But this happens only when the organizer wants to keep the maximum number of tasks within the group, and where original software is used for malware “repacking”. In most cases, however, this procedure is shifted to third-party contractors or packing services.
Testers
The function of testers in a criminal group is not that different from testers working in legal IT companies. In both cases, testers receive from their managers the specifications for testing programs in different environments (different versions of operating systems, different sets of installed applications, etc.) and execute them. If a fraudulent scheme involves fake interfaces of remote banking or e-payment systems, the task of testers also includes monitoring the correct operation of these fakes.
Web designers and web programmers

Typically, web designers and web programmers are remote employees, whose tasks include creating phishing pages and websites, fake application interfaces and web injects, all of which are used to steal data to get access to e-payment and e-banking systems.
Distributors
Distributors aim to ensure the download of malicious software on as many devices as possible. The result is achieved by using several tools. Generally, the group organizer determines the profile of the users to be infected and buys the required type of traffic from the so-called traffic providers (services to attract users with certain characteristics to a particular website).
[Figure: An advert offering to buy traffic. Cybercriminals are willing to pay only for the successful installation of malicious software, at $140 per 1000 “callbacks” (a message that is sent by the malware to the command server after a successful infection).]
The organizer can choose and order a spam mailing that will contain either an infected attached file or a link taking a victim to a malicious website. The organizers can also choose a site with the necessary target audience, and involve hackers in breaking into it and placing the exploit pack on it. Of course, all these tools can be used in combination with each other.
Hackers
Often, in the course of an attack, the exploits and other malicious software the organizer has to hand are not enough to infect all the computers necessary for the attack and to anchor in them. It may become necessary to hack into a specific computer or site. In such cases, the organizers involve hackers, people who have considerable skills in information security and are able to perform non-standard tasks. In many of the cases examined by Kaspersky Lab experts, hackers were occasionally involved and were paid on a fee-for-service basis. However, if hacking is required regularly (e.g., for targeted attacks on financial institutions), a hacker becomes a “team member” and is often one of the cybercriminal group’s key participants, along with the organizers and money flow managers.
System administrators
System administrators in cybercriminal groups perform near-identical tasks to their counterparts in legitimate businesses: they implement the IT infrastructure and maintain it in working condition. Cybercriminal system administrators configure management servers, buy abuse-resistant hosting for servers, ensure the availability of tools for anonymous connection to the servers (VPN) and resolve other technical challenges, including the interaction with remote system administrators hired to perform small tasks.
Call services
Social engineering is important for the success of the cybercriminal business, especially when it comes to attacks on organizations that result in the theft of huge sums of money. In most cases, even if the attackers are able to establish control over the computer from which the transaction could be performed, confirmation of its legitimacy is required to successfully complete the operation. This is what the “call service” is for. At the specified time, its “employees” play the role of an employee of the attacked organization or of a bank with which the organization works, and confirm the legitimacy of the transaction.
“Call services” can participate in a particular cybercrime either as a subdivision of the criminal group, or as a third-party organization performing a specific task on a fee-for-service basis. The forums that users involved in cybercrime use to communicate with each other carry plenty of ads offering such services.
[Figure: This advertisement offers “call services” in English, German, Dutch and French. The group specializes in calls to Internet stores and banks, as well as to duped mules. The group also offers the quick creation of local toll-free numbers used to imitate support services in fraudulent schemes, receiving SMS messages, and receiving and sending faxes. The criminals ask from $10 to $12 for one call, $10 for receiving SMS and from $15 for creating toll-free numbers.]
According to Kaspersky Lab, large cybercriminal groups prefer to have their own “call services”, so they hardly ever turn to third-party providers.

Money flow managers
Money flow managers are members of the cybercriminal group who come into play when all the technical tasks for organizing the attack (choosing and infecting the target and anchoring in its infrastructure) are fulfilled, and everything is ready to commit the theft. Money flow managers are the people who withdraw money from compromised accounts. However, their participation is not limited to pressing the keys; they play a key role in the whole process.
Money flow managers usually thoroughly understand the internal rules of the attacked organization (they even know the lunch hours of the employee from whose computer the fraudulent transaction will be made). They know how the automated anti-fraud systems operate and how to bypass them. In other words, in addition to their criminal role as thieves, money flow managers perform “expert” tasks that are difficult or impossible to automate. Perhaps because of this special status, money flow managers are one of the few members of the criminal group who receive a percentage of the stolen money rather than a fixed “salary”.
Money flow managers often perform as botnet operators, i.e. members of the criminal group who analyze and classify the information obtained from infected computers (the access to remote banking services, the availability of money on the accounts which could be accessed, the organization where the infected computer is located, etc.).
Besides money loaders, these “working conditions” areonly shared by the leaders of mule projects.
Head of Mules (Mule “project” leader)
The head of mules is a representative of the criminal group working closely with the people involved in the process of stealing money. The function of the mules is to get the stolen money, cash it and transfer to the criminal group its due share. To do this, the head of mules builds their own infrastructure, which consists of legal entities and individuals with their own bank accounts, to which the stolen money is transferred and from which it is later withdrawn and moved into the pockets of the fraudsters. The mule project leader cooperates with the organizer of the criminal group, and provides them with the numbers of the accounts to which the money loader sends the stolen money. Both mule project leaders and money flow managers work on commission which, according to the information obtained by Kaspersky Lab during the course of investigation, can amount to half the sum stolen.
Mule “projects”
Mule projects are a vital component of any financial cybercrime. Such groups comprise one or more organizers and up to several dozen individual mules.
A mule (or drop) is a holder of a means of payment who, on command from the money mules manager, cashes the money received into an account they hold, or transfers it to another account as specified by the money mules manager.
Mules can be divided into two types: duped and non-duped. Duped mules are people who, at least at the beginning of their cooperation with the money mules manager, do not realize they are involved in a criminal scheme. As a rule, the task of getting and transferring money is presented to them under some plausible pretext. For example, the money mules manager can establish a legal entity and appoint to an executive position (the general or financial director, for example) a person who will perform the functions of the duped mule, such as signing corporate documents which will, in fact, serve as a legal screen for withdrawing stolen money.
Non-duped mules are well aware of the real purpose of the money mules manager’s tasks.
The options used by the mule projects to withdraw money are manifold. Depending on the amount of money stolen, they may include individual credit card holders ready to cash money and give it to the representative of the money mules manager for a small fee, or specially created legal entities, whose representatives open “salary projects” (credit cards for transferring the salaries of company employees) at their corporate bank.
Yet another common method for constructing a mule scheme is for non-duped mules to open dozens of accounts at different banks.
This advert offers sets of payment cards (the card, the documents based on which the card was issued, and the SIM card with which the bank account of the card is associated) that can be used for cashing stolen money. For sale are cards issued by Russian banks and banks from neighboring countries, as well as banks from countries in Europe, Asia and the United States. The Momentum-type set costs 3000 rubles (less than $50); the set with the Platinum card costs eight thousand rubles (about $120).
When the theft occurs outside of Russia, the role of the non-duped mules is performed by a citizen or group of citizens of an Eastern European country, who within a short period of time visit several countries on the continent and in each of them open accounts in their names. Then the non-duped mules provide the money mules manager with the data to access all these accounts. These accounts are used later to withdraw the stolen money.
An example of an ad offering for sale a list of companies registered in the Russian Federation and in offshore zones. The services of the cybercriminals cost from $560 to $750.
Stuffers
The word “stuffer” comes from the word “stuff” (a colloquial word for “goods”). One way to withdraw stolen money is by buying goods in e-stores with the stolen money, reselling them and returning to the fraudsters their due percentage. This is done by the stuffers, members of the cybercriminal groups engaged in spending money from compromised accounts on purchasing goods in online stores.
In fact, a stuffer is a variation of the money flow manager. Withdrawing money by purchasing goods is generally practiced if the stolen sums are relatively small. As a rule, the stuffers work in a team with the fences. Working “in tandem” often involves purchasing a certain type of goods, sometimes from a specific manufacturer or a clearly defined model.
Organizer
If we consider cybercrime as a project, the organizer of the criminal group is its general manager. Their duties usually include financing the preparatory phase of the attack, allocating tasks to executors, monitoring their performance and interacting with third-party agents such as mule projects and call services (if the group does not have its own). The organizer determines the targets for attacks, selects the necessary “specialists” and negotiates with them.
Stages of the attacks
It should be noted that the above classifications are not set in stone. In some cases, a single member of the criminal group can combine several roles. Nevertheless, regardless of how many people execute them, each of the roles described can be found when investigating almost every money-related cybercriminal incident. Here’s how they work in “real time.”
1. Exploration. When it comes to targeted attacks on a specific company, the organizer first instructs the contractors to collect information about the company, which will help to develop a plausible social engineering scheme for the first stage of the attack. If we are talking about an attack on individual users, the preliminary exploration stage is skipped or limited to choosing a “target audience” for the attack (for example, the users of the online banking service of a specific bank) and creating phishing emails and phishing sites with relevant content.
2. Infection. Penetration of the corporate network is performed by spear-phishing or a phishing mass mailing that contains an attachment with a special document or a malicious web link. Opening the attachment or following the link leads to malware infection. Often, infection occurs automatically without the user’s awareness or participation: after clicking on the link, a malicious program is automatically downloaded onto the user’s computer (drive-by download) and runs on it.
In other cases, infection is carried out via compromised popular sites on which a tool is placed that invisibly redirects users to a third-party site containing a set of exploits. Once on this site, the user will be infected with malware.
Once inside the system, cybercriminals use a number of malicious tools to consolidate their presence. For example, they ensure that the malware is reinstalled on the compromised organization’s internal hosts when the organization’s security software deletes the previous version. In addition, attackers often install software within the attacked organization’s infrastructure that provides easy access to the internal corporate network from outside.
3. Exploration and implementation. Programs for remote, hidden administration and management are downloaded onto compromised computers. They are used by cybercriminals to gain system administrators’ credentials. Legitimate programs for remote management and administration, whose functionality is familiar to many users, are often used for this.
4. Money theft. In the final stage, cybercriminals access the financial systems of the targeted organization and transfer money from its accounts to the accounts of the mule projects or withdraw money directly at ATMs.
Conclusion
Financial cybercrime backed by Russian-speaking criminals has become widespread in recent years and this growth is due to a number of causes. The main ones are:
- Not enough qualified staff in law enforcement agencies;
- Inadequate legislation allowing criminals in many cases to avoid responsibility or to receive a lighter sentence;
- A lack of established procedures for international cooperation between law enforcement agencies and expert organizations in different countries.
Unlike the real world, a robbery in cyberspace usually goes unnoticed and there is a very small window for collecting digital evidence after the crime. Further, criminals have no need to stay in the country where the crime is committed.
Unfortunately, for Russian-speaking cybercriminals current conditions are more than favorable: the risk of prosecution is low while the potential rewards are high. As a result, the number of crimes and the damage caused by them is growing, and the market for cybercriminal services is gaining momentum.
The lack of established mechanisms for international cooperation also plays into the hands of criminals: for example, Kaspersky Lab experts know that the members of some criminal groups permanently reside and work in Russia’s neighbors, while the citizens of the neighboring states involved in criminal activity often live and operate in the territory of the Russian Federation.
Kaspersky Lab is doing everything possible to terminate the activity of cybercriminal groups and encourages other companies and law enforcement agencies in all countries to cooperate.
The international investigation of Carbanak’s activity, initiated by Kaspersky Lab, is the first example of successful international cooperation. If the world is to see a serious and positive change there should be more such cases.
Reference. What is Kaspersky Lab Computer Incidents Investigation?
Kaspersky Lab is a well-known developer of anti-malware security solutions. But the company provides comprehensive protection, and this also includes services for computer incident investigation.
Evidence of an incident, mainly presented in the form of digital data, needs to be collected and recorded so that there are no grounds for doubt in the investigation and trial when a victim makes a court application.
Kaspersky Lab Computer Incidents Investigation is responsible for:
- Responding to IT security incidents and providing a quick analysis of the situation;
- Collecting digital evidence and determining the circumstances of IT security incidents in accordance with established procedures;
- Analyzing the evidence collected, searching the Internet for information related to the circumstances of the incident and recording it;
- Preparing materials for the victim’s application to law enforcement agencies;
- Providing expert support to investigative operations.
A huge amount of data is processed when responding to IT security incidents and supporting investigative operations. The analysis of this data, in combination with statistics on detected malicious objects, identifies the trends of criminal behavior in cyberspace.
The Kaspersky Lab Computer Incidents Investigation Department was established in 2011 and involves six forensic experts.
THERE IS 1 COMMENT
John, posted on November 19, 2015, 2:00 pm
Superb article which nicely sets out the structure and operation of these criminal networks. I have distributed a link to this article to several of my clients in the UK.
Keep up the good work.