Hackers devised a new money-theft scheme, stealing 250 million rubles

Group-IB has revealed a new type of fraud with which criminals stole money from bank accounts.

UPDATE of 11/24/2015: some additional information appeared on Forbes.com (see below).

Because the key steps were carried out at ATMs, the scheme was named “ATM reverse”, or “reverse reversal”. In the scheme described, the offender obtained a non-personalised (unnamed) payment card, topped it up and immediately withdrew the deposited money at an ATM, requesting a receipt for the transaction.

The transaction details were then passed to an accomplice (or accomplices) with access to malware-infected POS terminals, which were often located outside Russia. Using the transaction code printed on the receipt, a reversal of the cash-withdrawal operation was submitted through one of those terminals. Once the operation was reversed, the card balance was instantly restored (in the bank's processing system this looked like a refund for returned goods), and the attacker had the “cancelled” money back on the account. The criminals repeated these steps many times, until the ATMs ran out of cash.

According to Group-IB, five large Russian banks, which it did not name, suffered as a result. In total the criminals stole about 250 million rubles, while the potential damage is estimated at more than 1 billion rubles. Banks managed to prevent further thefts of this kind only after developing and deploying protective measures together with the Visa and MasterCard payment systems.

There was almost certainly someone among the fraudsters who was familiar with the processing of one of the affected banks. According to a representative of one large bank, the attackers exploited a weakness in the issuing bank's processing centre, which did not verify all the data during a reversal. “An additional check could have detected that the money was dispensed in one country while the operation was cancelled in another,” the expert noted.
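As an added illustration, not part of the article or of Group-IB's materials: a reversal-matching rule of the kind the experts describe, run over constructed transaction records. The field names, the reference/terminal model and the sample values are assumptions; real processing uses ISO 8583 fields with other names.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Txn:
    ref: str          # reference tying a reversal to its original authorisation (assumed)
    kind: str         # "withdrawal" or "reversal"
    amount: int       # minor units (kopecks)
    terminal_id: str  # terminal that sent the message
    country: str      # country of that terminal / its acquirer

def check_reversal(rev, originals, reversed_refs):
    """originals: ref -> withdrawal; reversed_refs: refs already reversed.
    Returns (accepted, reason)."""
    orig = originals.get(rev.ref)
    if orig is None or orig.kind != "withdrawal":
        return False, "no matching withdrawal for this reference"
    if rev.ref in reversed_refs:
        return False, "withdrawal already reversed"
    if rev.amount > orig.amount:
        return False, "reversal amount exceeds original"
    # The checks the article says were missing: the cash was dispensed by one
    # terminal in one country, but the reversal arrived from another.
    if rev.terminal_id != orig.terminal_id:
        return False, "reversal sent from a different terminal"
    if rev.country != orig.country:
        return False, "reversal sent from a different country"
    return True, "ok"

def process(withdrawals, reversals):
    """Apply a batch; returns [(ref, accepted, reason)] in input order."""
    originals = {w.ref: w for w in withdrawals}
    reversed_refs = set()
    results = []
    for rev in reversals:
        ok, why = check_reversal(rev, originals, reversed_refs)
        if ok:
            reversed_refs.add(rev.ref)
        results.append((rev.ref, ok, why))
    return results

# Constructed sample data, not real transactions.
WITHDRAWALS = [
    Txn("A1", "withdrawal", 5_000_000, "ATM-RU-01", "RU"),  # 50 000 rubles
    Txn("A2", "withdrawal", 1_000_000, "ATM-RU-01", "RU"),
]
REVERSALS = [
    Txn("A1", "reversal", 5_000_000, "POS-US-17", "US"),  # pattern from the article
    Txn("A2", "reversal", 1_000_000, "ATM-RU-01", "RU"),  # legitimate, same terminal
    Txn("A2", "reversal", 1_000_000, "ATM-RU-01", "RU"),  # replayed reversal
]
RESULTS = process(WITHDRAWALS, REVERSALS)
```

The first reversal is rejected on the terminal check before the country check is reached; a processing system would normally log both mismatches for the fraud team.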

Update:
Valery Baulin, head of the Computer Forensics Laboratory at Group-IB:
“The attackers learned to exploit a certain, so to speak, vulnerability, which stemmed from the way issuing banks, acquirers and payment systems interact. So to say for certain on whose side the vulnerability lay is probably impossible and wrong. This was done to simplify relationships and mutual settlements and to speed up transactions. The attackers knew about this, about some such simplified verification schemes, and were able to use it.”

Which banks were hit, and whether the criminals have been detained, has not yet been disclosed in the interests of the investigation.

Maxim Emm, expert in the field of information security and technology:
“We are talking about the fact that in any payment system, including Visa and MasterCard, there is the possibility both to withdraw money and to return money. In this case the attackers took advantage of the fact that, for a number of banks, it was possible to withdraw money at one terminal and to issue the money-back transaction from another terminal, one that was controlled by the attackers; this was the vulnerability. Finding these transactions was difficult enough, because no one reported losses. That is, they could only be found by comparing the debits and credits on the card accounts, and there were a lot of transactions, so by the time they figured it out, probably, such an amount of money, 250 million, had flowed away. Protection from this threat is, in general, inexpensive; it is just a reconfiguration of the rules in the bank's processing. If the information system supports such rules, and most processing systems do, it is quite simple to set up, and this loophole will be closed, and all clients will be spared this kind of problem. In fact, it was not the customers who lost the money; the banks lost it, so, in general, the banks will sort it out quickly enough. These cybercriminals understood in great detail the rules of the payment system, the rules for forming a transaction, both a debit and a top-up, and the cancellation of that debit. And, most likely, they understood in detail how processing in banks works. Perhaps some of the attackers used to work in a company that develops processing services, or in a bank. So this is a rather sophisticated attack, which was identified fairly quickly. I think that most banks will now introduce such checks on the basis of this information.”

Based on materials from RBC, SecurityLab and BFM.RU.

UPDATE of 11/24/2015, additional information appeared on Forbes.com:

- the POS terminals were mainly located in the USA and the Czech Republic;

- the criminal activity began in the summer of 2014 and ended in the first quarter of 2015;

- the criminals managed to adapt their scheme: instead of topping up the card at an ATM, they transferred funds from a card issued by one bank to a card issued by another. The details of that transfer were used for the “return”, while the second card was used to withdraw cash at an ATM, which allowed the fraud to continue;

- several court cases were opened against the perpetrators; the “money mules” were from London, Ukraine, Latvia and Lithuania.

“After the first correction, the scammers changed the scheme a bit and committed the fraud again. Then the error was finally fixed, but no one is sure that the scheme cannot be changed again,” says Dmitry Volkov of Group-IB. “This scheme may affect non-Russian banks, but we only know about Russian victims.”
