The Russian Epicenter of Cybercrime Ramps Up the Sophistication

The Russian high-tech crime market for 2014 is showing ever-increasing sophistication, with criminals creating shadow worlds of illegal activity, exploiting new financial theft techniques and incorporating mobile attacks more often.

In its annual report on the Russian cybercrime scene, Group-IB’s computer forensics lab and its CERT-GIB unit note that one of the most prominent trends is how much more structured the Russian market for stolen credit card information, arguably the epicenter of the data breach trend, has become in the last year, complete with wholesalers and online trading platforms. Revenue is rising accordingly; the company estimates the carding market at about $680 million.

“Criminals can easily browse and purchase stolen credit-card information as if they were shopping on any mainstream e-commerce site,” the company said. “A study of the online card market site SWIPED found that the most active card supplier is a criminal individual called ‘Rescator,’ who uploaded details of over 5 million cards to the online marketplace.”

In investigating a test sample, Group-IB found that all sampled cards were originally stolen from the retail chain Target, which famously suffered a security breach in the past year.

Group-IB also found that 80% of payments on SWIPED are made using Bitcoin, with other cryptocurrencies also playing a role as convenient tools for illegal transactions.

“Shadow Internet shops selling goods such as stolen information, weapons and drugs have switched to using cryptocurrencies as their primary payment methods,” the report explained. “The use of malware-based botnets to mine Bitcoins has also become so developed that botnet renting through services like SkyShare has become a reality. Stealing from cryptocurrency wallets using trojans has also become more sophisticated and common.”

Trojans also drove strong growth in mobile banking threats.

“This year, five criminal groups emerged that specialize in mobile banking theft using trojans,” Group IB noted. “These groups infect Android phones and steal information via SMS banking and the use of phishing sites. The scale of these thefts is limited only by the manual nature of the activity.”

Mobile espionage is also on the rise: malware that lets criminals read texts, listen to phone conversations and even pinpoint a victim’s location using the phone’s GPS.

More classic targeted attacks on financial institutions continue as well: groups targeting banks stole about $40 million during the report period, using trojans, phishing sites and, in some cases, help from personnel inside the banks. To get around policies that bar bank workers from opening executable files, criminals hide the malware inside harmless-looking document files.
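As an added example (not from the Group-IB report or this article), here is a small Python triage check of the kind a mail gateway or SOC analyst could run on incoming attachments to catch the trick described above: an executable renamed with a document extension, an executable embedded inside an otherwise genuine-looking document, or a VBA macro project hidden in a format that is supposed to be macro-free. The magic-byte table, the finding codes and the sample files are all constructed for the example; the "PE" in the samples is a bare header, not real malware.

```python
import io
import struct
import zipfile

# Magic bytes a file with the given extension should start with
# (assumed table for the example; not exhaustive)
DOC_MAGIC = {
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 compound file (.doc/.xls/.ppt)
    "xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "docx": b"PK\x03\x04",                          # OOXML zip container
    "xlsx": b"PK\x03\x04",
    "pdf": b"%PDF-",
    "rtf": b"{\\rtf",
}


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of every plausible PE image inside data.

    A PE image starts with an 'MZ' DOS header whose 32-bit field at +0x3C
    (e_lfanew) points at the 'PE\\0\\0' signature. Requiring both halves
    avoids flagging the many places 'MZ' appears by chance.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML (zip) container carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess(filename: str, data: bytes) -> list:
    """Return finding codes for one attachment (empty list = nothing suspicious)."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = DOC_MAGIC.get(ext)
    if expected is None:
        findings.append("unknown-extension")
    elif not data.startswith(expected):
        findings.append("extension-mismatch")   # e.g. an .exe renamed to .doc
    if find_embedded_pe(data):
        findings.append("embedded-pe")          # executable dropped inside a document
    if ext in ("docx", "xlsx") and ooxml_has_vba(data):
        findings.append("vba-macros")           # macro project in a macro-free format
    return findings


# ---- constructed sample inputs (fake headers, not real malware) ----

def _pe_stub() -> bytes:
    """Minimal fake PE: 'MZ' header, e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)        # 0x3C bytes of DOS header
    stub += struct.pack("<I", 0x80)                 # e_lfanew
    stub += b"\x00" * (0x80 - len(stub))            # pad up to the PE signature
    stub += b"PE\x00\x00"
    return bytes(stub)


def _ooxml(with_vba: bool) -> bytes:
    """Tiny OOXML-style zip with a fixed timestamp so the bytes are deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(zipfile.ZipInfo("word/document.xml", (1980, 1, 1, 0, 0, 0)),
                    "<w:document/>")
        if with_vba:
            zf.writestr(zipfile.ZipInfo("word/vbaProject.bin", (1980, 1, 1, 0, 0, 0)),
                        "fake vba project")
    return buf.getvalue()


SAMPLES = {
    "quarterly.docx": _ooxml(with_vba=False),               # clean
    "invoice.doc": _pe_stub(),                              # executable renamed to .doc
    "statement.pdf": b"%PDF-1.4\n%filler\n" + _pe_stub(),  # PE appended to a PDF
    "macro_report.docx": _ooxml(with_vba=True),             # macros in a .docx
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:20s} {assess(name, blob) or 'clean'}")
```

The header-vs-extension check catches the lazy rename; the `e_lfanew` walk catches a dropper glued to or stored inside a genuine document, where the first bytes are perfectly normal; the zip listing catches macros regardless of what the container is called. None of these is a substitute for detonation or a full parser, but together they cover the cheap evasions that an "executables are blocked" policy alone does not.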

Russian hackers are also becoming more adept at reprogramming ATMs to hand out large-denomination notes: through physical access or by infecting the bank’s local network, they are able to introduce malicious scripts into the ATM software.

“In some cases the purpose is to record any ATM card numbers and PINs used on the compromised machines and to make cash withdrawals from those accounts,” the firm said. “Other scripts can reprogram an ATM to pay out larger-value notes than they should, for example issuing 5,000-ruble notes when 100-ruble notes ought to be issued. The total amount stolen from one group via this method exceeded 50 million rubles.”

In a lone bright spot, online banking fraud is down: Of eight criminal groups active in Russian online banking theft last year, two have switched to foreign targets, and one was broken up following the 2014 arrest of one of its leaders. This has resulted in a decrease in the total online banking fraud market, Group-IB said, from an estimated $615 million in 2012 to $425 million in 2013-2014.
