Russian hackers stole millions of roubles using text message scam
Malware planted on Android devices by Russian cyber criminals was successfully used to steal from domestic bank customers, with European lenders lined up as the next target, before the thieves’ arrest.
Although their campaign raised a relatively small sum by cyber-crime standards - more than 50 million roubles (£686,000) - they had also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations.
Russia’s relationship to cyber crime is under intense scrutiny after US intelligence officials alleged that Russian hackers had tried to help Republican Donald Trump win the presidency by hacking Democratic Party servers.
The Kremlin has repeatedly denied the allegation.
The gang members tricked the Russian banks’ customers into downloading malware via fake mobile banking applications, as well as via pornography and e-commerce programmes, according to a report compiled by cyber security firm Group-IB which investigated the attack with the Russian Interior Ministry.
In total, 16 suspects were arrested by Russian law enforcement authorities in November last year. The criminals had infected more than a million smartphones in Russia, on average compromising 3,500 devices a day, Group-IB said.
The hackers targeted customers of state lender Sberbank and also stole money from accounts at Alfa Bank and online payments company Qiwi, exploiting weaknesses in the companies’ SMS text-message transfer services, said two people with direct knowledge of the case.
Although operating only in Russia before their arrest, they had developed plans to target large European banks including French lenders Credit Agricole, BNP Paribas and Societe Generale, Group-IB said.
A BNP Paribas spokeswoman said the bank could not confirm this information, but added that it “has a significant set of measures in place aimed at fighting cyber-attacks on a daily basis”. Societe Generale and Credit Agricole declined to comment.
The gang, which was called “Cron” after the malware it used, did not steal any funds from customers of the three French banks. However, it exploited the bank service in Russia that allows users to transfer small sums to other accounts by sending an SMS message.
Having infected the users’ phones, the gang sent SMS messages from those devices instructing the banks to transfer money to the hackers’ own accounts.
The findings illustrate the dangers of using SMS messages for mobile banking, a method favoured in emerging countries with less advanced internet infrastructure, said Lukas Stefanko, a malware researcher at cyber-security firm ESET in Slovakia.
“It’s becoming popular among developing nations or in the countryside where access to conventional banking is difficult for people,” he said. “For them it is quick, easy and they don’t need to visit a bank. But security always has to outweigh consumer convenience.”
The Russian Interior Ministry said a number of people had been arrested, including what it described as the gang leader. This was a 30-year-old man living in Ivanovo, an industrial city 300km northeast of Moscow, from where he commanded a team of 20 people across six different regions.
Four people remain in detention while the others are under house arrest, the ministry said in a statement.
In February, former GCHQ deputy director of intelligence Brian Lord said that Britain was at risk from cyber-attack on “vulnerable” targets from states like Russia that do not operate under the same legal standards.