Russian Hackers MoneyTaker Steal over $10 Million from US Banks
Cyber threat intelligence company Group-IB published a report on December 11, 2017, detailing a series of bank thefts carried out by Russian-speaking hackers. The report names the group "MoneyTaker" after the software the criminals use to attack financial institutions. The report offers several insights into how cyber crime against banks is changing, and it also shows that no institution is safe from infiltration.
This article gives a concise summary of the report and of the main features of the campaign, which stole millions of dollars from over a dozen banks in the United States and Russia. For more detail, refer to the Group-IB report itself.
What exactly happened?
According to the 36-page report released by Group-IB, the group stole over $10 million from 15 banks in the United States and three banks in Russia over roughly 18 months. The first known attack was carried out in May 2016, and the group has used the same methods to compromise bank networks ever since.
No group has claimed responsibility for these attacks, so the criminals' real identity is unknown; as mentioned, "MoneyTaker" comes from the software they used to breach their victims' systems. It was also initially thought that the campaign affected only 15 banks in Utah, New York, and California, but it later emerged that MoneyTaker had been active in Russia as well.
Financial theft usually brings to mind criminals taking money or something that can be turned into money. MoneyTaker, however, was not satisfied with money alone. Once a system was infected, the malware collected almost everything it could reach, and the intrusion persisted on compromised systems long enough to gather admin guides, change request forms, international regulations, transaction logs, and so on. MoneyTaker clearly tried to make the most of every intrusion.
The main target of the attacks was the card payment systems used by small banks. Why would MoneyTaker go after smaller targets? The answer is simple: smaller banks and other institutions cannot invest as much in security, so they are in practice easier to breach than large enterprises. The report also notes that banks were not the only victims: MoneyTaker also hit a credit union, financial service providers, and a law firm.
How does the attack work?
Cyber attacks bring to mind purely digital transactions and intangible theft, but the MoneyTaker scheme ended in very tangible cash. Before an attack, the criminals obtained legitimate debit and credit cards issued by the targeted bank. Once the bank's systems were infected with the malware, they used that access to remove the withdrawal limits on those cards. Normally a card carries a withdrawal limit that stops a cardholder from taking out more money than the account, or the credit line behind it, can cover; with the limit removed, money mules could visit ATMs and withdraw very large sums. The Russian attacks, by contrast, went through an interbank messaging system that Russia's Central Bank also uses, and netted around $1.3 million.
What is a money mule? A money mule is a person who acts as an intermediary for cyber criminals, moving or cashing out stolen funds. Some mules know they are part of an illegal operation; others do not. In this case the mules were the people holding the cards who withdrew the cash from the ATMs.
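The limit-removal-then-cash-out pattern is something a bank's fraud or security team can hunt for in its own card-management audit trail. The following Go program is an added example, not code from the article or from Group-IB's report: it replays a constructed audit log (the line format, card numbers, terminals and actor names are all invented for the example) and flags any ATM withdrawal that follows a limit change on the same card within a time window and exceeds the limit that was in force before the change.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// sampleAudit is a constructed card-management audit log for this example.
// The line format (timestamp, event type, key=value fields) is invented;
// real systems log limit changes and ATM withdrawals in their own formats,
// but these are the fields the detection needs. The first card has its
// limit removed (new=0) and is then drained at two ATMs; the second has an
// ordinary limit raise followed by a withdrawal inside the old limit; the
// third has no limit change at all.
const sampleAudit = `
2017-05-03T01:12:04Z LIMIT_CHANGE card=4111****1234 old=500 new=0 actor=svc_cardadmin
2017-05-03T01:40:11Z ATM_WITHDRAWAL card=4111****1234 amount=3000 terminal=ATM-0417
2017-05-03T01:52:37Z ATM_WITHDRAWAL card=4111****1234 amount=3000 terminal=ATM-0422
2017-05-03T09:00:00Z LIMIT_CHANGE card=5500****9876 old=500 new=1000 actor=teller_jdoe
2017-05-03T12:15:00Z ATM_WITHDRAWAL card=5500****9876 amount=400 terminal=ATM-0101
2017-05-04T02:05:19Z ATM_WITHDRAWAL card=6011****5555 amount=400 terminal=ATM-0300
`

// limitChange is the most recent limit change seen for a card.
type limitChange struct {
	at       time.Time
	oldLimit int
	newLimit int
	actor    string
}

// Alert is one ATM withdrawal that the card's previous limit would have blocked.
type Alert struct {
	Card     string
	At       time.Time
	Amount   int
	OldLimit int
	NewLimit int
	Actor    string // who changed the limit; the account to investigate first
}

// parseKV turns "key=value" tokens into a map, ignoring malformed tokens.
func parseKV(tokens []string) map[string]string {
	kv := make(map[string]string, len(tokens))
	for _, tok := range tokens {
		if parts := strings.SplitN(tok, "=", 2); len(parts) == 2 {
			kv[parts[0]] = parts[1]
		}
	}
	return kv
}

// Detect replays the audit log in order and flags every ATM withdrawal that
// follows a limit change on the same card within window and exceeds the
// limit that was in force before the change. A new limit of 0 means the
// limit was removed entirely, which is the case the article describes.
func Detect(audit string, window time.Duration) []Alert {
	var alerts []Alert
	recent := map[string]limitChange{}
	for _, line := range strings.Split(audit, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue // blank or malformed line
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		kv := parseKV(f[2:])
		switch f[1] {
		case "LIMIT_CHANGE":
			oldLimit, _ := strconv.Atoi(kv["old"])
			newLimit, _ := strconv.Atoi(kv["new"])
			recent[kv["card"]] = limitChange{at: at, oldLimit: oldLimit, newLimit: newLimit, actor: kv["actor"]}
		case "ATM_WITHDRAWAL":
			lc, ok := recent[kv["card"]]
			if !ok || at.Before(lc.at) || at.Sub(lc.at) > window {
				continue // no recent limit change on this card
			}
			amount, _ := strconv.Atoi(kv["amount"])
			if amount > lc.oldLimit {
				alerts = append(alerts, Alert{Card: kv["card"], At: at, Amount: amount,
					OldLimit: lc.oldLimit, NewLimit: lc.newLimit, Actor: lc.actor})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleAudit, 24*time.Hour) {
		fmt.Printf("%s card=%s withdrew %d, old limit %d (changed to %d by %s)\n",
			a.At.Format(time.RFC3339), a.Card, a.Amount, a.OldLimit, a.NewLimit, a.Actor)
	}
}
```

Both alerts point at the same service account that zeroed the limit, which is where an investigation would start. The legitimate raise on the second card does not fire because the withdrawal that follows it stays inside the old limit, and the third card has no limit change to correlate against.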
New Trend in Cyber Theft
As mentioned, the Group-IB report also reads this attack as a sign of a new trend in cyber theft: criminals now choose to attack banks rather than their customers. One plausible reading is that the anti-fraud measures banks have put in place for customer accounts have made attacks on individuals less profitable, so criminals look for bigger returns, and going after the institution itself is more practical.
To get in, MoneyTaker's distribution server delivered malicious payloads only to targets on a whitelist, presumably so that security researchers and other professionals who might have thwarted the attack would never receive a sample. The criminals also run a penetration-testing (pentest) framework server built on the legitimate Metasploit tool to look for vulnerable applications, exploit vulnerabilities, and so on.
This is one reason we had not heard of MoneyTaker before: the group is good at covering its tracks, and it took security researchers quite a while to work out how the attack works. The infection is also hard to detect because the criminals rely on what the report calls fileless malware: the components the infection does drop live only in the %TEMP% directory and are gone after the next reboot. On top of that, the malware generates its own certificates bearing well-known brand names, so that at a glance the affected system appears to be dealing with legitimate software. MoneyTaker is known to have used certificates in the names of the US Federal Government, Bank of America, Yahoo, and Microsoft.
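The brand-named certificates deserve a closer look, because a certificate naming Microsoft or Bank of America proves nothing unless it chains to a root the host actually trusts. The Go program below is an added example and not a MoneyTaker artifact: it generates a self-signed certificate whose subject is "Bank of America" (a name taken from the article; the key type, validity period and other fields are chosen for the example) and shows that Go's chain validation rejects it against an empty root pool, and accepts it only once that very certificate has been installed as a root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeBrandNamedSelfSigned builds a self-signed certificate whose subject
// carries a trusted-sounding name. It is constructed for this example to
// stand in for what the article describes; it is not a MoneyTaker sample.
func makeBrandNamedSelfSigned(org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Signing the template with its own key is exactly what "self-signed" means.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// isSelfSigned reports whether the certificate's signature verifies under its own key.
func isSelfSigned(cert *x509.Certificate) bool {
	return cert.CheckSignatureFrom(cert) == nil
}

// chainsToTrustedRoot reports whether cert builds a valid chain to a root in roots.
// This is the check that a familiar subject name cannot substitute for.
func chainsToTrustedRoot(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	cert, err := makeBrandNamedSelfSigned("Bank of America")
	if err != nil {
		panic(err)
	}
	// An empty pool stands in for a host that trusts no attacker-run CA.
	noTrust := x509.NewCertPool()
	fmt.Printf("subject=%q self-signed=%v chains_to_trusted_root=%v\n",
		cert.Subject.CommonName, isSelfSigned(cert), chainsToTrustedRoot(cert, noTrust))

	// Only if the attacker's certificate is itself installed as a root does the
	// name "work"; that is a trust-store problem, not something the name earns.
	attackerTrusted := x509.NewCertPool()
	attackerTrusted.AddCert(cert)
	fmt.Printf("after installing it as a root: chains_to_trusted_root=%v\n",
		chainsToTrustedRoot(cert, attackerTrusted))
}
```

The practical lesson for defenders is that a subject name is free-form text the issuer chooses. Hunting for self-signed certificates that claim well-known organisations, and auditing which roots are installed on the hosts that accepted them, is what turns this MoneyTaker trick into a detection opportunity rather than a disguise.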
Potential Future Developments
Group-IB says that SWIFT (the global messaging service used by over 11,000 financial institutions worldwide) has not been compromised by MoneyTaker, at least not yet, but it is quite likely the group will try to take on the system at some point. According to Reuters, SWIFT said in October that hackers continue to target the interbank messaging system. After dealing with small community banks here and there, MoneyTaker may well intend to focus on something bigger.
As mentioned, the malware steals everything it can from the affected system, and Group-IB pointed out that the hackers obtained a large number of documents relating to FedLink, a money transfer system used by a fair number of banks in Latin America. MoneyTaker may therefore try to target financial institutions there next.
Finally, the full extent of this campaign is unknown. Researchers only recently traced the origin of the infection to the home computer of a bank employee in Russia. As mentioned, we have only now heard of MoneyTaker because the group is that careful, and it is clear that we will hear from them again.