
Hackers invented a new money theft scheme, stealing 250 million rubles

Group-IB revealed a new type of fraud with which criminals stole money from bank accounts.

UPDATE from 11/24/2015 - some additional information appeared on Forbes.com

The attackers carried out the key steps at ATMs, so the scheme is called "ATM-reverse" or "reverse reversal". In the scheme described, the criminal obtained a non-personalized payment card, topped it up and immediately withdrew the deposited money at an ATM, requesting a receipt for the transaction.

The transaction details were then sent to an accomplice (or accomplices) with access to malware-infected POS terminals, often located outside Russia. Using the transaction code printed on the receipt, a command to reverse the cash withdrawal was sent through such a terminal. Once the transaction was reversed, the card balance was instantly restored (to the bank's processing system this looked like a refund for returned goods), and the attacker had the "cancelled" money back on the account. The criminals repeated these steps many times, until the ATM ran out of cash.

According to Group-IB, five large Russian banks, which it did not name, were hit by these actions. In total the criminals stole about 250 million rubles, but the potential damage is estimated at more than 1 billion rubles. The banks managed to prevent further attempts at this kind of theft only after developing and deploying protective measures together with the Visa and MasterCard payment systems.

The fraudsters almost certainly included someone familiar with the processing operations of one of the affected banks. According to a representative of one large bank, in the scheme described the attackers exploited a weakness in the issuing bank's processing center, which did not check all of the data when handling a reversal. "An additional check could have revealed that the money was being dispensed in one country and the transaction reversed in another," the expert noted.
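As an added illustration (not code from the article, the banks or Group-IB), this is the kind of consistency check the expert describes: each reversal is matched to the original withdrawal by its reference and rejected when the card, amount, terminal, terminal type or acquirer country do not agree. The record format and the sample log are constructed assumptions about an issuer's transaction log.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Txn:
    """One issuer-side record; field names are assumptions, not a real format."""
    ref: str            # reference of the original transaction (printed on the receipt)
    kind: str           # "withdrawal" or "reversal"
    card: str
    amount: int         # rubles
    terminal_id: str
    terminal_type: str  # "ATM" or "POS"
    country: str        # country of the terminal / acquirer


def check_reversal(rev: Txn, originals: Dict[str, Txn]) -> List[str]:
    """Return the reasons a reversal should be rejected; an empty list means it is consistent."""
    orig = originals.get(rev.ref)
    if orig is None:
        return ["no matching original transaction"]
    reasons = []
    if orig.card != rev.card:
        reasons.append("card mismatch")
    if rev.amount > orig.amount:
        reasons.append("reversal exceeds original amount")
    if orig.terminal_id != rev.terminal_id:
        reasons.append("reversal sent from a different terminal")
    if orig.terminal_type == "ATM" and rev.terminal_type != "ATM":
        reasons.append("cash withdrawal reversed through a POS terminal")
    if orig.country != rev.country:
        reasons.append(f"withdrawn in {orig.country}, reversed in {rev.country}")
    return reasons


def audit(log: List[Txn]) -> Dict[str, List[str]]:
    """Map each flagged reversal's reference to its rejection reasons."""
    originals = {t.ref: t for t in log if t.kind == "withdrawal"}
    flagged = {}
    for t in log:
        if t.kind == "reversal":
            reasons = check_reversal(t, originals)
            if reasons:
                flagged[t.ref] = reasons
    return flagged


# Constructed sample log: A1 follows the pattern from the article (withdrawn at a
# Russian ATM, reversed from a foreign POS terminal); B7 is a legitimate same-terminal
# reversal (e.g. cash not dispensed); C3 references a withdrawal that never happened.
SAMPLE_LOG = [
    Txn("A1", "withdrawal", "CARD-1111", 5000, "ATM-MSK-017", "ATM", "RU"),
    Txn("A1", "reversal",   "CARD-1111", 5000, "POS-CZ-9942", "POS", "CZ"),
    Txn("B7", "withdrawal", "CARD-2222", 3000, "ATM-MSK-017", "ATM", "RU"),
    Txn("B7", "reversal",   "CARD-2222", 3000, "ATM-MSK-017", "ATM", "RU"),
    Txn("C3", "reversal",   "CARD-3333", 9000, "POS-US-0011", "POS", "US"),
]
```

Running `audit(SAMPLE_LOG)` flags A1 and C3 and lets the same-terminal reversal B7 through, which is the check the expert says a processing rule set should already be able to express.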

Update:
Valery Baulin, Head of the Computer Forensics Laboratory at Group-IB:
"The attackers learned to use some, if I may say so, vulnerability, which was based on the peculiarities of the relationship between issuing banks and acquirers, as well as payment systems. Therefore, it is probably impossible and wrong to say for sure which side the vulnerability was on. This was done to simplify relationships, mutual settlements, speed up transactions. Actually, the attackers knew about it, about some such simplified verification schemes, and were able to use it."

Information about which particular banks suffered, as well as whether the criminals were detained, has not yet been disclosed in the interests of the investigation.

Maxim Emm, an expert in the field of information security and technology:
"The point is that in any payment system, including Visa and MasterCard, it is possible either to withdraw money or to return it. In this case, the attackers took advantage of the fact that for a number of banks it was possible to withdraw money at one terminal and arrange a refund transaction from another terminal, one controlled by the attackers; that was the vulnerability. It was quite difficult to find these transactions because no one claimed losses. That is, it could only be found by comparing the debit and credit sides of card accounts, and there were a lot of transactions before anyone figured it out, which is probably why so much money — 250 million — flowed out. Protection from this threat is, in general, inexpensive: it is just a reconfiguration of the rules in the bank's processing. If an information system of this kind supports these rules, and most processing systems do, it is enough simply to set them up, and this loophole will be closed and all customers spared from this kind of problem. In fact, it was not the clients who were losing money but the bank, so in general the banks would figure it out quite quickly. These intruders had a very detailed understanding of the payment system's rules, the rules for forming a transaction, both debiting and replenishing, and cancelling that debit. And, most likely, they understood in detail how processing works in banks. Perhaps one of the attackers used to work in a company that develops processing systems, or in a bank. So this is a rather sophisticated attack, which was quickly discovered. I think that most banks now, based on this information, will introduce such checks, and in future such problems with our banks will be excluded."

Based on RBC, Securitylab and BFM.RU.

UPDATE from 11/24/2015, additional information appeared on Forbes.com:

- the POS terminals were mainly located in the USA and the Czech Republic;

- criminal activity began in the summer of 2014 and ended in the first quarter of 2015;

- the criminals adapted the scheme: instead of topping up the card at an ATM, they transferred funds from a card issued by one bank to a card issued by another. The transfer's transaction details were used for the "reversal", while the second card was used to withdraw cash from an ATM, allowing the fraud to continue;

- several court cases were opened against the perpetrators; the "money mules" were from London, Ukraine, Latvia and Lithuania;

- "After the first correction, the fraudsters changed the scheme a bit and committed fraud again. Then the error was finally corrected, but no one is sure that the scheme cannot be changed again," says Dmitry Volkov, Group-IB. "This scheme may affect non-Russian banks, but we only know about Russian victims."

Source: https://habr.com/ru/post/271211/
