Global Cyber Security Company

Group-IB: online trading and stock brokerage attacked by hackers

17.04.2013, Moscow. Group-IB has found a new kind of malware targeting the stock broking application QUIK. It was detected during several targeted attacks starting in November 2012, in which the cybercriminals began gathering detailed information on the respective account owners.

Traditionally, hackers' key interests were private and corporate banking accounts, where online systems could be exploited and funds stolen. Corporate accounts are the more attractive targets because of their higher balances.

In the last year, Group-IB has received several fraud incident requests concerning some famous online trading and stock brokerages whose systems were possibly hacked. Our research has shown that this was done without any kind of malware, directly through untrusted or fake partners.

In the previous month, Group-IB detected the first professional malware targeting the specialized trading software QUIK (Quik Broker, Quik Dealer) from ARQA Technologies and FOCUS IVonline from EGAR Technology, used by many large banks of the Russian Federation, specifically the national banks “Sberbank”, “Alfa-Bank” and “Promsvyazbank”.

Both applications are used for trading on MICEX, one of the leading Russian stock exchanges and the biggest trading venue in Eastern Europe. MICEX offers issuers a wide variety of services, including placing and trading stocks, listing services, and help with executing initial public offerings (IPOs). Exchange clients can trade in securities of such prominent issuers as Gazprom, Sberbank of Russia, LUKOIL, Rosneft, VTB Bank, Surgutneftegaz, Transneft, RusHydro, Mobile TeleSystems, etc.

The malware first checks whether these applications are present in the OS. It then begins to monitor the user’s actions and extracts information about their activity by capturing screenshots and intercepting credentials, which are sent to the C&C server.

Some of this data was extracted by elite Group-IB specialists while handling the C&C servers, and subsequent monitoring by Group-IB Bot-Trek returned victim information.

It is very important to note that QUIK software is used for online trading not only in the Russian Federation, but also by many entities in other countries, such as BrokerCreditService (Cyprus), Otkritie (GB / RU), InstaForex and many others.

About Group-IB

Group-IB is one of the leading companies in global cybercrime prevention and hi-tech crime investigations.

Key activities of our company: Cyber Intelligence and Threat Prevention, Information Security, Assessment and Vulnerability Research, Computer Forensics, and Cybercrime and Hi-Tech Investigations. We also develop innovative software products for monitoring, detection and prevention of emerging global cyber threats.

In the technologies field, our team members are on the cutting edge. Our employees have earned several certificates: CISSP (Certified Information Systems Security Specialist), CISA (Certified Information Systems Analyst), CEH (Certified Ethical Hacker), Extreme Networks Administrator, A+ Certification, Net+, MCP (Microsoft Certified Professional), and MCSA (Microsoft Certified Systems Administrator).
We have more than 90 employees serving customers in more than 25 countries. Our clients include various banks, financial institutions, oil and gas companies, software and hardware vendors, telecommunications service providers from Australia, Argentina, Brazil, Canada, EU, Russian Federation, UK, USA and Ecuador.

Group-IB employees participate in key IT security conferences such as e-Crime, Cardex, APWG: Counter-eCrime Operations Summit (CeCOS), Cyber Intelligence Asia and the SCADA Security Summit.

Georgiy Pulyaevskiy, Group-IB PR manager
+7 495 661-55-38 ext. 092
+7 965 399-17-92

Contact Us:

+1 917 809-47-41
