Members of the largest criminal group engaged in online banking fraud are detained
March 20, 2012
MOSCOW — Group-IB, the first Russian company providing comprehensive investigation of IT security incidents and breaches of information security, is announcing the results of its joint investigation with the Federal Security Service (FSB) and the Ministry of the Interior (MVD) of Russia, which culminated in the suppression of the criminal activities carried out over the past two years by a group engaged in online banking fraud. Clients of over a hundred banking institutions worldwide suffered losses due to the activities of these criminals, who, in the last quarter alone, managed to steal over 130 million rubles.
For the first time in international practice it was possible to establish the entire criminal chain, including the head of this group and owner of a botnet, those conducting fraudulent transactions, and those directly involved in cashing the stolen funds. In all, a total of eight individuals comprised the group. It should be noted that in addition to stealing funds from bank accounts, the criminals were also involved in carrying out distributed denial of service (DDoS) attacks.
The criminals hacked websites that accountants actively use in their work, as well as popular news media websites and online stores, and seeded them with malware. Having established remote access to a potential victim's computer and detected online banking details on it, the criminals created a fraudulent payment order transferring funds to a specially prepared account. The stolen funds were then cashed out via bank cards issued to dummy individuals or legal entities. To provide themselves with a comfortable working environment, the criminals opened an office that operated under the cover of a data recovery company.
“Our experts did an enormous amount of work, which resulted in identifying the head of this criminal group, the owner and operator of a specialized banking botnet, identifying the control servers, and identifying the directing of traffic from popular websites in order to spread malware infection,” noted Ilya Sachkov, Group-IB CEO. “The investigations conducted by our Forensics Lab confirmed the use of the Win32/Carberp and Win32/Rdpdor malware by the criminals in order to carry out theft of funds.”
Group-IB experts first encountered the activities of this group in November 2010, and in January 2011 the head of the criminal group was identified. However, a vast amount of effort was devoted to documenting his activities and identifying his accomplices. The investigation was complicated by the fact that the individual was constantly on the move throughout the country, and often was outside the Russian Federation.
The investigation of the botnet and its servers, made possible through cooperation with specialized organizations in various countries, including Holland and Canada, helped prevent theft of funds from clients of over a hundred banking institutions worldwide.
Group-IB expresses special gratitude to Sberbank of Russia for funding this work and providing necessary information, as well as to the Dutch company FOX-IT for its assistance throughout the many stages of this investigation.
To date, all members of this criminal group have been detained, and a criminal case has been instituted under the articles 158 (larceny), 273 (creation and distribution of malicious software), and 272 (unauthorized access to computer information) of the Criminal Code of the Russian Federation.
About Group-IB
Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB, CERT-GIB operates as the first private computer emergency response team in Russia. Group-IB is part of LETA Group.
For additional information contact Bogdan Vovchenko, Group-IB’s Head of PR department, at +7 (495) 661-5538, ext. 151, or [email protected].