Global Cyber Security Company

Cyberfascists detained in Russia

13th of April, 2015, Moscow - Administration “K” of the Ministry of Internal Affairs of Russia with a help of Group-IB and Sberbank security service have detained Russian accomplices of a group of cybercriminals. Fraudsters organized malware attacks at android-operated mobile devices of Russian banks’ customers.

They used a Trojan that was requesting account balance of the credit card tied to the mobile device, hiding incoming SMS-notifications and making payments to the accounts of fraudsters.

With a help of Sberbank’s data as well as Group-IB’s unique Bot-trek cyber intelligence and forensics analysis and Administration “K” efforts it was possible to identify 4 citizens of Chelyabinsk Region suspected of a crime. Several laptops have been seized form the detainees together with a dozen of cell phones and a large number of sim-cards. A criminal case has been filed.

The hackers named their software “The fifth Reich” and have been using Nazi symbols in the management system, that’s how this group got its name “The fascists”.

The first information about the malware used by this group appeared in July 2013. It was clear that the Trojan had been designed to steal money from bank accounts. The software evolved since then and new functionality allowed it to commit theft more efficiently. One of the first ways to steal money involved using SMS-banking (a procedure of money transfer with a help of specific SMS that is being sent to the bank).


Later on the fraudsters began to collect credit cards data and were using phishing web-sites for that. The malware was opening a new window atop of Google Play interface and was asking to type credit card credentials as illustrated on the picture below. When a user was typing in this information it was then sent to fraudsters’ server.

  adcard  flashpl

After that the hackers created phishing web-sites for a couple of Russian and Ukranian banks but this time they were not collecting credit cards information but online banking accounts credentials. When a user was launching banking application the Trojan would switch the original window to a phishing one where the user would type in all sensitive information to immediately send it to the fraudsters. Having logins, passwords and access to all SMS-messages in their hands the fraudsters were able to successfully make payments.


The malware was distributed via SMS-mailing with a fake link for Adobe Flash Player download that would in fact download the Trojan.

This a second case of cybercriminals engaged in theft from bank accounts using malware for Android devices being detained in the last six month.


About Group-IB

Group-IB is one of the leading international companies specializing in preventing and investigating high- tech cyber crimes and fraud. The company offers a range of services on preventing financial and reputational damages, consulting and auditing of information security systems, and on computer forensics. The company also develops a number of innovative software products Bot-Trek used to monitor, detect and prevent emerging cyber threats.
The Group-IB team is made up of experts with unique skills and solid practical experience. They are internationally certified by CISSP, CISA, CISM, CEH, CWSP, GCFA, and also have information security state certificates. In 2013, computer security incident response team CERT-GIB operated by Group-IB became a member of FIRST - Forum of Incident Response and Security Teams.

For more information please contact the PR Department, Group-IB:
Marina Koldomasova | + 7 495 984-33-64 |

Contact Us:

+1 917 809-47-41

More information