Hackers' scheme

in #life, 8 years ago

Hackers have invented a new money-theft scheme and stolen 250 million rubles

Group-IB has discovered a new type of fraud in which criminals stole money from bank accounts.

UPDATE 24.11.2015: additional information has appeared on Forbes.com (see the end of the post).

The attackers carried out the main steps at ATMs, which is why the scheme is called "ATM-reverse" or "reverse reversal". In this scheme the offender obtained a non-personalized payment card, topped it up and then withdrew cash from an ATM, requesting a receipt for the transaction.


The details of the completed transaction were then passed to an accomplice (or accomplices) with access to infected POS terminals, which were often located outside Russia. Using the transaction code printed on the receipt, they sent a command from such a terminal to cancel the cash withdrawal. Once the transaction was cancelled, the card balance was instantly restored (in the bank's processing system this looked like a refund for returned goods), and the attacker had the "cancelled" money back on the account while keeping the cash already dispensed. The criminals repeated these steps until the ATM ran out of cash.

According to Group-IB, five unnamed major Russian banks were affected. In total the criminals stole about 250 million rubles, but the potential damage is estimated at more than RUB 1 billion. The banks were able to prevent further theft attempts only after developing and deploying protective measures jointly with the payment systems Visa and MasterCard.

The fraudsters certainly included people familiar with the processing operations of one of the affected banks. According to a representative of one of the major banks, the attackers exploited a vulnerability in the issuing bank's processing centre, which did not check all of the data when handling a cancel operation. "An additional check could have detected that the money was dispensed in one country while the operation was cancelled in another," the expert said.

Update:
Valery Baulin, head of the computer forensics laboratory at Group-IB:
"The attackers learned to exploit what I would, if I may say so, call a vulnerability, one based on the particular relationships between issuing banks, acquirers and payment systems. So to say exactly on which side the vulnerability lay might be impossible, and it would be wrong. This was done to simplify settlement relationships and speed up transactions. In fact, the attackers knew about some of these simplified verification schemes and were able to exploit them."

In the interests of the investigation, the names of the affected banks and whether the criminals have been detained are not being disclosed.

Maksim Emm, information security and technology expert:
"The idea is that in any payment system, including Visa and MasterCard, it is possible both to withdraw money and to return money. In this case the attackers used the fact that, for a number of banks, you can withdraw money at one terminal and issue the refund transaction at another terminal. Here that other terminal was controlled by the hackers, and that was the vulnerability. These transactions were hard enough to find, because nobody had reported losses. That is, they can be found only by comparing the debit and credit entries on card accounts, and there are a great many transactions, while it was probably there that they worked out that this amount of money, 250 million, had leaked. Protection against this threat is, in general, inexpensive: it is simply a reconfiguration of the rules in the bank's processing. If an information system of this kind supports these rules, and the majority of processing systems do support them, it is quite simple to configure, and this loophole will be closed, and all customers will be spared this kind of problem. In fact, it is not the customers who lose money but the bank, so, in general, the banks will sort it out fast enough. The attackers had a very thorough picture of the payment system's rules, the rules for forming debit and credit transactions, and the cancellation of such transactions. And, most likely, they thoroughly understood how the processing systems in banks work. Perhaps one of the attackers had previously worked at a company that makes processing systems, or in a bank. So it is a fairly sophisticated attack, which was identified fast enough. I think most banks, based on this information, have now introduced this kind of validation, and in future such problems with our banks will be excluded."
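The processing rule Emm describes, matching every cancel against the original transaction before restoring the balance, as an added Python example (not Group-IB's or any bank's code; the record fields, the specific matching rules and the sample ledger are assumptions constructed for illustration):

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Txn:
    """One ledger record (fields are assumed for the example, not a real processor's format)."""
    txn_id: str
    card: str
    kind: str             # "ATM_CASH", "POS_PURCHASE" or "REVERSAL"
    amount: int           # minor units (kopecks)
    terminal_id: str
    terminal_type: str    # "ATM" or "POS"
    country: str          # country of the acquiring terminal
    ref_txn_id: Optional[str] = None   # REVERSAL only: id of the original transaction

def validate_reversal(rev: Txn, ledger: dict) -> list:
    """Return the reasons to reject `rev`; an empty list means it matches its original."""
    if rev.kind != "REVERSAL":
        return ["not a reversal"]
    orig = ledger.get(rev.ref_txn_id)
    if orig is None or orig.kind == "REVERSAL":
        return ["no matching original transaction"]
    reasons = []
    if orig.card != rev.card:
        reasons.append("card mismatch")
    if rev.amount > orig.amount:
        reasons.append("amount exceeds original")
    # The gap the article describes: the cancel was not checked against where
    # the original happened, so a POS terminal abroad could undo an ATM cash-out.
    if orig.terminal_id != rev.terminal_id:
        reasons.append("terminal mismatch")
    if orig.country != rev.country:
        reasons.append("country mismatch")
    if orig.kind == "ATM_CASH" and rev.terminal_type != "ATM":
        reasons.append("cash withdrawal reversed from a non-ATM terminal")
    return reasons

def screen(txns: list) -> dict:
    """Check every reversal in `txns`; map reversal txn_id -> list of rejection reasons."""
    ledger = {t.txn_id: t for t in txns}
    return {t.txn_id: validate_reversal(t, ledger) for t in txns if t.kind == "REVERSAL"}

# Constructed sample ledger for the example (not real transaction data).
SAMPLE = [
    Txn("T1", "card-A", "ATM_CASH", 5000_00, "ATM-0042", "ATM", "RU"),
    Txn("T2", "card-B", "POS_PURCHASE", 1200_00, "POS-7", "POS", "RU"),
    Txn("R2", "card-B", "REVERSAL", 1200_00, "POS-7", "POS", "RU", "T2"),   # legitimate refund
    Txn("R1", "card-A", "REVERSAL", 5000_00, "POS-99", "POS", "CZ", "T1"),  # pattern from the article
    Txn("R0", "card-A", "REVERSAL", 5000_00, "POS-99", "POS", "CZ", "T9"),  # no original at all
]
```

Running `screen(SAMPLE)` accepts R2 (same card, terminal and country as its purchase), rejects R1 with terminal, country and terminal-type mismatches, and rejects R0 because no original transaction exists.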

Sources: RBC, SecurityLab and BFM.RU.

UPDATE 24.11.2015: additional information from Forbes.com:

— the POS terminals were located primarily in the USA and the Czech Republic;

— criminal activity began in the summer of 2014 and ended in the first quarter of 2015;

— the criminals managed to adapt their scheme: instead of withdrawing cash at an ATM, they transferred funds from a card issued by one bank to a card issued by another. The details of that transfer were used for the "refund", while the second card was used to withdraw cash from an ATM, allowing the criminals to continue the fraud;

— there are several court cases against those responsible; the "money mules" were from London, Ukraine, Latvia and Lithuania;

— "After the first fix the scammers changed the scheme slightly and committed fraud again. Then the bug was finally fixed, but no one is sure that the scheme cannot be changed yet again," says Dmitry Volkov of Group-IB. "This scheme may affect non-Russian banks, but we only know about the Russian victims."
Tags: payment system, payment cards, ATM, POS terminal


An interesting article. Comprehensive information on an important subject.