Dubai company reminds the world about Russian hackers

The Dubai-based company Group-IB presented a report exposing a group of hackers who illegally withdrew funds from bank accounts around the world.

Group-IB, a leading provider of information and cyber security services with offices in the United Arab Emirates (Dubai) and Russia (Moscow), has published a report detailing the fraudulent schemes of a Russian-speaking hacker group known as MoneyTaker.

In less than two years, the MoneyTaker cybercriminals carried out more than 20 successful attacks on financial and law firms around the world. Although the group successfully carried out a number of attacks on several banks in different countries, the attacks were not reported to the public. By constantly changing its tools and tactics to bypass antivirus and security systems and, most importantly, by carefully masking the traces of intrusion, the group managed to go unnoticed for a long time.

According to Group-IB, the hackers carried out their first attack in the United States in May 2016, and the most recent took place in November 2017 in Russia.

“MoneyTaker uses tools that are publicly available, which greatly complicates the process of identifying attacks and conducting an investigation,” says Dmitry Volkov, co-founder of Group-IB and director of intelligent data processing. “In addition, the attacks took place in different regions of the world. Group-IB experts suggest that new attacks will take place in the near future, therefore, to reduce the risk, they prepared a report containing a description of the methods and tools used by hackers, as well as criteria by which to determine that you are a victim of MoneyTaker.”

Using its own security threat intelligence system, Group-IB managed to identify the relationship between all 20 attack cases in 2016 and 2017. The connections were found not only in the tools used, but also in the distributed infrastructure and the one-time components in the software set used by the group. Group-IB also describes specific withdrawal schemes: the use of unique accounts for each transaction. Another distinctive feature of the group is that after the theft, the attackers continue to monitor the deceived banks, redirecting corporate emails and other documents to mailboxes on Yandex and Mail.ru.
