Sophisticated ‘MoneyTaker’ group stole millions from Russian & US banks

December 12th, 2017, by Waqas. Filed under Cyber Crime, Hacking News, Scams and Fraud, Security.

IT security researchers at the Moscow-based cybercrime prevention firm Group-IB have identified a dangerous and sophisticated group of cybercriminals that has so far stolen more than $10 million from the banking and financial sectors.

Dubbed MoneyTaker by the researchers, the group has, in the last 18 months, conducted 20 successful attacks in Russia, the United Kingdom, and the United States. The group targeted card processing systems such as AWS CBR (the Russian interbank system) and, purportedly, SWIFT (the international bank messaging service) in the United States.


On average, MoneyTaker stole $3 million from each of three Russian financial institutions, while a sum of $500,000 was stolen from banks in the United States. But the group is not limiting itself to the banking sector: MoneyTaker also targeted financial software vendors and law firms.

“Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US,” says the report compiled by Group-IB.

Researchers confirmed that MoneyTaker targeted 20 companies: 1 in the UK, 3 in Russia and 16 in the US. All those attacks went unreported and undetected, since the group used publicly available tools for its operations.

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide, and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations,” said Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence.

MoneyTaker first caught attention when Group-IB researchers tracked the group's activities after it stole money from a US bank in 2016 by gaining access to First Data's "STAR" network operator portal.

“In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a bank in the UK and 2 attacks on Russian banks. Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB.”

“In 2017, the number of attacks has remained the same with 8 US banks, 1 law firm and 1 bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.”


Furthermore, researchers noted links between all 20 attacks conducted by the group in 2016 and 2017, including use of the same tools, similarly distributed infrastructure, one-time-use components in the attack toolkit, and spying on the target after a successful attack.

To evade detection, the group uses fileless malware and SSL certificates generated using the names of popular institutions such as Microsoft, Yahoo, Bank of America, and the Federal Reserve Bank. Moreover, MoneyTaker uses a distributed infrastructure and delivers payloads only to victims whose IP addresses are on MoneyTaker's whitelist.
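The certificate trick above is detectable on the defender's side: a certificate whose subject borrows a well-known institution's name but was never issued by a trusted CA (typically it is self-signed) is worth a look regardless of the fileless payload behind it. The following is an added example, not code from the article or from Group-IB, of such a triage check over certificate metadata a TLS-inspecting sensor might export. The trusted-issuer allow-list and the sample certificate records are constructed for the example.

```python
# Added example (not from the article or from Group-IB): flag TLS certificates
# whose subject names a well-known institution but which were not issued by a
# trusted CA. Input records below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CertInfo:
    """Minimal fields a TLS-inspecting sensor would export per certificate."""
    subject_cn: str
    subject_org: str
    issuer_cn: str
    issuer_org: str


# Brand names the article reports being used in forged certificates.
IMPERSONATED_BRANDS = ("microsoft", "yahoo", "bank of america", "federal reserve")

# Hypothetical allow-list of CA organisations the defender trusts (assumption);
# a real deployment would read the system trust store instead of a literal.
TRUSTED_ISSUER_ORGS = {"digicert inc", "let's encrypt", "globalsign nv-sa"}


def _norm(value: str) -> str:
    """Lower-case and collapse whitespace so naming variants compare equal."""
    return " ".join(value.lower().split())


def brand_in_subject(cert: CertInfo) -> bool:
    """True if the subject CN or O mentions one of the impersonated brands."""
    haystack = _norm(cert.subject_cn) + " " + _norm(cert.subject_org)
    return any(brand in haystack for brand in IMPERSONATED_BRANDS)


def is_self_signed(cert: CertInfo) -> bool:
    """A certificate whose issuer equals its subject signed itself."""
    return (_norm(cert.subject_cn), _norm(cert.subject_org)) == (
        _norm(cert.issuer_cn), _norm(cert.issuer_org))


def classify(cert: CertInfo) -> str:
    """Return a verdict for one certificate."""
    if not brand_in_subject(cert):
        return "no-brand"
    if is_self_signed(cert):
        return "impersonation-self-signed"
    if _norm(cert.issuer_org) not in TRUSTED_ISSUER_ORGS:
        return "impersonation-untrusted-issuer"
    return "brand-trusted-issuer"


def scan(certs: List[CertInfo]) -> List[Tuple[str, str]]:
    """Return (subject CN, verdict) for every certificate needing review."""
    findings = []
    for cert in certs:
        verdict = classify(cert)
        if verdict.startswith("impersonation-"):
            findings.append((cert.subject_cn, verdict))
    return findings


# Constructed sample input: two forged certificates in the style the article
# describes, one legitimate brand certificate, and one unrelated internal cert.
SAMPLE_CERTS = [
    CertInfo("login.microsoft.com", "Microsoft Corporation",
             "login.microsoft.com", "Microsoft Corporation"),
    CertInfo("secure.bankofamerica.com", "Bank of America",
             "Trusted Root CA", "Example CA Ltd"),
    CertInfo("www.yahoo.com", "Yahoo Inc",
             "DigiCert SHA2 High Assurance Server CA", "DigiCert Inc"),
    CertInfo("intranet.corp.example", "Example Corp",
             "Example Corp Root CA", "Example Corp"),
]

if __name__ == "__main__":
    for cn, verdict in scan(SAMPLE_CERTS):
        print(f"{verdict:32} {cn}")
```

Run as written, the scan reports the self-signed "Microsoft" certificate and the "Bank of America" certificate from an unknown issuer, while the DigiCert-issued Yahoo certificate and the internal corporate certificate pass. The brand list is deliberately short and matched as a substring; a production rule would match on the organisation's registered domains and SANs as well.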

MoneyTaker uses both borrowed and self-written tools; for example, it developed an application with keylogging and screenshot capabilities. The app takes screenshots and captures keystrokes on a targeted device and steals the collected content.

To take full control of the operation, MoneyTaker uses a Pentest Framework Server. On it, the hackers install Metasploit, a legitimate penetration-testing tool. The group uses Metasploit for the following activities:

1. Network reconnaissance
2. Searching for vulnerable applications
3. Exploiting vulnerabilities
4. Escalating system privileges
5. Collecting information

Another astonishing discovery by Group-IB researchers is that MoneyTaker uses privilege escalation tools based on code presented at the Russian cybersecurity conference ZeroNights 2016. In some attacks, the group used the Citadel and Kronos banking Trojans; in one case, Kronos was used to deliver Point-of-Sale (POS) malware dubbed ScanPOS.

Remember, in August this year the FBI arrested WannaCry hero Marcus Hutchins for "creating and distributing the Kronos banking trojan." Kronos stole banking credentials from around the world but primarily targeted the United Kingdom and North America.
