Russian Financial Cybercrime

Many Shapes & Forms of Cybercrime Facilitated by Highly Developed Skills and Connectivity

The Russian-language cybercrime market is known all over the world. By ‘Russian-language market’ we mean cybercriminals who are citizens of the Russian Federation and some former USSR countries, predominantly Ukraine and the Baltic states. 

Russian Cyber Crime's Top Flight 'Stole $790m'
 
A 20-strong group of Russian cyber criminals have made $790m (£520m) over three years by emptying bank accounts around the world, it has been claimed.

Security firm Kaspersky said the gangs primarily target businesses and individuals in the US and Western Europe, however people in former Soviet Union states have also lost cash.

Kaspersky investigation unit boss Ruslan Stoyanov said that the Russian criminal underground is thriving and has, 1,000 new cyber-gang recruits in the last three years.

He pointed out that the new sign-ups vastly outnumber those arrested - which he puts at around 160, based on official crime figures.

But Mr Stoyanov - who used to work for the Kremlin's cyber crime unit - said that while thousands are involved in cyber crime there is a small group of 20 who represent the top flight of professional hacking.

This elite group of criminals is making hundreds of millions of dollars by running their crime operations with the sophistication of a legitimate business.

He said: "Cybercriminal system administrators configure management servers, buy abuse-resistant hosting for servers, ensure the availability of tools for anonymous connection to the servers (VPN) and resolve other technical challenges, including the interaction with remote system administrators hired to perform small tasks."

He said the staff were sometimes recruited using public advertisements in underprivileged areas like war-torn Ukraine.

Mr Stoyanov pointed out that his analysis of the size of Russia's cybercrime problem could be conservative. He said: "This estimate is based both on the analysis of public information about the arrests of people suspected of committing financial cybercrime in the period between 2012 and 2015 and on Kaspersky Lab’s own data.

"Of course, this figure only includes confirmed losses, the details of which were obtained by law enforcement authorities during the investigation. In reality, cybercriminals could have stolen a much larger amount."

Why is this market known worldwide?

There are two main factors why this is now known globally: the first of these is frequent global media coverage of the activity of Russian-language cybercriminals. The second is the open accessibility of online platforms used by the cybercriminal community for communications, promoting a variety of “services” and “products” and discussing their quality and methods of application, if not for making actual deals.

Over time, the range of “products” and “services” available through this underground market has evolved, becoming more focused on financial attacks, and with an ever-increasing level of sophistication. One of the most common types of cybercrime was (and still is) the turnover of stolen payment card data. With the emergence of online stores and other services involving e-payment transactions, DDoS-attacks and financial cybercrime have become especially popular with the fraudsters whose main targets are users’ payment data or the theft of money directly from user accounts or companies.

Attacks on users’ and companies’ e-wallets were initiated by the Trojan ibank in 2006; then came ZeuS (2007) and SpyEye (2009) followed by the groups Carberp (2010) and Carbanak (2013). And this list is incomplete; there are more Trojans out there, used by criminals to steal users’ money and data.

With online financial transactions becoming more common, the organizations supporting such operations are becoming more attractive to cybercriminals. Over the last few years, cybercriminals have been increasingly attacking not just the customers of banks and online stores, but the enabling banks and payments systems directly. 

According to Kaspersky Lab, between 2012 and 2015, law enforcement agencies from a number of different countries, including the United States, Russia, Belarus, Ukraine and the EU arrested over 160 Russian-speaking cybercriminals who were members of small, medium-sized and large criminal groups. They were all suspected of being engaged in stealing money using malware. The total damage resulting from their worldwide activity exceeded $790 million dollars. 

Of this sum, about $509 million dollars was stolen outside the borders of the former USSR. Of course, this figure only includes confirmed losses, the details of which were obtained by law enforcement authorities during the investigation. In reality, cybercriminals could have stolen a much larger amount.

The exact number of groups operating across Russia and its neighboring countries is unknown: many of those involved in criminal activities participate in several thefts and then, for various reasons cease their activity. Some participants of known but apparently disbanded groups continue their criminal activities as part of new groups.

Unlike the real world, a robbery in cyberspace usually goes unnoticed and there is a very small window for collecting digital evidence after the crime. Further, criminals have no need to stay in the country where the crime is committed.

Unfortunately, for Russian-speaking cybercriminals current conditions are more than favorable: the risk of prosecution is low while the potential rewards are high. As a result, the number of crimes and the damage caused by them is growing, and the market for cybercriminal services is increasing momentum.

Security Affairs: http://bit.ly/1lTGhS2
Sky: http://bit.ly/1PLwjys
Securelist: http://bit.ly/1XamtFf