10/15/2014 02:31 PM

Russian Hackers Made $2.5B Over The Last 12 Months

The big bucks are in selling credit card data -- not using it for fraud -- and PoS and ATM attacks are on the rise.

The Russian hacking industry brought in $2.5 billion between mid-2013 and mid-2014, thanks in large part to the Target breach, according to a report released today by Group-IB.

Other bad news: ATM hacks are on the rise. Spamming still pays well. New criminal groups are hitting the scene, specializing in mobile threats. And POS attacks will only get worse, because they can deliver data that's 10 times more profitable than your average plaintext credit card number.

Also, while financial fraud is still a big earner -- accounting for $426 million -- it's being surpassed by the simple buying and selling of credit card data. The carding business brought in $680 million.

All of this is evidence of the growing sophistication of the Russian cybercrime industry. (Group-IB defines this as "the market of computer crimes committed by Russian citizens, by citizens of the [countries in the Commonwealth of the Independent States, created when the Soviet Union was dissolved] and the Baltic states, as well as by citizens of other countries from the former Soviet Union.") As the report describes it:

The market for stolen credit card data in the last 10 years has finally been structured and now features mass automated distribution channels in the form of electronic trading platforms.

[Want more about the Russian hacking industry? Read how the cyber espionage group, Sandworm, hit Ukrainian and American targets with a Windows zero-day attack.]

Last year, the Target breach was the "main source of stolen credit card details," but soon attacks on point-of-sale may be the new well where the carding marketplace goes. As the report explains:

The market value of a credit card dump is on average 10 times higher than the cost of credit card text details. This is because dumps offer greater opportunities for fraudulent transactions. So, with the dump of a credit card, an attacker can make a physical duplicate of that card and conduct operations in off-line points of sale, buying expensive electronics, luxury goods, medicines and other goods to be subsequently sold in a secondary market. Credit card dumps are stolen with the use of skimming hardware, or by infecting POS terminals with special Trojans (Dexter, BlackPOS, JackPOS, BrutPOS, Alina, etc.).

POS attacks were all the rage this summer, and their popularity is likely to grow.

"POS attacks have a good potential to get worse," says Group-IB CEO Ilya Sachkov. "There is a vast number of vulnerable devices, random infections, target attacks, and reluctance of operators to provide the necessary level of protection. The result is big leaks. [Another] important factor is that no one has been prosecuted so far. There is no precedent, therefore there is no reason for a decline, only growth."

These breaches, in particular, are a boon to card traders. The size and growth of the booming carding market was what most surprised Sachkov about the findings.

There are now professional wholesalers who deal in stolen card data. The main supplier of user data stolen from compromised credit cards has been "Rescator" -- a.k.a. Helkern, a.k.a. ikaikki, and suspected to be Ukrainian resident Andrey Hodirevski. The wholesalers buying Rescator's wares do quite well for themselves, too. Rescator made roughly $1 million by selling over 150,000 cards to SWIPED, one of the largest online trading platforms; SWIPED itself made $6 million in one year.

Group-IB also notes that Bitcoin has become the currency of choice in the criminal marketplace. "Almost all shops selling credit card data, as well as shops in the shadow Internet selling weapons, drugs and more have switched over to Bitcoin as their method of accepting payments," the report states.

There has also been a "sharp increase" in Russian criminals' attacks on ATM machines. From the report:

Attackers now use not only malicious programs capable of stealing credit card details, but also more advanced types of fraud, where the criminals manipulate the amount issued from ATMs or are able to control the dispenser for the ultimate aim of emptying the ATM machines of their cash during maximum load.

Earlier this year, ATMs were plagued by the Ploutus malware and just last week Kaspersky Labs released details about attackers compromising ATMs by using the Tyupkin malware.

"ATM attacks have increased due to [the] emergence of new software and [a] new criminal group that does targeted attacks," says Sachkov. "In addition, ATMs historically were considered very secure, except skimming, therefore banks were not heavily involved in development of protection from such attacks."

The Russian hacking industry also has tidy little businesses in DDoS attacks ($113 million) and the sale of nefarious goods and services like traffic, exploit code, and anonymization ($288 million). Yet what brings in the most bucks is perhaps the least glamorous: spam, which brought in a whopping $841 million. Sachkov says that spamming was always a lucrative business, and that the evolution of spam for Skype, SMS, and voice media is getting new players into the market.

"The worst news is the increase in number of criminal groups due to the emergence of new ways of theft from individuals by use of mobile devices," says Sachkov. This year also saw the emergence of five new crime groups specialized in mobile bank theft, and all of them used their own unique Trojan horse. "In addition, the bad news is that hackers use politics and geography to avoid prosecution."

Yet, it's not all gloom and doom.

"The best news," says Sachkov, "is that we've seen a reduction of theft from legal entities in [the] Russian sector. This essentially means that investigations that were undertaken have proved to be effective.

"The best news for [the] foreign sector is the arrest of Paunch," says Sachkov. "Paunch," the 27-year-old creator of the BlackHole and Cool exploit kits, was arrested last October. Before his arrest, his criminal endeavors were making him over $50,000 per month. "[Paunch's] exploit-kit pack malware was widely used in attacks, including bank theft from customers of banks overseas."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Marilyn Cohodas, User Rank: Strategist, 10/17/2014 | 8:43:09 AM
Re: Enforcement irony?
Well, there is Interpol, of course, which recently announced that it is teaming up with Kaspersky Labs and Trend Micro in a state-of-the-art facility to fight cyber crime based in Singapore. But in terms of big busts stemming from the major retail breaches of the past year, the criminals responsible seem to have gotten off scot-free -- at least so far.
AnonymousMan, User Rank: Moderator, 10/16/2014 | 6:47:48 PM
Re: Time for Apple Pay?
LOL.
Dr.T, User Rank: Ninja, 10/16/2014 | 6:37:54 PM
Re: Enforcement irony?
Laws are geographically bounded but the Internet is not; this certainly creates some challenges, but if each country does its own duty properly, the problem would be less severe.
Dr.T, User Rank: Ninja, 10/16/2014 | 6:35:08 PM
Re: That's a lot
Numbers are more likely estimates, but that does not change the fact that there is a market for stolen credit cards. We need to change the overall system to avoid utilization of current credit cards and numbers.
Dr.T, User Rank: Ninja, 10/16/2014 | 6:32:44 PM
Time for Apple Pay?
Maybe it is time for Apple Pay now. Apple is releasing iOS 8.1 on Monday, which will support Apple Pay; that may be a way out of this complexity.
AnonymousMan, User Rank: Moderator, 10/16/2014 | 10:48:38 AM
Re: That's a lot
It is a lot, but since it's pretty much a made-up number AFAICT... why not say $2.5T? Then we could really get some popular support in the US for the Govt to intervene, like we all know they want to.
RyanSepe, User Rank: Ninja, 10/16/2014 | 9:40:11 AM
Re: Enforcement irony?
You bring up a good point, Marilyn. How come there have been no substantial repercussions for these attacks? Basically illuminating the proverb that if the stove never burned you, you would keep touching it. Especially if it had a high yield like credit data theft.

From my perspective I would have to think it would be difficult to prosecute on an international level. I'm not too familiar with other countries' cyber crime laws and punishments, but in certain countries these may not apply. Is there a global authoritative level for issues such as these?
prospecttoreza, User Rank: Strategist, 10/16/2014 | 9:31:51 AM
This number was not reported on the tax return, so where does it come from?
So Target lost around 50M cards, Home Depot another 50M. Let's double this number to cover other breaches: 200M. Now, kids, let's multiply 200M by $10 per card -- and we are getting a whopping $2 billion. But that is assuming that all of them are sold -- at that specific price! Look at all the other numbers here depicting profit from selling data to spammers and so on. These numbers have 3 meaningful digits, which implies 0.1% accuracy! These are all bogus numbers that come from a mere act of multiplication.
Marilyn Cohodas, User Rank: Strategist, 10/16/2014 | 9:17:40 AM
Enforcement irony?
Isn't it ironic that in POS attacks "no one has been prosecuted so far... therefore there is no reason for a decline, only growth." But the biggest successes (reduction of theft from legal entities) were where there were effective investigations. Isn't that kind of obvious? Or am I missing something?
Whoopty, User Rank: Ninja, 10/16/2014 | 8:11:13 AM
That's a lot
$2.5 billion is starting to get to the point where you wonder if the state might be getting involved. We've already seen some of the most rogue hacking elements in China come from practically autonomous military units. Perhaps the Russian government is padding its coffers with a bit of illicit hacking?