

10/15/2014
02:31 PM

Russian Hackers Made $2.5B Over The Last 12 Months

The big bucks are in selling credit card data -- not using it for fraud -- and PoS and ATM attacks are on the rise.

The Russian hacking industry brought in $2.5 billion between mid-2013 and mid-2014, thanks in large part to the Target breach, according to a report released today by Group-IB.

Other bad news: ATM hacks are on the rise. Spamming still pays well. New criminal groups are hitting the scene, specializing in mobile threats. And POS attacks will only get worse, because they can deliver data that's 10 times more profitable than your average plaintext credit card number.

Also, while financial fraud is still a big earner -- accounting for $426 million -- it's being surpassed by the simple buying and selling of credit card data. The carding business brought in $680 million.

All of this is evidence of the growing sophistication of the Russian cybercrime industry. (Group-IB defines this as "the market of computer crimes committed by Russian citizens, by citizens of the [countries in the Commonwealth of the Independent States, created when the Soviet Union was dissolved] and the Baltic states, as well as by citizens of other countries from the former Soviet Union.") As the report describes it:

The market for stolen credit card data in the last 10 years has finally been structured and now features mass automated distribution channels in the form of electronic trading platforms.


Last year, the Target breach was the "main source of stolen credit card details," but soon attacks on point-of-sale may be the new well where the carding marketplace goes. As the report explains:

The market value of a credit card dump is on average 10 times higher than the cost of credit card text details. This is because dumps offer greater opportunities for fraudulent transactions. So, with the dump of a credit card, an attacker can make a physical duplicate of that card and conduct operations in off-line points of sale, buying expensive electronics, luxury goods, medicines and other goods to be subsequently sold in a secondary market. Credit card dumps are stolen with the use of skimming hardware, or by infecting POS terminals with special Trojans (Dexter, BlackPOS, JackPOS, BrutPOS, Alina, etc.).

PoS attacks were all the rage this summer, and their popularity is likely to grow.

"POS attacks have a good potential to get worse," says Group-IB CEO Ilya Sachkov. "There is a vast number of vulnerable devices, random infections, target attacks, and reluctance of operators to provide the necessary level of protection. The result is big leaks. [Another] important factor is that no one has been prosecuted so far. There is no precedent, therefore there is no reason for a decline, only growth."

These breaches, in particular, are a boon to card traders. The size and growth of the booming carding market was what most surprised Sachkov about the findings.

There are now professional wholesalers who deal in stolen card data. The main supplier of user data stolen from compromised credit cards has been "Rescator" -- a.k.a. Helkern, a.k.a. ikaikki, and suspected to be Ukrainian resident Andrey Hodirevski. The wholesalers buying Rescator's wares do quite well for themselves, too. Rescator made roughly $1 million by selling over 150,000 cards to SWIPED, one of the largest online trading platforms; SWIPED itself made $6 million in one year.

Group-IB also notes that Bitcoin has become the currency of choice in the criminal marketplace. "Almost all shops selling credit card data, as well as shops in the shadow Internet selling weapons, drugs and more have switched over to Bitcoin as their method of accepting payments," the report states.

There has also been a "sharp increase" in Russian criminals' attacks on ATM machines. From the report:

Attackers now use not only malicious programs capable of stealing credit card details, but also more advanced types of fraud, where the criminals manipulate the amount issued from ATMs or are able to control the dispenser for the ultimate aim of emptying the ATM machines of their cash during maximum load.

Earlier this year, ATMs were plagued by the Ploutus malware and just last week Kaspersky Labs released details about attackers compromising ATMs by using the Tyupkin malware.

"ATM attacks have increased due to [the] emergence of new software and [a] new criminal group that does targeted attacks," says Sachkov. "In addition, ATMs historically were considered very secure, except skimming, therefore banks were not heavily involved in development of protection from such attacks."

The Russian hacking industry also has tidy little businesses in DDoS attacks ($113 million) and the sale of nefarious goods and services like traffic, exploit code, and anonymization ($288 million). Yet what brings in the most bucks is perhaps the least glamorous: spam, which brought in a whopping $841 million. Sachkov says that spamming was always a lucrative business, and that the evolution of spam for Skype, SMS, and voice media is getting new players into the market.

"The worst news is the increase in number of criminal groups due to the emergence of new ways of theft from individuals by use of mobile devices," says Sachkov. This year also saw the emergence of five new crime groups specialized in mobile bank theft, and all of them used their own unique Trojan horse. "In addition, the bad news is that hackers use politics and geography to avoid prosecution."

Yet, it's not all gloom and doom.

"The best news," says Sachkov, "is that we've seen a reduction of theft from legal entities in [the] Russian sector. This essentially means that investigations that were undertaken have proved to be effective.

"The best news for [the] foreign sector is the arrest of Paunch," says Sachkov. "Paunch," the 27-year-old creator of the BlackHole and Cool exploit kits, was arrested last October. Before his arrest, his criminal endeavors were making him over $50,000 per month. "[Paunch's] exploit-kit pack malware was widely used in attacks, including bank theft from customers of banks overseas."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Marilyn Cohodas
User Rank: Strategist
10/17/2014 | 8:43:09 AM
Re: Enforcement irony?
Well, there is Interpol, of course, which recently announced that it is teaming up with Kaspersky Labs and Trend Micro in a state-of-the-art facility to fight cyber crime based in Singapore. But in terms of big busts stemming from the major retail breaches of the past year, the criminals responsible seem to have gotten off scot-free -- at least so far.
AnonymousMan
User Rank: Moderator
10/16/2014 | 6:47:48 PM
Re: Time for Apple Pay?
LOL.
Dr.T
User Rank: Ninja
10/16/2014 | 6:37:54 PM
Re: Enforcement irony?
Laws are geographically bounded but the Internet is not; this certainly creates some challenges, but if each country does its own duty properly the problem would be less severe.
Dr.T
User Rank: Ninja
10/16/2014 | 6:35:08 PM
Re: That's a lot
Numbers are more likely estimates, but that does not change the fact that there is a market for stolen credit cards. We need to change the overall system to avoid utilization of current credit cards and numbers.
Dr.T
User Rank: Ninja
10/16/2014 | 6:32:44 PM
Time for Apple Pay?
Maybe it is time for ApplePay now. Apple is releasing iOS 8.1 on Monday, which will support ApplePay; that may be a way out of this complexity.
AnonymousMan
User Rank: Moderator
10/16/2014 | 10:48:38 AM
Re: That's a lot
It is a lot, but since it's pretty much a made up number AFAICT...why not say $2.5T?  Then we could really get some popular support in the US for the Govt to intervene like we all know they want to.
RyanSepe
User Rank: Ninja
10/16/2014 | 9:40:11 AM
Re: Enforcement irony?
You bring up a good point, Marilyn. How come there have been no substantial repercussions for these attacks? Basically illuminating the "if the stove never burned you, you would keep touching it" proverb. Especially if it had a high yield like credit data theft.

From my perspective I would have to think it would be difficult to prosecute on an international level, not being too familiar with other countries' cyber crime laws and punishments. But in certain countries these may not apply. Is there a global authoritative level for issues such as these?
prospecttoreza
User Rank: Strategist
10/16/2014 | 9:31:51 AM
This number was not reported on the tax return, so where does it come from?
So Target lost around 50M cards, Home Depot another 50M. Let's double this number to cover other breaches: 200M. Now, kids, let's multiply 200M by $10 per card -- and we are getting a whopping $2 billion. But that is assuming that all of them are sold -- at that specific price! Look at all other numbers here depicting profit from selling data to spammers and so on. These numbers have 3 meaningful digits, which implies 0.1% accuracy! These are all bogus numbers that come from a mere act of multiplication.
Marilyn Cohodas
User Rank: Strategist
10/16/2014 | 9:17:40 AM
Enforcement irony?
Isn't it ironic that in POS attacks "no one has been prosecuted so far... therefore there is no reason for a decline, only growth." But the biggest successes (reduction of theft from legal entities) were where there were effective investigations. Isn't that kind of obvious? Or am I missing something?
Whoopty
User Rank: Ninja
10/16/2014 | 8:11:13 AM
That's a lot
$2.5 billion is starting to get to the point where you wonder if the state might be getting involved. We've already seen some of the most rogue hacking elements in China come from practically autonomous military units. Perhaps the Russian government is padding its coffers with a bit of illicit hacking?