Attacks on Internet banking users are no longer newsworthy. In fact, several different banking trojans have, for almost a decade, been targeting Internet users making online banking transactions. These attacks are now routine even though the different attackers are constantly changing their methods and tools, as well as adjusting their techniques to counter security measures introduced by defenders. However, something new has developed in the past few years: the rise of organized, specialized cybercriminal groups directly targeting financial institutions instead of their customers.
This trend has been seen in several countries, but banks in Russia seem to be targeted most frequently. It is now common to see an attacker group trying to spear-phish workers in these banks with the ultimate goal of stealing money by making fraudulent transfers or using other elaborate schemes. Some of them are also showing particular interest in trading platforms used by the banks. We have seen a case where cybercriminals successfully gained unlawful access to a trading platform where they could issue orders on behalf of a victim bank. There have been some regulatory changes introduced in Russia lately, but this has not stopped the cybercriminals. We have even seen groups impersonating this new government body in order to better to lure their targets.
This paper will cover different groups targeting financial institutions worldwide, but especially in Russia. We will look at long lasting gangs such as Buhtrap and Corkow that have been relentlessly targeting the Russian financial sector. These groups are highly sophisticated and are spending a large amount of time compromising different entities to improve coordination of their attacks. They also infiltrate the corporate network for a long time, finding the right workstation and carefully planning their final attack. Some groups use a shotgun approach where they try to infect as many computers as possible and then run tools to find the interesting ones, while others are doing background research before conducting their attacks and attempt to compromise only interesting targets. This paper will review the different tactics and tools used by the different groups. Another interesting aspect of these attacks is the usage of code-signing certificates. In fact, one group has used more than 20 different code-signing certificates in the past two years. A description of how these tools were used, the different attacks they performed and an estimate of the amounts that were stolen will also be given.
Finally, we will try to determine whether these types of attacks are likely to transfer to the rest of the world, as is often the case with Russian cybercrime. In fact, we have seen countless examples of Russians being the first victims of trends that are then globalized.