Security research firm Kaspersky Labs has been detailing various ways in which gangs in Russia have been using increasingly sophisticated software packages, called "crimeware", to infect computers at financial institutions in order to steal large sums of cash.
Kaspersky details a few threats in particular that are currently being used in the wild in Russia. One gang is using a package called Metel, a series of modules used to infect bank employee workstations and then move on to the computers that process financial transactions. Once they had a foothold on the financial network, they would use client cards to withdraw money from a compromised ATM, using their system access to immediately roll back each transaction so that it never registered against the account. They were limited only by the amount of cash in the ATM. Kaspersky thinks this gang consists of at most ten people, that they speak mainly Russian, and that no attacks outside of Russia have been detected.
Another gang using sophisticated techniques to steal from banks is a group known as GCMAN, who are hacking into banks by taking over HR or accounting workstations and deliberately crashing business software in order to lure an IT administrator to the workstation and capture that administrator's credentials. With the elevated access they would then move through the network until they found a machine handling transactions and write a script that transferred up to $200 at a time out of the system, keeping each transfer small to avoid detection. This team is known to speak Russian and it is thought that there are only one or two members.
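The two fraud patterns described above, an ATM withdrawal that is immediately rolled back (Metel) and a stream of sub-$200 transfers to one destination (GCMAN), both leave traces in a bank's own transaction ledger. The following is an added example, not from Kaspersky's report, of how a monitoring script might flag them; the ledger format, field names and sample rows are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample ledger (not from the report): timestamp,account,type,amount,counterparty
LOG = """\
2016-02-08T10:00:05,ACC-1,ATM_WITHDRAW,500,ATM-77
2016-02-08T10:00:09,ACC-1,ROLLBACK,500,ATM-77
2016-02-08T10:01:20,ACC-1,ATM_WITHDRAW,500,ATM-77
2016-02-08T10:01:24,ACC-1,ROLLBACK,500,ATM-77
2016-02-08T11:00:00,ACC-2,TRANSFER,200,DEST-9
2016-02-08T11:02:00,ACC-2,TRANSFER,190,DEST-9
2016-02-08T11:04:00,ACC-2,TRANSFER,200,DEST-9
2016-02-08T11:06:00,ACC-2,TRANSFER,180,DEST-9
2016-02-08T12:00:00,ACC-3,TRANSFER,5000,DEST-1
"""

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, acct, kind, amount, cp = line.split(",")
        rows.append((datetime.fromisoformat(ts), acct, kind, float(amount), cp))
    return rows

def find_rollback_pairs(rows, window=timedelta(seconds=60)):
    """Metel-style pattern: a cash withdrawal reversed at the same ATM within `window`."""
    hits, pending = [], []
    for ts, acct, kind, amount, cp in rows:
        if kind == "ATM_WITHDRAW":
            pending.append((ts, acct, amount, cp))
        elif kind == "ROLLBACK":
            for w in pending:
                if w[1:] == (acct, amount, cp) and ts - w[0] <= window:
                    hits.append((acct, cp, amount, w[0]))
                    pending.remove(w)  # each withdrawal pairs with one rollback
                    break
    return hits

def find_structured_transfers(rows, ceiling=200.0, min_count=4, window=timedelta(minutes=30)):
    """GCMAN-style pattern: many transfers at or below `ceiling` to one destination in `window`."""
    by_pair = defaultdict(list)
    for ts, acct, kind, amount, cp in rows:
        if kind == "TRANSFER" and amount <= ceiling:
            by_pair[(acct, cp)].append(ts)
    flagged = []
    for (acct, cp), stamps in by_pair.items():
        stamps.sort()
        for i in range(len(stamps) - min_count + 1):
            if stamps[i + min_count - 1] - stamps[i] <= window:
                flagged.append((acct, cp, len(stamps)))
                break
    return flagged
```

Both checks run on sample rows that the bank's normal reconciliation would consider balanced, which is exactly why the rollback trick was hard to spot; pairing withdrawals with reversals and counting small same-destination transfers per time window is what surfaces them.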
The third group detailed is one that has been known internationally for some time, the Carbanak group, which consists of members from Russia, China, Ukraine, and other European countries. This group has been using similar techniques to infect various companies’ financial systems and is known to have stolen millions of dollars from corporations around the world.
Kaspersky also includes tips to help bank employees avoid becoming the targets of malicious groups like these, since all of these attacks began with a bank employee opening a malicious email, attachment or web site and thereby letting the attackers into their system. The most important thing to remember is to keep software up to date, as a large number of intrusions exploit security holes for which a patch is already available.