Russia last week arrested 50 people they detained in 86 searches through 15 Russian territories in what’s being called the country’s biggest bust ever of financial hackers.
The country’s Federal Security Service (FSB) told the Russian news agency TASS that the gang is suspected of orchestrating the theft of 1.7 billion rubles ($25 million) from Russian banks and financial institutions.
Since 2011, the robbers had allegedly been stealing money directly from bank accounts in Russia and other countries of the Commonwealth of Independent States (CIS) by using a Trojan called Lurk.
Lurk uses a form of steganography: that’s where one file is hidden away inside another file of a completely different sort, such as an image, audio, or video file.
Outside of malware, steganography can entail messages tucked away in plain sight: such as within a pizza order, as one quick-witted hostage found out.
The cybercrime gang used Lurk to create a botnet of infected computers from which they launched targeted attacks against Russian banks, businesses and media companies.
A source close to the investigation told TASS that between March and April, six Russian banks were hit, including Metallinvestbank, Russian International Bank, Metropol and Regnum.
The source said that the gang obtained remote access to Metallinvestbank’s systems and transferred money out to accounts under their control. In total, the source claimed, 680 million rubles ($10.2 million) were stolen from that one bank.
Another victimized bank, Sberbank, worked with a Russian security firm, the Russian Interior Ministry and the FSB to catch the hackers.
Russian security firm Group IB, which profiles cyber crime groups in Eastern Europe, said that the Lurk gang had been siphoning off bank funds for 5 years.
Interior Ministry spokeswoman Irina Volk told TASS on Wednesday that there have been 18 targeted attacks on bank clients since mid-2015 and the damage from these attacks has exceeded 3 billion rubles.
More money was on its way out: Russian police managed to stop fake money transactions that would have been worth another $30 million (2,273 billion rubles).
All you had to do to be infected by Lurk was to visit a rigged site. After Lurk latched on to a victim’s computer, it would then download additional modules that stole login names and passwords for online bank accounts.
In particular, they targeted accounts held at Sberbank, one of Russia’s largest banks.
Group IB spokesman Victor Ivanovsky told the BBC that the group, which had initially gone after bank customers, earlier this year changed focus to launch Advanced Persistent Threat (APT) attacks on Russian banks.
The Lurk gang’s switch to APTs reportedly coincided with the public availability of source code for a banking malware called Buhtrap.
IB Group reports that Buhtrap’s main way to infect corporate networks is by sending carefully crafted phishing emails on behalf of the Central Bank of Russia or its representatives.
The messages look like they come from industry groups that certify bank and accounting staff, according to the BBC. Clicking on the rigged file would then infect a victim’s system with Lurk.
It’s easy to get sucked in by a phishing trap if you aren’t paying attention, because it’s easy for the crooks to clone the look and feel of the bank’s real site by simply copying and lightly modifying a legitimate business’s web pages.