Hackers Rob Millions From Dozens Of Banks

Bank finance © Paul Fleet Shutterstock 2012

In 2015 hackers turned to hacking banks directly, rather than targeting end users, according to Kaspersky Lab

More than two dozen large Russian banks were targeted by hacking gangs last year, with the loss of millions of pounds, according to a new study.

The report, presented by Moscow-based Kaspersky Lab’s Global Research and Analysis Team (GREAT) during the firm’s Security Analyst Summit in Tenerife this week, found that three distinct groups had successfully fleeced at least 29 unnamed banks.

“In 2015 we saw the rise of cybercriminals who rob banks directly,” Kaspersky said in a blog post.


A gang using malware called Metel, which first came to light in 2011, last year developed a scheme that allowed them to withdraw unlimited amounts of cash from ATMs, Kaspersky said.

The gang first targeted bank employees through targeted email-borne attacks exploiting browser vulnerabilities. Once inside a network, the hackers looked to take over PCs belonging to individuals with access to cash transactions.

They implanted malware on these systems that automatically erased records of ATM transactions, so that a cash withdrawal would not affect the account’s balance.

“The balance on the cards remained the same, allowing the cybercriminal to withdraw money limited only by the amount of cash in the ATM,” Kaspersky stated. “The criminals made similar cash-outs at different ATM machines.”

The gang, which remains active, consists of only about ten people and has only targeted Russian banks, Kaspersky said.

E-currency transfers

Another group, limited to only one or two members, similarly gained access to bank systems via email-borne attacks and looked to obtain system administrator login credentials. They used the credentials to gain access to systems with the ability to transfer funds to e-currency services.

The transfers were limited to small amounts of around £150 at a time, the upper limit for anonymous transactions in Russia, but wre carried out continuously, about once a minute, so that the total amount added up to a large sum, Kaspersky said.

“It’s noteworthy that the thieves were very careful. In one case they quietly stayed in the network for a year and half, stealthy hacking lots of devices and accounts,” the firm stated.

Carbanak gang broadens targets

Kaspersky’s investigations found that a group using the Carbanak malware, which has been known to researchers since 2013, returned late last year with a broader set of targets that included financial departments of a variety of companies, as well as banks.

The group gains access to a target organisation’s systems through means similar to the other gangs, and then looks for ways of transferring money from bank accounts of changing data about a company’s owner, according to Kaspersky.

The group is international, including dozens of members from Russia, China, Ukraine and European countries, Kaspersky said.

The gang used Carbanak to rob banks and financial institutions of nearly $1bn over a two-year period in 2013 and 2014, Kaspersky said in a report early last year. The group targeted up to 100 organisations in countries including Russia, the US, Germany, China, the Ukraine and Canada.

Kaspersky said at the time that the attacks marked a shift in hackers’ tactics, infiltrating banks directly rather than targeting end user accounts.

The company advised employees in the financial sector to be vigilant in guarding against such attacks, and noted that security software can detect and neutralise malware of the type used to attack banking systems.

Are you a security pro? Try our quiz!