The Cobalt group has tried a new method of withdrawing funds from credit organizations through payment system gateways. In September, about $100,000 was withdrawn from the Housing Finance Bank (BZhF) through such gateways. According to Kommersant's interlocutors in law enforcement, three other credit organizations were also infected. All of these banks have an extremely low level of information security, which, according to experts, could only be revealed by unscheduled inspections.
As Kommersant has learned, in September hackers from the Cobalt group withdrew about $100,000 from BZhF through payment system gateways. Such an attack is not only atypical for the group, experts say; there have been no withdrawals of funds through payment system gateways for many years. "However, there were cases of such withdrawals two years ago," said Stanislav Pavlunin, director of security at Post Bank. Since then, hackers have switched to attacks in which funds are withdrawn through other channels, notes Dmitry Sturov, head of information security at Renaissance Credit. "I think this is primarily due to the fact that it is difficult for hackers to withdraw large sums through payment gateways," he says.
According to Vladimir Kuznetsov, executive director of CyberPlat, when money is transferred through a payment system gateway, it can be sent either online or in tranches. At the same time, both the payment system and the bank set limits on transfers: on the total amount of transfers during the day, on the maximum amount of a single transfer, on the number of transfers of the same type, and so on. "Such bilateral limits should protect the bank, including from unauthorized write-offs," he noted. In this case, according to Kommersant's sources familiar with the situation, the attackers broke into the bank's automated banking system (ABS), raised the established limits on transfers of funds, moved money through payment system gateways to bank cards and then cashed it out.
The malware got into the bank via a phishing email that was allegedly sent on behalf of Alfa Bank. The letter purported to be a request from the bank to resolve an issue with fraudulent transactions that had allegedly originated from BZhF. Alfa Bank's press service told Kommersant that no one had hacked Alfa Bank's mail. "An attack from a mailbox whose name resembles the address of a well-known organization is an extremely common hacker technique that relies on inattention," they noted.
Experts see one of the reasons for the hackers' return to the old schemes in the fact that it is difficult for a payment system to spot an unauthorized payment. Alexey Novikov, head of the Security Technologies expert center at Positive Technologies, notes that it is rather difficult for a payment system to distinguish a legitimate payment from an illegitimate one. "In most cases, the payment system can only find out from a message from the bank that the transfer of funds was made by intruders," notes Vladimir Kuznetsov.
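The bilateral limits described by Kuznetsov, and the point that the payment system cannot easily tell an unauthorized payment on its own, as an added Python example (constructed for this article, not code from any bank or payment system named here): the payment system keeps its own copy of the limits, so raising the bank-side limits in the ABS is not enough by itself, and a separate check flags limit increases in a constructed ABS audit log. All limit values, the audit event format and the user names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Limits:
    per_transfer: int        # maximum amount of a single transfer
    daily_total: int         # total volume allowed per day
    same_type_per_day: int   # number of same-type transfers allowed per day

@dataclass
class DayCounters:
    total: int = 0
    by_type: dict = field(default_factory=dict)

def check_one_side(amount, kind, limits, day):
    """Evaluate one party's limits; return the reason for refusal or None."""
    if amount > limits.per_transfer:
        return "per-transfer limit"
    if day.total + amount > limits.daily_total:
        return "daily total limit"
    if day.by_type.get(kind, 0) + 1 > limits.same_type_per_day:
        return "same-type count limit"
    return None

def authorize(amount, kind, bank_limits, psp_limits, bank_day, psp_day):
    """Bilateral check: the bank and the payment system each apply their own
    limits. Counters are updated and the transfer allowed only if both accept,
    so limits raised on the bank side alone do not open the door."""
    reasons = {"bank": check_one_side(amount, kind, bank_limits, bank_day),
               "payment_system": check_one_side(amount, kind, psp_limits, psp_day)}
    refused = {side: why for side, why in reasons.items() if why}
    if refused:
        return False, refused
    for day in (bank_day, psp_day):
        day.total += amount
        day.by_type[kind] = day.by_type.get(kind, 0) + 1
    return True, {}

def limit_raise_alerts(audit_events, baseline):
    """Flag ABS audit events in which a bank-side limit was raised above its
    agreed baseline. Event format is constructed: dicts with
    'field', 'old', 'new' and 'user' keys."""
    alerts = []
    for ev in audit_events:
        base = getattr(baseline, ev["field"])
        if ev["new"] > base:
            alerts.append(f"{ev['user']} raised {ev['field']} "
                          f"{ev['old']}->{ev['new']} (baseline {base})")
    return alerts
```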
FinCERT (the Central Bank's information security unit) reported on the phishing mailing with which the attackers infiltrated the bank in its August 16 bulletin. It said that a Microsoft vulnerability was being exploited and gave recommendations for remediating it. "It was about the Beacon Trojan," Alexey Novikov noted. "It is used to organize remote access to an employee's work computer."
Kommersant's interlocutor in law enforcement agencies said that they were aware of the infection of three more credit organizations. "We found out that both the affected bank and the other infected ones share a low level of information security, the absence of Russian antiviruses, licensed software, and updates," he noted. He is sure that the Central Bank must be given additional powers to carry out unscheduled inspections of information security in banks. "If this is not done, there may be a wave of theft," law enforcement officers warn. Meanwhile, Positive Technologies experts registered the most recent mailing of Cobalt malware at the end of September this year, after the attack described here.
However, banks are confident that under current conditions they are able to defend themselves. According to Sergey Chernokozinsky, head of the Information Security Management Department at OTP Bank, it is necessary at the very least to closely follow all FinCERT recommendations. Enhanced protection of the perimeter of payment system gateways and of access keys is needed, adds Dmitry Sturov. "A reliably built, layered system of cyber defense can significantly reduce the likelihood of such theft," Stanislav Pavlunin is convinced.