MoneyTaker hacking group steals millions from US, UK, Russian banks

Researchers say the cyberattackers have been able to steal potentially millions of dollars in the past two years alone.
Written by Charlie Osborne, Contributing Writer

Video: Criminals hack cash machines -- without cards or PINs

A newly-discovered hacking group had managed to steal potentially millions of dollars from US, UK, and Russian banks in the past two years, researchers claim.

The group, dubbed MoneyTaker, has successfully managed to attack over 20 financial institutions, banks, software vendors, and law firms worldwide in order to conduct fraudulent transactions, use money mules to withdraw cash stolen from companies, and steal valuable corporate and sensitive information.

Researchers from Group-IB said in a recent report that MoneyTaker has primarily targeted card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT.

The group has been linked to 16 victims in the US, one in the UK, and three in Russia.

The first attack was detected in 2016 when money was stolen from a US bank by compromising First Data's network operator portal. Since then, companies in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia, and Florida have also been targeted.

Group-IB connected the dots between attacks conducted by MoneyTaker through the tools used, attack infrastructure, and withdrawal schemes which had a particular signature -- the use of unique accounts for each transaction.

The hacking group uses software compiled from code demonstrated at the Russian cybersecurity conference ZeroNights in 2016, delivers Point-of-Sale (PoS) malware, keyloggers, screen capture code and also makes use of the Citadel and Kronos banking Trojans.

However, modular software used by MoneyTaker of particular interest is "MoneyTaker v5.0," which is able to search for payment orders and modify them, replace payment details, and erase logs.

"The success of replacement is due to the fact that at this stage the payment order has not yet been signed, which will occur after payment details are replaced," the researchers say. "In addition to hiding the tracks, the concealment module again substitutes the fraudulent payment details in a debit advice after the transaction back with the original ones."

"This means that the payment order is sent and accepted for execution with the fraudulent payment details, and the responses come as if the payment details were the initial ones," Group-IB added. "This gives cybercriminals extra time to mule funds before the theft is detected."

The average cost of a successful attack was estimated to be $500,000.

MoneyTaker is also known to use legitimate tools such as Metasploit, a key tool for network administrators. In addition, the hackers may employ fileless malware and fake SSL certificates generated using the names of well-known legitimate brands including Yahoo, Microsoft, and Bank of America.

The team says that MoneyTaker has gone "largely unnoticed" as the group is constantly evolving its tactics and tools in order to avoid detection and circumvent traditional security solutions.

In particular, the hackers take great care in wiping away any trace of their activities -- despite also "hanging around" after a successful attack to spy on their victims and exfiltrate information.

"MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise," says Dmitry Volkov, co-founder Group-IB and Head of Intelligence. "In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice."

Group-IB has handed over details of the attacks to law enforcement including Europol, and while attacks continue, believes the next area to be targeted may be Latin America.

Best gifts: Top tech for co-workers

Previous and related coverage

    Bitcoin exchange NiceHash hacked, $68 million stolen

    Users are watching the attacker's wallet address like hawks, waiting for any movement of their stolen coins.

    Bangladesh minister: We want to 'wipe out' Philippines bank after $80 million heist

    The finance minister said he wants to "wipe out Rizal Bank from Earth" due to the cyberattack.

    Keylogger uncovered on hundreds of HP PCs

    For the second time this year, HP has been forced to issue an emergency fix for pre-installed keylogger software.

      Editorial standards