The Russian Interior Ministry announced on Monday the arrest of twenty individuals from a major cybercriminal gang that had stolen nearly $900,000 from bank accounts after infecting over 1 million Android smartphones with a mobile Trojan called "CronBot."
Russian Interior Ministry representative Rina Wolf said the arrests were part of a joint effort with Russian IT security firm Group-IB, which assisted the massive investigation.
The collaboration resulted in the arrest of 16 members of the Cron group in November 2016, while the last active members were apprehended in April 2017, all living in the Russian regions of Ivanovo, Moscow, Rostov, Chelyabinsk, and Yaroslavl and the Republic of Mari El.
Group-IB first learned of the Cron malware gang in March 2015, when the criminal gang was distributing the Cron Bot malware disguised as Viber and Google Play apps.
The Cron malware gang abused the popularity of SMS-banking services and distributed the malware onto victims' Android devices by setting up apps designed to mimic banks' official apps.
The gang even inserted the malware into fake mobile apps for popular pornography websites, such as PornHub.
Once victims downloaded and installed these fake apps on their devices, the apps added themselves to the auto-start, and the malware hidden within them gave the hackers the ability to phish victims' banking credentials and intercept SMS messages containing confirmation codes sent by the bank to verify transactions.
The malware would then intercept the two-step verification codes sent by the bank to confirm the transaction and block the victims from receiving a message notifying them about the transaction.
According to the security firm, the group stole around 8,000 rubles (nearly $100) from each victim on average, for a total of 50 million rubles (almost $900,000) from more than 1 million victims, with 3,500 unique Android devices infected per day.
After targeting bank customers in Russia, where they were living, the Cron gang planned to expand its operation by targeting customers of banks in various countries, including the US, the UK, Germany, France, Turkey, Singapore, and Australia.
In June 2016, the gang rented a piece of malware called "Tiny.z" for $2,000 per month, designed to attack customers of Russian banks as well as international banks in Britain, Germany, France, the United States and Turkey, among other countries.
Despite operating only in Russia before their arrest, the gang members had already developed web injections for several French banks, including Credit Agricole, Assurance Banque, BNP Paribas, Banque Populaire, Boursorama, Caisse d'Epargne, Societe Generale and LCL, Group-IB said.
However, before the gang could launch attacks on French banks, the authorities managed to disrupt their operations by making several arrests, including the gang's founder, a 30-year-old resident of Ivanovo, Moscow.
During the raids, the authorities seized computer equipment, bank cards, and SIM cards associated with the criminal gang.
Targeted Over 1 Million Phones — How They Did It?
"After installation, the program added itself to the auto-start and could send SMS messages to the phone numbers indicated by the criminals, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank," writes Group-IB.
"The approach was rather simple: after a victim's phone got infected, the Trojan could automatically transfer money from the user's bank account to accounts controlled by the intruders. To successfully withdraw stolen money, the hackers opened more than 6 thousand bank accounts."
The gang usually sent text messages to the banks initiating a transfer of up to $120 to one of the 6,000 bank accounts the group had set up to receive the fraudulent payments.
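A defender-side triage sketch for the behaviour Group-IB describes above (an added example, not code from the article or from Group-IB): it reads a decoded AndroidManifest.xml and flags an app that combines boot auto-start, SMS sending and receiving, and network access. The mapping of behaviours to permissions, the function name `triage`, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Behaviours quoted in the article, mapped to manifest permissions.
# The mapping itself is an assumption of this example.
CAPABILITIES = {
    "auto-start at boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "send SMS": {"android.permission.SEND_SMS"},
    "read incoming SMS": {"android.permission.RECEIVE_SMS",
                          "android.permission.READ_SMS"},
    "upload to remote server": {"android.permission.INTERNET"},
}
# Broadcasts a receiver must register for to start at boot and see SMS.
WATCHED_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                   "android.provider.Telephony.SMS_RECEIVED"}

# Constructed sample manifests (not taken from any real app).
SAMPLE_SUSPICIOUS = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".Rx">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_BENIGN = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

def triage(manifest_xml):
    """Return matched capabilities and whether the full combination is present."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    actions = {a.get(NS + "name")
               for r in root.iter("receiver") for a in r.iter("action")}
    caps = sorted(c for c, needed in CAPABILITIES.items() if perms & needed)
    receivers = sorted(actions & WATCHED_ACTIONS)
    # Flag only the full combination; any single permission is common in benign apps.
    suspicious = len(caps) == len(CAPABILITIES) and len(receivers) == len(WATCHED_ACTIONS)
    return {"capabilities": caps, "receivers": receivers, "suspicious": suspicious}
```

A hit is a reason to look closer at an app from an unofficial source, not a verdict: legitimate messaging apps request the same permissions.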
Cyberthieves Stole $900,000 in Russia Alone
On April 1, 2016, the gang advertised its Android banking Trojan, dubbed "Cron Bot," on a Russian-speaking forum, giving the Group-IB researchers and Russian authorities a clue to their investigation into the group's operation.