
HI-TECH CRIME TRENDS 2016
2015 Q2 – 2016 Q1
>>> Group-IB.COM
Review of the Russian cybercrime market
Key driver of growth – Targeted attacks
Changes to previous period
TREND No.1
TARGETED ATTACKS ON BANKS AS A GLOBAL THREAT
TREND NO.2
GROUPS REFOCUS FROM COMPANIES TO BANKS

CURRENT / soon! – targets by group:
- COBALT: ATMs and SWIFT
- CORKOW: POS terminals, ATMs, trading terminals
- BUHTRAP: Core Banking Systems
- ANUNAK: Core Banking Systems, SWIFT, ATMs, payment gateways, POS terminals
- LURK: Core Banking Systems
GROUP-IB.COM/REPORTS
FORECAST
TARGETED ATTACKS ON BANKS

CHANGE IN FOCUS: Active groups specializing in attacks on companies will threaten banks.
EXPANDING GEOGRAPHY: Hackers attacking Russian banks will move their activity to other regions worldwide.
BROADENING COMPETENCIES: Groups attacking ATMs will perform cyber thefts on the SWIFT system.

Arrests of Russian-speaking hacker groups have a significant impact on the global landscape of banking threats.

PHISHING MAILOUTS: The key vector to infect banking networks is phishing emails.
INVOLVING INSIDERS: Hackers devote more time searching for insiders (contacts, application launch, consulting on system operation).
LEGITIMATE TOOLS: Criminals choose legitimate or free tools to perform attacks.
TREND NO.3
Russian-speaking PC Trojan developers take over the world

RUSSIA: Buhtrap, Toplel, Ranbyus, RTM (new), Jupiter (new), Lurk, Corkow, Yebot, Kronos, Chtonic
GLOBE: Panda Banker (new), Shifu (new), Midas bot (Jupiter) (new), GozNym (new), Sphinx (new), Corebot (new), Atmos (new), Gozi (ISFB), Dridex, Qadars, Gootkit, Vawtrak, Tinba, KINS (ZeusVM), Citadel, Zeus, Quakbot (Qbot), Retefe, Ramnit

16 of the 19 Trojans that have been actively used to attack companies are believed to be developed by Russian-speaking cybercriminals.
FORECAST
Russian-speaking PC Trojan developers take over the world

CONTRACTION OF THE RUSSIAN MARKET: The amount of groups, Trojans and losses from attacks will continuously decrease.
MOVEMENT TO NEW MARKETS: New Trojans designed to attack foreign banks will be actively developed.
HACKERS TO SELL ACTIVE BOTNETS: Some active botnets will be sold to less-experienced perpetrators.

WEB INJECTS: Developers will add web injects to perform automated attacks.
FAKE WEB PAGES: Fake web pages added to Trojans will enable hackers to expand the list of attacked countries.
SPAM MAILOUTS: The key infection vector for banking Trojans.
TREND NO.4
ANDROID TROJAN MARKET IS EXPANDING QUICKLY

RUSSIA: FlexNet (new), Agent.sx (new), Agent.BID (new), Honli (new), Asucub (new), FakeInst.ft (new), GM bot (new), Fake Marcher (new), Cron2 (new)
EUROPE AND USA: Abrvall (new), Asacub (new), Mbot 2.0 (new), T00rb00r (new), Marcher, GM-bot, Skunk, Bilal, Reich (Svpeng)
Also listed on the slide (column not recoverable from the extraction): Group 404, ApiMaps, Marcher 2.0 (new), Adabot, Xbot (new), Cron1 (new), Greff, March, Webmobil, Mikorta, MobiApps, Xruss, Tark, Sizeprofit
TREND NO.4
ANDROID TROJAN MARKET IS EXPANDING QUICKLY

What causes explosive growth?

NEW FRAUD SCHEMES
- SMS banking
- Transactions between cards
- Online banking transfers
- Fake mobile banking
- Interception of mobile banking access
TREND NO.4
ANDROID TROJAN MARKET IS EXPANDING QUICKLY

What causes explosive growth?

ADVANCED TROJANS
- Several infection stages
- Exploits
- Protecting network communications and code
- Fake web pages
- Web injects

MORE EFFECTIVE DISTRIBUTION
- Contextual advertising
- “Partner” programs
FORECAST
A BOOM in banking Trojans targeting Android

Thefts from companies: Trojans to be adjusted to steal money from legal entities.
Increased damage: Average loss will increase due to targeted attacks on companies.
Sophisticated functionality: Advanced Trojans will enable hackers to implement all attack schemes that were successfully performed on PC.

Covert infection: Specialized exploit kits for Android will be released.
Mobile web injects: Services for writing injects for mobile browsers will be offered on underground forums; Trojans will widely support web injects.
Losses from attacks using Android Trojans will exceed damages from PC Trojans – THE MOST DANGEROUS THREAT to BANKS.
TREND NO.5
COMPLETELY AUTOMATED FRAUD

ON PC
- Active automated manipulations
- Passive automated manipulations
- All new Trojans support automated manipulations

ON ANDROID
- Automated transfer via SMS banking
- Automated transfer between cards

PHISHING
- Bypassing SMS verification using dialog windows

VISHING
- Bypassing SMS verification using IVR
FORECAST
AUTOMATED FRAUD

Automatic fraud on ANDROID: Criminals will attack both companies and people using web injects to replace payment details.
AUTOMATED PHISHING: The function to bypass SMS verification will make mobile Trojans the most dangerous threat to the majority of banks.
ROBOT-BASED VISHING: Automated vishing attacks will be adjusted to bypass SMS verification and will become more popular.

With their wide distribution and automation, PHISHING and ANDROID Trojans will finally replace PC Trojans.
TREND NO.6
IOT TRIGGERS THE GROWTH OF BOTNETS FOR DDOS ATTACKS

2015: 450 Gbps | 2016: 602 Gbps | 09.2016: 1 Tbps

MOVE AWAY FROM AMPLIFIERS: DNS, NTP, SSDP, CharGen and other types are less actively used.
BOTNETS REAPPEAR: Criminals often use Linux servers and simple IoT devices to create botnets.
SOURCE CODES ARE PUBLISHED: Lizard Stresser and Mirai were released publicly.

IoT devices are perfect bots:
- Dynamic IP addresses
- No antivirus installed
- 24-hour access to the Internet
- Difficult to update and eliminate known vulnerabilities
- Passwords set by default
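The slide contrasts two traffic shapes: reflected amplification through DNS, NTP, SSDP and CharGen services, and direct floods from botnets built out of Linux servers and IoT devices. The following is an added example, not Group-IB code, showing how a responder can tell the two apart from flow records (five-tuple plus packet and byte counters). The flow records, the victim address, the 400-byte average packet size and the 70% dominance share are constructed assumptions; the amplifier port numbers are the standard ones for the services the slide names.

```python
"""Shape-based classification of DDoS traffic in flow records.

Added example for this report section; it is not Group-IB code. It separates
the two traffic patterns the slide contrasts: reflected amplification (large
UDP replies from DNS/NTP/SSDP/CharGen services aimed at the victim) and a
direct flood from many small sources, the pattern an IoT botnet produces.
The flow records below are constructed; thresholds are assumptions.
"""
from collections import Counter

# Standard UDP ports of the amplification services named on the slide.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "CharGen"}

# Assumption: a reflected reply stream carries large packets; a normal NTP
# or DNS answer to a client is far below this average size.
MIN_AMPLIFIED_BYTES_PER_PACKET = 400

# Assumption: a pattern that carries this share of bytes dominates the attack.
DOMINANT_SHARE = 0.7


def flow(src_ip, src_port, dst_ip, dst_port, proto, packets, nbytes):
    """Build a minimal flow record (NetFlow-like: five-tuple plus counters)."""
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "proto": proto, "packets": packets,
            "bytes": nbytes}


def is_amplified(rec):
    """True when the flow looks like reflected traffic from an amplifier."""
    return (rec["proto"] == "UDP"
            and rec["src_port"] in AMPLIFIER_PORTS
            and rec["bytes"] / rec["packets"] >= MIN_AMPLIFIED_BYTES_PER_PACKET)


def summarize_attack(flows, victim_ip):
    """Split traffic towards victim_ip into amplified and direct bytes.

    Returns a verdict plus the evidence a responder needs: which amplifier
    services were abused (by volume) and how many distinct direct sources
    took part (a large number points to a botnet rather than a reflector).
    """
    amplified_bytes = direct_bytes = 0
    services = Counter()
    direct_sources = set()
    for rec in flows:
        if rec["dst_ip"] != victim_ip:
            continue  # only traffic aimed at the victim matters here
        if is_amplified(rec):
            amplified_bytes += rec["bytes"]
            services[AMPLIFIER_PORTS[rec["src_port"]]] += rec["bytes"]
        else:
            direct_bytes += rec["bytes"]
            direct_sources.add(rec["src_ip"])
    total = amplified_bytes + direct_bytes
    if total == 0:
        verdict = "none"
    elif amplified_bytes / total >= DOMINANT_SHARE:
        verdict = "amplification"
    elif direct_bytes / total >= DOMINANT_SHARE:
        verdict = "direct flood"
    else:
        verdict = "mixed"
    return {"verdict": verdict,
            "amplified_bytes": amplified_bytes,
            "direct_bytes": direct_bytes,
            "amplifier_services": dict(services),
            "distinct_direct_sources": len(direct_sources)}


VICTIM = "203.0.113.10"  # constructed victim address (documentation range)

# Scenario 1 (constructed): reflected replies from NTP, DNS and SSDP servers
# plus one ordinary web visitor.
AMPLIFICATION_FLOWS = [
    flow("198.51.100.5", 123, VICTIM, 44112, "UDP", 100, 48000),
    flow("198.51.100.6", 53, VICTIM, 44112, "UDP", 50, 60000),
    flow("198.51.100.7", 1900, VICTIM, 44112, "UDP", 40, 36000),
    flow("192.0.2.77", 51234, VICTIM, 80, "TCP", 20, 1200),
]

# Scenario 2 (constructed): 40 small sources each sending the same modest
# volume, plus one legitimate NTP reply whose packets are small (60 B each),
# so it must not be mistaken for amplification.
IOT_FLOOD_FLOWS = [
    flow(f"192.0.2.{i}", 40000 + i, VICTIM, 80, "TCP", 200, 12000)
    for i in range(1, 41)
] + [flow("198.51.100.5", 123, VICTIM, 44112, "UDP", 2, 120)]

if __name__ == "__main__":
    for name, flows in (("amplification", AMPLIFICATION_FLOWS),
                        ("iot flood", IOT_FLOOD_FLOWS)):
        print(name, summarize_attack(flows, VICTIM))
```

The design point is that the verdict depends on byte share, not on port numbers alone: a legitimate NTP reply from port 123 with small packets stays in the direct bucket, and a flood that arrives from many distinct small sources is the shape the slide attributes to IoT botnets.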
TREND NO.7
Ransomware – snowballing threat

Key target – enterprises:
- Buy access to critical data
- Check servers by guessing their passwords
- Encrypt Windows and Linux-based servers

A wide variety of attacks on mobile devices and IoT
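The slide names password guessing against servers as one step of the enterprise ransomware attacks it describes. The following is an added example, not Group-IB code, of the detection a defender would run over SSH authentication logs: it flags a source that fails more logins than a threshold inside a sliding window, and raises the severity when a successful login from the same source follows the burst, the case that most likely means a server password was found. The log lines are constructed in the OpenSSH/syslog format; the 60-second window, the threshold of 5 failures and the year used for parsing are assumptions.

```python
"""Detect password-guessing bursts against SSH in auth log lines.

Added example for this section; it is not Group-IB code. It flags a source
that fails logins faster than a threshold inside a sliding window and
upgrades the alert when a successful login from the same source follows the
burst. Log lines are constructed in the OpenSSH/syslog format; window,
threshold and the year (syslog timestamps carry none) are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)
LOG_YEAR = 2016          # assumption: syslog lines omit the year
WINDOW_SECONDS = 60      # assumption: burst window
FAIL_THRESHOLD = 5       # assumption: failures inside the window that trigger


def parse_line(line):
    """Return the fields of an sshd password event, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse "Oct  3" to "Oct 3"
    ts = datetime.strptime(f"{LOG_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_password_guessing(lines, window=WINDOW_SECONDS,
                             threshold=FAIL_THRESHOLD):
    """One alert per source IP whose failures reach the threshold in-window.

    kind is "password_guessing" for a bare burst and "guessing_then_success"
    when an Accepted login from the same IP follows the burst.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    failures = defaultdict(int)   # ip -> total failures seen
    users = defaultdict(set)      # ip -> user names tried
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # cron, sudo and other non-sshd lines are ignored
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(ev["user"])
            q = recent[ip]
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "kind": "password_guessing",
                              "burst_start": q[0], "success_user": None}
            if ip in alerts:  # keep evidence current while the burst continues
                alerts[ip]["failures"] = failures[ip]
                alerts[ip]["users"] = sorted(users[ip])
        elif ip in alerts:
            alerts[ip]["kind"] = "guessing_then_success"
            alerts[ip]["success_user"] = ev["user"]
    return list(alerts.values())


# Constructed sample: one guessing burst that ends in a successful root login,
# one user who mistypes once, and one slow source that never fills the window.
SAMPLE_AUTH_LOG = """\
Oct  3 14:02:00 srv1 CRON[1000]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct  3 14:02:11 srv1 sshd[2231]: Failed password for root from 192.0.2.50 port 51122 ssh2
Oct  3 14:02:14 srv1 sshd[2233]: Failed password for root from 192.0.2.50 port 51124 ssh2
Oct  3 14:02:17 srv1 sshd[2235]: Failed password for invalid user admin from 192.0.2.50 port 51126 ssh2
Oct  3 14:02:20 srv1 sshd[2237]: Failed password for invalid user admin from 192.0.2.50 port 51128 ssh2
Oct  3 14:02:23 srv1 sshd[2239]: Failed password for invalid user oracle from 192.0.2.50 port 51130 ssh2
Oct  3 14:02:26 srv1 sshd[2241]: Failed password for root from 192.0.2.50 port 51132 ssh2
Oct  3 14:02:29 srv1 sshd[2243]: Failed password for root from 192.0.2.50 port 51134 ssh2
Oct  3 14:02:55 srv1 sshd[2245]: Accepted password for root from 192.0.2.50 port 51136 ssh2
Oct  3 14:05:00 srv1 sshd[2260]: Failed password for deploy from 198.51.100.9 port 40001 ssh2
Oct  3 14:05:30 srv1 sshd[2262]: Accepted password for deploy from 198.51.100.9 port 40002 ssh2
Oct  3 14:10:00 srv1 sshd[2300]: Failed password for root from 192.0.2.60 port 33001 ssh2
Oct  3 14:12:00 srv1 sshd[2302]: Failed password for root from 192.0.2.60 port 33002 ssh2
Oct  3 14:14:00 srv1 sshd[2304]: Failed password for root from 192.0.2.60 port 33003 ssh2
Oct  3 14:16:00 srv1 sshd[2306]: Failed password for root from 192.0.2.60 port 33004 ssh2
Oct  3 14:18:00 srv1 sshd[2308]: Failed password for root from 192.0.2.60 port 33005 ssh2
Oct  3 14:20:00 srv1 sshd[2310]: Failed password for root from 192.0.2.60 port 33006 ssh2
"""

if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The slow source (192.0.2.60) is the edge case worth keeping in mind: six failures two minutes apart never reach five inside a 60-second window, so a detector tuned only for bursts misses low-and-slow guessing; a second rule over a longer window, or over distinct user names per source, covers that pattern.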
FORECAST
INCREASE IN INCIDENTS WITH RANSOMWARE

Wide variety of targets: Mobile and IoT devices, cloud storages.
Pinpoint attack: The key target is companies with critical business processes, which cannot spend time to recover them and will pay ransoms.
Average ransom will increase: Newer ransomware versions will deliberately target key business assets, which will significantly raise the price of ransomware decryption keys.

Worms: Ransomware will be distributed as cryptoworms to widely spread threats and cause significant damage.
Smoke Screens: Encrypting ransomware will be used as a “distraction” tool in conjunction with high-profile targeted attacks, like DDoS attacks used previously.
An increase in attacks will stimulate the cyber risk insurance segment, which in turn will motivate criminals.
TREND NO.8
Increase in attacks
on critical infrastructure
TREND NO.9
NEW TOOLS FOR TARGETED ATTACKS AND ESPIONAGE

At provider level
What hackers need: access to a routing gateway or their own autonomous system (AS).
What hackers obtain:
- Access to all the traffic
- Ability to decrypt SSL
- Access to credentials of external systems

Using Android Trojans
What hackers obtain:
- Access to geo-location
- Voice interception
- SMS interception
- Access to messengers, photos, and files
- Execution of USSD commands
- Password recovery
- Access to a cloud storage

THREATS AT TELECOM OPERATOR LEVEL
What hackers need: access to an SS7 Hub or a license for one of the following paid services: Defentek, Verint, CleverSig, Circles, Cobham.
What hackers obtain:
- Access to geo-location
- Voice interception
- SMS interception
- Execution of USSD commands
FORECAST
ATTACKS ON CRITICAL INFRASTRUCTURE

Public information: Information on successful attacks will leak to journalists because of their political subtext.
Cyber-armies: Cyber-armies will attack critical infrastructure facilities. Goal: espionage and control capability.
Arrests and recruitment: Hackers arrested for targeted attacks on companies will be recruited by the Government.

Popularization: Public reaction to successful attacks will provoke increased interest from cyber-armies and terrorists.
Terrorists: Cyber-terrorists will target critical infrastructure facilities. Goal: public attention, human losses.
ONLINE RECRUITMENT: Cyber-terrorists will actively use the Internet for propagation and recruitment of technical specialists who are able to perform targeted attacks.
Key findings

TARGETS: Banks; Android; Critical infrastructure
ATTACKS: Distribution of targeted attacks; Global operations; Various and stealthy
TOOLS: IoT, Ransomware, Spyware; Authors of PC Trojans are of Russian origin; Automated thefts
GROUP-IB | Products & Services

Prevention: Security Assessment; DDoS Attack Prevention; Anti-Piracy; Brand Protection
Response: Computer Emergency Response Team CERT-GIB; Incident Investigation
Investigation: Forensic Services; Malware Analysis and Investigation; Financial and Corporate Investigation
Early Warning System: Threat monitoring and analysis; Threat Intelligence; Detection of targeted attacks (TDS, TDS Polygon); Early fraud detection (Secure Bank, Secure Portal)
Profound human intelligence and cutting-edge technologies
Key regions of monitoring: Russia, the CIS and Eastern Europe, Asia Pacific, Middle East

INFRASTRUCTURE: Honeynet and botnet analysis; Open-source monitoring; Malware monitoring and research; Network attack trackers; TDS Sensors; Behavior analysis system
HUMAN INTELLIGENCE: Forensics; Hacker community infiltration; Investigations; CERT-GIB request database; Security Assessment
GLOBAL DATA EXCHANGE: Computer incident response teams; Domain registrar and hosting providers; Cyber security vendors; Europol, Interpol and law enforcement agencies

Group-IB case studies

Website: www.group-ib.com
Facebook: facebook.com/Group-IB
Phone: +7 495 984-33-64
Twitter: twitter.com/GroupIB_GIB
Email: info@group-ib.com
