Russian cybercriminals have field tested their attack techniques on local banks, and have now begun taking them global, according to a new report -- and a new breed of mobile attack apps is coming up next.
Criminals stole nearly $44 million directly from Russian banks in the last half of 2015 and the first half of 2016, according to Dmitry Volkov, co-founder and head of threat intelligence at Moscow-based Group-IB.
That was up 292 percent from the same period a year earlier. Direct, targeted attacks against banks now account for 45 percent of all bank-related cybercrime in Russia.
Meanwhile, thefts from individual online banking accounts went down 83 percent, to $0.1 million, and thefts from business bank accounts fell 50 percent to $17 million.
According to Volkov, criminals first develop their malware for the market they know best, then a combination of factors drives them to expand overseas.
Those factors include increased government prosecution and better banking security.
"And, since 2014, we have had a financial crisis in Russia," he added. "The ruble isn't worth as much as it did three or five years ago, and hackers earn less money from their activity in Russian territory. They want to get dollars or euros, not rubles -- the financial crisis helped protect Russian citizens."
Russian criminals began going after bank accounts in the U.S., Canada, Europe, and other countries.
Meanwhile, back in Russia, they began working on the next generation of attacks, directly targeting internal bank operations such as Swift and ATM management systems.
These kinds of attacks started showing up in 2013, and this year, they've gone global.
For example, this summer, a Ukrainian bank was hit for $10 million via its Swift network, according to the Information Systems Audit and Control Association, part of a broader attack against several banks in both Ukraine and Russia that netted hundreds of millions of dollars.
Another attack targeted the ATM networks of Alfa Bank in Belarus. And last spring's $81 million Bangladesh central bank heist, which used similar techniques, may also have been carried out by a Russian group.
"It is very hard to do attribution," Volkov said. In the case of the Bangladesh bank, original reports put the blame on North Korea, but later reports suggested that Russian-speaking hackers were also involved in the attacks.
Banks aren't sharing detailed information about how the attacks actually took place, he said, so it's hard to tell who exactly did what.
"The most recent wave of attacks against foreign banks happened just last week," he said, though he added that he could not share more information about the Russian cybercriminals involved.
"We are participating in a joint investigation with Europol, and we are not allowed to disclose information to the public," he said.
Earlier this month, Symantec released a report linking the Carbanak group, suspected to be based in Russia, with high-level attacks against banks in the U.S., Hong Kong, Australia, the U.K. and other regions. Total losses are estimated to range from tens to hundreds of millions of dollars.
"It's become really global," Volkov said.
Russian authorities are cooperating with international investigators to bring down these groups, he said, but the process is slow.
"It's very hard to investigate these cases," he said. In addition, members of any particular group could be located in several countries, and enforcement activities have to be coordinated to take them all down at once.
"Otherwise, the other guys will delete all the evidence, move to other locations, and take other measures to avoid arrest," he said.
Meanwhile, even while enforcement is improving, there's still a problem when it comes to information sharing, he said.
"There is no effective channel to exchange communications," he said. "There are official procedures for the exchange of data, and it is very slow."
The next wave of mobile attacks
Meanwhile, another wave of attacks is building up in Russia.
Thefts from individual bank accounts using mobile-based Trojans are up 471 percent in Russia, to $6 million, according to Group-IB.
The mobile Trojans first appeared in 2013 and used the SMS banking channel and mobile banking, and banks quickly responded by imposing limits on mobile transactions.
"So in 2014 and 2015 we saw a decrease in the amounts that hackers were able to steal from customers," Volkov said.
The criminals innovated, with new types of attacks, and new distribution mechanisms.
"Russia became a real testing environment for mobile banking Trojans," he said. "Next year, or in the next couple of years, all this knowledge will be exported outside of Russia."
For example, the malware displays fake dialogs that ask for bank card details, transaction confirmations and one-time passwords, which the criminals use to transfer money out immediately.
In addition, login credentials are collected and reused for online banking, where the transaction limits are higher than with mobile banking.
The criminals even began developing complete banking applications, designed to mimic the ones from the real banks.
"There are programs that generate new fake mobile banking applications in minutes," he said. "The criminals just specify the colors, icons, and fields."
Paid search ads on Google, Yahoo and Russia's Yandex put links to the fake banking apps above the legitimate listings.
There are also phishing messages, sent via SMS or email, telling the user to install a required update for a critical application or for the operating system, or warning of suspicious eBay or Alibaba account activity.
"They click on a link, click the install button, and install the malware," he said.
The apps are also distributed through unofficial app stores, often hidden inside another application.
"Apps on the unofficial stores have huge abilities, to root the device, to escalate privileges," he said. "You try to root your device, but at the same time you are installing a malicious program and later it will download the banking Trojans."
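The lures described above (forced "critical update" messages, fake marketplace activity warnings, links that sideload an APK instead of pointing at an official store) are easy to triage at the SMS gateway or in a mobile threat defense pipeline. The following is an added example, not code from Group-IB or from the original article: a small heuristic scorer that extracts the URLs from a message, flags direct .apk downloads and install prompts pointing anywhere other than an official app store, and adds weight for the lure vocabulary the article mentions. The keyword lists, store-host allowlist, scoring weights and sample messages are all constructed assumptions for the example.

```python
"""Heuristic triage of SMS lures that push sideloaded Android banking apps.

Added example for this article; the host allowlist, lure vocabulary, weights
and sample messages below are constructed, not taken from Group-IB.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts from which a mobile app is legitimately obtained. An install or update
# pushed from any other host is sideloading, the distribution path the article
# describes for the fake banking apps. (Assumed allowlist.)
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}

# Lure vocabulary modelled on the article: required "critical" updates for an
# app or the OS, install prompts, and fake eBay / Alibaba activity warnings.
LURE_CATEGORIES = {
    "update lure": re.compile(r"\b(update|upgrade|patch)\b", re.I),
    "install prompt": re.compile(r"\b(install|download)\b", re.I),
    "urgency": re.compile(r"\b(critical|required|immediately|blocked|suspended)\b", re.I),
    "marketplace activity": re.compile(r"\b(ebay|alibaba|aliexpress)\b", re.I),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen so that a lone "update" keyword pointing at an
        # official store is not flagged, while any direct APK link is.
        return self.score >= 3


def extract_urls(text: str) -> list:
    """Return the URLs in a message with trailing sentence punctuation removed."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def triage_sms(text: str) -> Verdict:
    """Score one SMS body; higher means more likely to be an app-sideloading lure."""
    v = Verdict()
    v.urls = extract_urls(text)

    hits = [name for name, rx in LURE_CATEGORIES.items() if rx.search(text)]
    for name in hits:
        v.score += 1
        v.reasons.append(name)

    for url in v.urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if path.endswith(".apk"):
            # A link to the package itself bypasses the store entirely.
            v.score += 3
            v.reasons.append(f"direct APK download from {host}")
        if host not in OFFICIAL_STORE_HOSTS and (
            "install prompt" in hits or "update lure" in hits
        ):
            v.score += 2
            v.reasons.append(f"install/update pushed from non-store host {host}")
        if IPV4_RE.match(host):
            v.score += 1
            v.reasons.append("raw IP address in link")
    return v


# Constructed sample messages; 203.0.113.7 and .example are documentation ranges.
SAMPLES = [
    "Critical security update for your banking app is required. Install now: "
    "http://bank-update-secure.example/app.apk",
    "Unusual eBay account activity detected. Verify now: "
    "http://203.0.113.7/ebay/verify.apk",
    "Your bank app update is available on Google Play: "
    "https://play.google.com/store/apps/details?id=com.example.bank",
    "Reminder: your appointment is tomorrow at 10:00.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        verdict = triage_sms(msg)
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{flag:10}] score={verdict.score} {msg[:60]!r}")
        for reason in verdict.reasons:
            print(f"              - {reason}")
```

The scorer is deliberately conservative about official store links: a message that mentions an update but links to play.google.com only accumulates the keyword point, so the third sample is not flagged, whereas any direct .apk link or an update pushed from an unknown host crosses the threshold on its own. In production the allowlist would also cover a bank's own verified download domains, and the verdict would feed a block or a user warning rather than a print.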