Global Internet security company Group-IB has assisted the Directorate K of the Russian Ministry of Internal Affairs to investigate and suppress the activities of a criminal group that specialized in stealing funds from the bank accounts of individuals.
Towards the end of 2013, the security service of Sberbank detected a cyber-attack on owners of Android smartphones. The attackers infected the phones with malicious software through mass mailing of MMS messages from “RomanticVK” or “VK_Gift” with the promise of a “romantic gift.”
When unsuspecting users clicked the links, a virus was downloaded to their phones. The virus topped up the mobile phone account from the bank account linked to that mobile number. It then used an SMS banking service to transfer the funds to the accounts of other mobile subscribers and to electronic payment systems.
The first wave of the attack was successfully repelled thanks to the rapid response of Sberbank's security division and its cooperation with mobile operators. The mailing carrying the virus was blocked, while the Bot-Trek service, developed by Group-IB, detected the compromised devices. The well-coordinated work of the Sberbank and Group-IB security teams helped gather materials and evidence for law enforcement agencies.
After a short pause, the attackers resumed their illegal activity, having improved the malware. This time around, their actions were documented by the law enforcement agencies.
Investigations led to the detention of two residents of Arkhangelsk, aged 25 and 24. A criminal case – Part 2 of Article 158 (Theft) – was filed against them. One of the attackers was arrested for a period of 2 months, while the other was placed under house arrest.
“At the request of Sberbank, Group-IB provided support to the investigation at all stages. Our security incident response center CERT-GIB closely monitored and promptly blocked new malicious resources. Computer hardware seized from the criminals during the arrest was sent to Group-IB’s forensic lab for investigation and additional evidence,” said Ilya Sachkov, CEO of Group-IB.
For reference: The organizer of this criminal group started his illegal activities back in 2010 as a malware developer and owner of a mobile payment aggregator site. The skills gained in working with mobile platforms enabled him to quickly create a large botnet of mobile devices. The attacker was known on the Internet as “ItBill” and “tripfon.”