Thefts of funds through RB of Sberbank have become more frequent

[Агентство. PrivacyGuard.]

Good afternoon, colleagues!

Over the past two weeks, the number of write-offs via Sberbank's banking accounts has sharply increased. The scheme is old, virus infection, certificate theft, etc. Transfer to a physicist, they throw him on two or three people further. Depends on the total amount. because ATMs have a daily cash withdrawal limit. According to our observations, the Sberbank banking system was noticed after they made it an Internet bank. Previously, Sberbank RBS was with a hardware firewall, on a dedicated machine, with a hardware key. And now they have made everything easier. Work via the Internet, login, password for entry. In general, security has become lower, thefts have become greater. Be careful. Observe safety measures during the work with any RBS.

 

[Матушкин Андрей Николаевич]

Thank!

 

[Group-IB]

Good afternoon, colleagues! there are frequent cases of theft of funds not only through the SBE of Sberbank, but also a number of other banks. Be carefull!

 

[Group-IB]

ESET and Group-IB experts found a new threat to RBS systems
ESET, an international developer of antivirus software and computer security solutions, reports that ESET's Center for Virus Research and Analysts has discovered a new threat - Win32 / Sheldor.NAD, which is a modification of the popular program for remote computer administration - TeamViewer.
This information was obtained by the Center's employees during the examination as part of the Group-IB investigation into the incident involving fraud in remote banking systems (RBS).

Over the past two months alone, Group-IB specialists recorded a 30% increase in incidents related to fraud in remote banking systems. “A common cause for such incidents is a weak information security policy in small and medium-sized businesses,” comments Ilya Sachkov, Group IB CEO. - Also, the trend of recent incidents in this area shows an increase in the professionalism of attackers in the development of malware. Therefore, a constant analysis of new types of fraudulent programs is the key to successful investigation of crimes in the banking system. ”

During the investigation of the incident that occurred in one of the Russian banks, the Win32 / Sheldor.NAD malware (according to ESET classification) was detected, which is a modified version of the software for remote administration of the computer - TeamViewer 5.0. At the same time, one of the modules of the legal program was modified, which is used in the process of network interaction with TeamViewer servers. The modification allowed sending authentication data of the current TeamViewer session to the attackers' server, who had the opportunity at any time to gain access to the user's active session on the infected PC. This means that fraudsters not only had access to the user's confidential data, but also could perform a number of actions on the infected computer, including transactions in remote banking systems, which led to financial loss for the user.

Since most of the components of the modified version of TeamViewer were legally digitally signed and were legal components, with the exception of one module, the number of antivirus products that detected the threat at the time it was detected was small. It is also worth noting that a modified version of TeamViewer was installed on the user's system using a specially developed Trojan installer that created all the necessary registry keys for Win32 / Sheldor.NAD to work: it copied TeamViewer components to the% WINDIR% system folder and added it to autorun.

“This is not the first time we have encountered the use of legal remote administration programs for various types of malicious activities,” said Alexander Matrosov, director of the Center for Virus Research and Analytics at ESET. - However, in this incident we are talking about modifying the functionality of the popular TeamViewer program, which suggests that the attackers clearly pursued the goal of maximum similarity with legal software. This allowed them to go unnoticed by most anti-virus solutions. ”
ESET NOD32 antivirus solutions reliably protect users from the Win32 / Sheldor.NAD malware. Thanks to ThreatSense.Net early detection technology, ESET products prevent the computer from becoming infected with new versions of this malicious software.

 

[Ева]

Thank you for the info.

 

[Частный детектив. Ростов-на-Дону.]

Thank you, noted.

 

[Агентство. PrivacyGuard.]

Good afternoon, colleagues!

Actually, viruses used to be able to remotely control the victim’s computer. Both Zeus and SPyEye had backConnect modules to bypass firewall and NAT protection. Communication was initiated from within the victim’s network and unhindered security measures passed. However, using TeamViewer is an interesting solution. And as for antiviruses, everything is decided by the speed with which they update the virus database. And there are no obvious leaders. Someone previously found one infection, someone else. If there are suspicions, it is best to check with several antivirus programs. And it’s more correct to use layered protection using solutions from several developers.