Alleged members of a gang of "cyber-fascist" Android malware-slingers have been arrested in Russia.
The alleged perps behind the scam targeted customers of Russian bank Sberbank with software they called "Fifth Reich", which used Nazi symbols in its management interface. The fraudsters aimed malware attacks at Android mobile devices belonging to customers of Russian banks.[1]
"They used a Trojan that was requesting account balances of the credit card tied to the mobile device, hiding incoming SMS-notifications and making payments to the accounts of fraudsters," according to Group-IB, the Russian computer forensics firm that assisted in the investigation.
An investigation by Administration “K” of the Russian Ministry of Internal Affairs led to the arrest of four suspects in the Chelyabinsk Region. Several laptops, along with a dozen cellphones and a large number of SIM cards were seized when the suspects were cuffed.
The quartet are said to be accomplices – phishing mules, by all accounts – in the scam. The illicit income from the scam remains undisclosed, as does the identity of whoever masterminded it.
Malware used by this group first appeared in July 2013. The attack has gone through several phases since then, including attempts to intercept SMS messages authorising and confirming payments. Later, credit card details were targeted, before the group moved on to more complex scams involving both malware and fake websites, as Group-IB explains in a statement containing screenshots and more details of the operation.
The hackers created phishing websites for a couple of Russian and Ukrainian banks, but this time they were not collecting credit card information but online banking account credentials. When a user was launching [a] banking application, the Trojan would switch the original window to a phishing one, where the user would type in all sensitive information to immediately send it to the fraudsters. Having logins, passwords and access to all SMS-messages in their hands, the fraudsters were able to successfully make payments.
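As an added illustration from the defender's side (not code from the article or from Group-IB), here is a triage heuristic over an Android manifest that flags the capability combination the banker described above needed: reading SMS, suppressing them from the user, and drawing over the banking app. The sample manifest, package name and receiver class are constructed; the permission and action names are real Android identifiers.

```python
# Added triage heuristic (not from the article or Group-IB): flag an Android
# manifest whose declared capabilities match the banker described above:
# read/intercept SMS, suppress them from the user, and draw over other apps.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(name: str) -> str:
    """Qualified attribute name in the android: namespace."""
    return f"{{{ANDROID_NS}}}{name}"

# Constructed sample manifest (not a real sample) with the suspicious combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    perms = {e.get(attr("name")) for e in root.iter("uses-permission")}
    # Before Android 4.4 a high-priority SMS_RECEIVED receiver could call
    # abortBroadcast() and hide the message from the stock SMS app, which is
    # how this generation of bankers suppressed the bank's notifications.
    sms_priority = 0
    for flt in root.iter("intent-filter"):
        actions = {a.get(attr("name")) for a in flt.findall("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            sms_priority = max(sms_priority, int(flt.get(attr("priority"), "0")))
    findings = {
        "reads_sms": "android.permission.RECEIVE_SMS" in perms,
        "sends_sms": "android.permission.SEND_SMS" in perms,
        "can_suppress_sms": sms_priority > 0,
        "can_overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "can_watch_foreground": "android.permission.GET_TASKS" in perms,
    }
    findings["banker_like"] = (findings["reads_sms"] and findings["can_suppress_sms"]
                               and findings["can_overlay"])
    return findings

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

On a real APK the manifest is binary-encoded and must first be decoded with a tool such as apktool or aapt before this check can parse it.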
The malware was distributed via mass SMS messaging, with a fake link to a supposed Adobe Flash Player download that in reality was packed full of malicious code – a common malware distribution trick that's most often used against Windows PC users. ®
[1] The details of the scam are something of a propaganda coup for the Kremlin, which has been pushing the line that Russian language speakers in eastern Ukraine, the Crimea and elsewhere are under assault from fascist elements egged on by the West.