Members of a gang of “cyber-fascists” behind Android phishing attacks have been arrested in Russia.
The scam targeted customers of the Russian bank Sberbank with malware the gang called “Fifth Reich”; the Trojan’s management panel was decorated with Nazi symbols. The attacks were aimed at Android devices belonging to customers of Russian banks.
According to Group-IB, the Russian computer forensics firm that assisted in the investigation:
They used a Trojan that was requesting account balances of the credit card tied to the mobile device, hiding incoming SMS-notifications and making payments to the accounts of fraudsters.
An investigation by Administration “K” of the Russian Ministry of Internal Affairs led to the arrest of four suspects in the Chelyabinsk Region.
Malware used by this group first appeared in July 2013. The attack has gone through several phases since then, including attempts to intercept SMS messages authorising and confirming payments.
In the summer of 2014, Kaspersky reported that while the Trojan’s main version was still primarily used to target Russians, a new variant of Svpeng had been targeting users in the United States and Europe. This new variant leveraged ransomware functionality to help its operators make money.
Later, credit card details were targeted, before the group moved on to more complex scams involving both malware and fake websites, as Group-IB explains in a statement containing screenshots and more details of the operation.
The hackers created phishing websites for a couple of Russian and Ukrainian banks, but this time they were not collecting credit card information but online banking account credentials. When a user was launching [a] banking application, the Trojan would switch the original window to a phishing one, where the user would type in all sensitive information to immediately send it to the fraudsters. Having logins, passwords and access to all SMS messages in their hands, the fraudsters were able to successfully make payments.
The malware was distributed by SMS spam carrying a link to a supposed Adobe Flash Player download; the file behind the link was in fact the Trojan itself. The fake-update lure is a common malware distribution trick, one more often seen against Windows PC users.
This is yet another example of why messaging apps should check the reputation of a link before opening it, by adopting a security API that reports whether a URL is classified as malicious. Note what such a check covers: the SMS link that delivers the Trojan. Once the Trojan is installed, the overlay and SMS-interception phases described above run without any link being opened, so a reputation check is a first line of defence against this campaign, not the whole one. Few, if any, email, chat or SMS apps offer even that first line of protection.
As regular readers of this blog will know, the risk from phishing links can be mitigated with a URL reputation service such as the MetaCert Security API or the Google Safe Browsing API. The MetaCert Security API makes it easy for app developers to add a thin but very powerful layer of security to mobile apps. The Security API checks the reputation of web links in real time, providing an invisibly secure experience by blocking navigation to malicious web pages before they load.
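As an added illustration of the lookup described above, here is a Python sketch of the check an SMS or chat app could run on a link before opening it. It is not MetaCert’s, Group-IB’s or Google’s code; it uses the request and response shapes of the Google Safe Browsing Lookup API v4 (`threatMatches:find`) that this post mentions. The sample SMS text, the `flash-update.example` link and the canned response are constructed for the example, and the `demo()` path makes no network call.

```python
"""URL reputation gate for links arriving by SMS, modelled on the Google
Safe Browsing Lookup API v4 (threatMatches:find).

Added example, not MetaCert's, Group-IB's or Google's code. The request and
response shapes follow the public Safe Browsing v4 documentation; the sample
SMS text and the canned reply used for offline runs are constructed here.
"""
import json
import re
import urllib.request
from typing import Callable, Dict, List

SAFE_BROWSING_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"

# Loose URL matcher: also catches scheme-less hosts, since SMS lures are
# often sent as "bank-update.example/flash" without a leading http://.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.IGNORECASE
)


def extract_urls(text: str) -> List[str]:
    """Return every URL-looking token in an SMS body, normalised to carry a scheme."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;:)")
        if not u.lower().startswith(("http://", "https://")):
            u = "http://" + u
        urls.append(u)
    return urls


def build_lookup_request(urls: List[str], client_id: str = "sms-link-guard") -> Dict:
    """JSON body for a Safe Browsing v4 threatMatches:find call covering the URLs."""
    return {
        "client": {"clientId": client_id, "clientVersion": "1.0"},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING",
                            "UNWANTED_SOFTWARE", "POTENTIALLY_HARMFUL_APPLICATION"],
            "platformTypes": ["ANDROID"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def parse_matches(response: Dict) -> Dict[str, List[str]]:
    """Map each flagged URL to the threat types reported for it.

    An empty JSON object (no "matches" key) means nothing was flagged.
    """
    verdicts: Dict[str, List[str]] = {}
    for match in response.get("matches", []):
        url = match.get("threat", {}).get("url")
        if url:
            verdicts.setdefault(url, []).append(match.get("threatType", "UNKNOWN"))
    return verdicts


def _post_json(url: str, body: Dict) -> Dict:
    """Real transport: POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def check_sms(text: str, api_key: str,
              post: Callable[[str, Dict], Dict] = _post_json) -> Dict[str, List[str]]:
    """Extract links from an SMS and return {url: [threat types]} for the bad ones.

    `post` is injectable so the flow can be exercised offline with a canned reply.
    Fails closed: a transport error marks every link as unverifiable, not as clean.
    """
    urls = extract_urls(text)
    if not urls:
        return {}
    try:
        response = post(f"{SAFE_BROWSING_URL}?key={api_key}", build_lookup_request(urls))
    except Exception:  # network down, bad key, quota: never silently pass the link
        return {u: ["LOOKUP_FAILED"] for u in urls}
    return parse_matches(response)


# Constructed sample: the lure described in the article, a "Flash Player" link by SMS.
SAMPLE_SMS = ("Your Adobe Flash Player is outdated, update now: "
              "http://flash-update.example/player.apk")

# Constructed Safe Browsing-style reply flagging that link; there is no real listing.
CANNED_RESPONSE = {
    "matches": [{
        "threatType": "MALWARE",
        "platformType": "ANDROID",
        "threatEntryType": "URL",
        "threat": {"url": "http://flash-update.example/player.apk"},
    }]
}


def demo() -> Dict[str, List[str]]:
    """Run the check against the canned reply (no network)."""
    return check_sms(SAMPLE_SMS, api_key="dummy", post=lambda _url, _body: CANNED_RESPONSE)


if __name__ == "__main__":
    for link, threats in demo().items():
        print(f"BLOCK {link}: {', '.join(threats)}")
```

Two design points worth noting. The check fails closed: if the lookup service cannot be reached, the link is reported as unverifiable rather than treated as safe, which is the behaviour you want in front of a "tap to update Flash" lure. And the gate only sees the delivery link; it does nothing against the overlay and SMS-hiding phases once the Trojan is on the device, so it belongs alongside, not instead of, controls on what gets installed.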