Malware gang nets $30 million in one month

RT has posted a story from Moscow titled Police bust hacker gang who made $30 million in one month.

Operatives of the city police directorate for fighting economic crimes have told journalists that the suspects created a computer virus that blocked all programs on the users’ computers and put a pornographic picture on the screen together with a demand to send an SMS to a certain number to receive a code that would supposedly unblock the computer. For the SMS the victims were billed about 300 roubles or $10. However, sending the SMS never led to any results and some users have sent it repeatedly.

I detect hyperbole. Let me count the ways I find this story hard to follow.

  1. Even if users sent the SMS repeatedly, there still must have been over a million users affected. I searched the source and found no mention of the malware incident. My Russian is not great, but a million people with inoperable computers seems like it should be a headline story long before the police report catching the people responsible. The software in this case is not named, but it probably is related to WinLock and LockScreen.
  2. Malware that tries to lock a system and demand payment is nothing new. Ransomware-A by name alone made it pretty clear in 2006 that you should not give in to demands for money. Are so many users in Russia really unaware of this class of malware and attack vector? Do they not realize they could use a free tool to get the unlock code or just figure out the unlock code themselves?
  3. Russians are said to be familiar with or even seasoned by news of fraud and crime linked to blackmail. Why did they forgo all the other options and instead believe in a ransom note — give their money to someone without any guarantee of getting an unlock code in return?
  4. The telecom companies facilitated the crime. They must have detected something amiss when that many SMS messages flooded their system for so long and generated so much revenue. Is there no fraud detection? No early-warning system in operation? Did they send a giant check to the gang as a prize, like a lottery winner, or did they just freeze the account and refuse payment? Perhaps I should ask this a different way. Do infrastructure operators in Russia have any incentive to detect and block this kind of obvious criminal activity, or are they just taking a cut of the profits (apparently 50%) and walking away clean even after the criminals are caught?

The failure of fraud detection and of user awareness is the real story I see in this report. Two or three days after the attack started it could have been shut down completely. There is nothing glamorous or clever about it, and it is very easy to stop or prevent, which makes it so hard to believe it could have been as successful as claimed on the strength of the malware alone. I therefore think this amount of money must only be possible with the cooperation of those who could have stopped the attack.
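As an added example, not part of the original post or of any operator's real system, here is the kind of simple check the post argues a telecom could have run against its premium-SMS billing feed: flag any short code whose distinct paying senders jump far above its historical baseline while a large share of those senders pay more than once, the pattern of victims re-sending because no unlock code ever arrives. The records, short codes, charges and baseline are constructed; the thresholds are assumptions a practitioner would tune.

```python
from collections import defaultdict

# Constructed billing records for one day: (sender, short_code, charge_roubles).
# Short code "3649" is the constructed scam code; "1234" is a legitimate service.
RECORDS = [
    ("7900000001", "3649", 300), ("7900000001", "3649", 300),
    ("7900000002", "3649", 300), ("7900000002", "3649", 300),
    ("7900000003", "3649", 300), ("7900000004", "3649", 300),
    ("7900000005", "3649", 300), ("7900000005", "3649", 300),
    ("7900000006", "3649", 300), ("7900000007", "3649", 300),
    ("7900000008", "1234", 50),  ("7900000009", "1234", 50),
    ("7900000010", "1234", 50),
]
# Constructed baseline: typical distinct senders per day for each known short
# code. A code absent from the baseline is newly registered (baseline 0).
BASELINE = {"1234": 2}


def summarise(records):
    """Per short code: distinct senders, senders who paid more than once,
    total messages and total revenue."""
    per_code = defaultdict(lambda: {"senders": defaultdict(int), "revenue": 0})
    for sender, code, charge in records:
        per_code[code]["senders"][sender] += 1
        per_code[code]["revenue"] += charge
    out = {}
    for code, data in per_code.items():
        counts = data["senders"]
        out[code] = {"distinct": len(counts),
                     "repeats": sum(1 for n in counts.values() if n > 1),
                     "messages": sum(counts.values()),
                     "revenue": data["revenue"]}
    return out


def flag_suspicious(records, baseline, new_code_min=5, growth=5.0, repeat_frac=0.3):
    """Return the short codes whose sender volume spikes above baseline AND
    whose repeat-sender share is high; both together indicate a ransom scam
    rather than a popular new service (thresholds are assumed values)."""
    flagged = {}
    for code, s in summarise(records).items():
        base = baseline.get(code, 0)
        spike = s["distinct"] >= (new_code_min if base == 0 else growth * base)
        repeat_share = s["repeats"] / s["distinct"]
        if spike and repeat_share >= repeat_frac:
            flagged[code] = {**s, "repeat_share": round(repeat_share, 2)}
    return flagged


if __name__ == "__main__":
    for code, s in flag_suspicious(RECORDS, BASELINE).items():
        print(f"hold payouts for short code {code}: {s}")
```

On the constructed day the check flags "3649" (seven distinct senders, three of them paying twice) and leaves the established "1234" alone; an operator would hold the payout to the flagged code's owner rather than forward it.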

An ITAR-TASS report gives a very different estimate of harm over a much longer period of time.

According to preliminary calculations, more than 3,000 Internet users fell victim to fraudsters in April alone, including in CIS countries. According to police data, the annual profit of law-breakers topped one billion roubles.

Perhaps something is being lost in translation with the first report. The same amount over a year is far more believable, but it still raises the question of corruption and the absence of simple controls.
