If you’ve ever sat in on a cybersecurity hearing on Capitol Hill or attended a security conference , then you’re no doubt familiar with the oft-preached need for information sharing and private-public partnerships. So frequently repeated are these refrains that they’re almost as meaningless as the acronym “APT.”

However, the security firm Group-IB and the Russian government’s cybersecurity investigatory unit, Department K, claim to have curbed the theft of a billion rubles by doing just that: sharing information and partnering.

Russia’s largest bank, Sberbank of Russia, suspected that someone was attacking its online banking operation and reached out to Group-IB to carry out a forensic analysis of its networks. Group-IB determined that the attacker was stealing money from the bank’s customers by circumventing its SMS-based payment verification feature.

In the end, the Russian cybersecurity police known as Department K used information provided by Group-IB and Sberbank of Russia to arrest an unnamed 40-year-old man from the Volga River city of Togliatti. According to Group-IB, the prolific Russian cybercriminal exploited the online banking systems of various Russian banks in order to perform more than 5,000 fraudulent transactions from as far back as August 2011.

Group-IB’s analysis determined that the attacker, who has been since arrested, deployed the popular the Carberp malware against his targets. The perpetrator of the attack campaign installed the Carberp Trojan on the machines of Sberbanks’ unknowing online customers. The malware then used Web-injection functionality to display spoofed banking pages to users on infected systems. In this way, users willingly submitted their banking log-in information and cell phone numbers into web forms that appeared to come from their bank, but actually communicated back to the attacker. Using this information, the man managed to clone his victims’ SIM cards and bypass SMS-based mobile payment confirmations.

GoupIB department k collab

“The investigation of this case — from the first moment when Group-IB received a complaint from a victim to when the perpetrator was apprehended — was conducted in record time, in less than six months. Thus, we managed to prevent thefts from Russian banks on the amount of 1 billion Roubles ($34 Million)” said Group-IB CEO, Ilya Sachkov. “This was the first case investigated within the European Cyber Security Federation (ECyFed) union, which includes Group-IB, CyberDefcon, and CSIS.”

*Image of Sberbank of Russia bank in Krasnodar, Russia via Helen Flamme‘s Flickr photostream

Categories: Malware