The newspaper Kommersant reports that last week FinCERT specialists sent banks a bulletin describing a new scheme for stealing customer funds. The unnamed attackers used the Fast Payment System (SBP) together with a vulnerability in one bank's systems. According to market participants, this is the first known case of theft of funds via the SBP.
The publication's own source explained to reporters that the hacker used the vulnerability to obtain customer account data. He then launched the mobile application in debug mode, logged in as a real client, and sent a request to transfer funds to another bank, but before the transfer was executed he replaced his own account, as the sender of the funds, with the account number of another client of the same bank. The remote banking system (RBS), without checking whether the specified account belonged to the sender, sent a command to the SBP to transfer the funds, which the SBP carried out.
The FinCERT bulletin noted that in the successful attack the victims' account numbers were brute-forced using an undocumented feature of the remote banking (RBS) API.
“The problem was identified in the software of one bank (mobile application and remote banking system) and was of a short-term nature. It was promptly eliminated,” representatives of the Central Bank commented. The bank's name was not disclosed, but it is emphasized that the SBP itself is reliably protected.
It is interesting that, according to the publication, the vulnerability was so specific that it was almost impossible to discover it by accident: “Someone well acquainted with the architecture of this credit institution's mobile bank could have known about it. That is, either someone inside the bank, or a software developer, or someone who tested it,” a source in a large bank told reporters.
Group-IB experts explain that the fraud consisted in the fact that the sender field was not checked in the mobile application. The cybercriminals made the transfer on their own behalf, but instead of their own account number, from which the funds were to be debited, they substituted the victim's account number (in the SBP a phone number can be specified). As a result, the bank received a message about a transfer from someone else's phone number to the fraudster's number, and the bank accepted this operation.
“The problem is not in the fast payment system, but in its implementation in a specific application of a particular bank,” says Sergey Nikitin, Deputy Head of the Group-IB Laboratory. “The fraudsters managed to pull off this scheme because they carefully studied the mobile banking application and found that the sender field is not updated and can be changed. Does anyone else have such vulnerabilities? I hope that the fraud has not become widespread, and such a bug is rather an exception. Unfortunately, in this scheme, users cannot protect themselves, but banks can and should conduct an independent audit of their mobile applications and implement behavioral analysis systems that protect mobile banking.”
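The defect described above is a missing server-side ownership check: the backend trusts the sender account sent by the mobile app instead of binding it to the authenticated session. The following is an added illustration, not code from the bank, Group-IB or the article; the account numbers, client ids, phone number and the in-memory `ACCOUNT_OWNER` table are constructed placeholders, and `transfer_vulnerable`, `transfer_hardened` and `audit_requests` are hypothetical names.

```python
from dataclasses import dataclass

# Constructed sample data: which client owns which debit account (hypothetical backend).
ACCOUNT_OWNER = {
    "40817810000000000001": "client_a",   # victim's account
    "40817810000000000002": "client_b",   # fraudster's own account
}


@dataclass
class TransferRequest:
    sender_account: str    # supplied by the mobile app, hence attacker-controlled
    recipient_phone: str   # SBP recipient identifier (phone number)
    amount: int


class AuthorizationError(Exception):
    pass


def transfer_vulnerable(authenticated_client: str, req: TransferRequest) -> dict:
    """Pattern the article describes: the RBS forwards whatever sender account
    the app supplied, never checking that it belongs to the logged-in client."""
    if req.sender_account not in ACCOUNT_OWNER:
        raise ValueError("unknown account")
    return {"debit": req.sender_account, "to_phone": req.recipient_phone, "amount": req.amount}


def transfer_hardened(authenticated_client: str, req: TransferRequest) -> dict:
    """Fix: the debit account must be owned by the authenticated session's client.
    Any mismatch is rejected before a command is sent to the payment system."""
    if ACCOUNT_OWNER.get(req.sender_account) != authenticated_client:
        raise AuthorizationError(
            f"{authenticated_client} does not own account {req.sender_account}")
    return {"debit": req.sender_account, "to_phone": req.recipient_phone, "amount": req.amount}


def audit_requests(records: list[tuple[str, TransferRequest]]) -> list[str]:
    """Detection view for a fraud-monitoring system: scan (client, request) pairs
    already accepted by a vulnerable backend and return the clients whose request
    debited an account they do not own."""
    return [client for client, req in records
            if ACCOUNT_OWNER.get(req.sender_account) != client]
```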