May 24, 2017
The Cron gang was looking for a few good cybercrooks when it posted a help wanted ad on an underground hacking forum. What it got instead was the attention of security firm Group IB and Russian law enforcement. A series of raids led to 20 arrests and the recovery of numerous computers, payment cards and SIM cards registered to fake identities.
Russian police aren't always keen to move against local cybercriminals -- that is, unless they get reckless and start targeting their fellow countrymen. According to the report from Group IB and the Russian Ministry of the Interior, that's exactly what happened with the Cron gang.
The Cron gang's heists followed a tried-and-tested technique. They distributed Trojanized versions of banking and other popular mobile apps. Once a user's device had been infected, the malware watched for login credentials to be entered or for two-factor verification codes to be received via SMS.
Money was stolen from victims in relatively small amounts -- typically just over a hundred dollars -- so as not to attract too much attention. The gang's malware was reportedly responsible for stealing around $890,000 from its Russian victims. Accounts at Sberbank, Alfa Bank, and online payment company Qiwi were hit.
A haul of less than a million dollars is a fairly small take in the world of malware, but it's believed that the gang was just testing the waters. According to a Reuters report, the hackers were getting ready to go international. It's believed that the next stage in the Cron gang's operation was to target account holders at as many as eight French banks.
To expedite its expansion, the gang was prepared to fork over $2,000 a month for access to malware-as-a-service. Cron planned to tap Tiny.Z, an Android Trojan that's pre-configured to target a number of countries -- including the U.S.