
Global Cyber Security Company

Founded in 2003


Group-IB establishment

Entering international markets

The largest forensic laboratory in Eastern Europe

Launch of Computer Security Incident Response Team CERT-GIB


Group-IB conducted an investigation into the state and dynamics of today's computer crime market and current cyber threats for the year 2012 and the first quarter of 2013. The investigation was assisted by experts from the computer incident response center CERT-GIB.

This report examines current information security threats, analyzes the trends in the cybercrime world, gives statistical assessments of the cybercrime market and forecasts regarding its change in the near future (2014-2015).


Assessment of the cybercrime market

Internet fraud
Online banking fraud; Cashing other illegal profits; Electronic money theft
$490 MM; $122 MM; $55 MM; $30 MM; $697 MM

Medicines and various counterfeit products; Counterfeit and fake software; Other (dating, education, travel, etc.)
$142 MM; $135 MM; $553 MM; $830 MM

Internal market (C2C)
Selling of traffic; Selling of exploits; Selling of installs
$153 MM; $41 MM; $27 MM; $9 MM; $230 MM

$130 MM

$168 MM

Internet fraud
Online banking fraud; Cashing other illegal profits; Electronic money theft
$446 MM; $89 MM; $57 MM; $23 MM; $615 MM

Medicines and various counterfeit products; Counterfeit and fake software; Other (dating, education, travel, etc.)
$173 MM; $120 MM; $493 MM; $786 MM

Internal market (C2C)
Selling of traffic; Selling of exploits; Selling of installs
$167 MM; $52 MM; $33 MM; $9 MM; $261 MM

$109,8 MM

$166 MM

Internet fraud decrease

The cybercrime market in Russia shrank by 6% in 2012, although its segments moved in different directions. A drop in online banking theft was the most important factor behind the reduction in cybercrime. In analyzing the causes of the decline in thefts, Group-IB analysts highlighted the following factors.
  • Successful operations aimed at dismantling criminal groups.
  • Organization of an interbank list of drops.
  • Deployment of antifraud solutions by banks.
  • Botnet monitoring and compromised data extraction.

Counterfeit spam growth

In spite of the general decrease in spam, there was a 22% increase in the sale of various counterfeit products through e-mail spam: counterfeit medicines, drugs, accessories. The increase was caused by the general development of this illegal business and the emergence of new affiliate programs.

Growth of cybercriminal expenses

It is also noteworthy that the domestic C2C market grew by 13%, meaning there was an increase in infrastructure spending on botnets and malware distribution. This trend is related to a general increase in the security level of client workstations and to the technological improvement of the software used.

According to Group-IB, there was an average of 44 thefts carried out from online banking systems in 2012

In 2011, an auto-stealing module for the Carberp malware was developed and actively deployed

"DUMP MEMORY GRABBER" steals dumps (credit card information) directly from the memory of vulnerable POS terminals.

Targeted attack on banks

Within the last year and a half, Group-IB has registered at least 6 cases of unauthorised access to the IT infrastructure of major financial institutions in Russia, resulting in huge money thefts and losses (millions of dollars). It is noteworthy that in 70% of cases malware and banking trojans played a major role.

Growing use of "avtozaliv" technology

Even though online banking fraud in Russia has decreased, the total amount is still very high. In many respects this can be attributed to the use of new money theft techniques, particularly the active deployment of "avtozaliv" (automated unauthorised money transfer transaction) functionality against popular remote banking systems.

Attacks on online-trading clients

In 2012 Group-IB, for the first time, registered targeted attacks on computers with the goal of stealing access credentials and keys for online trading systems, such as QUICK and FOCUS IV online. Even though no thefts were registered, these cases show a new point of interest for cybercriminals.

Trojans for POS-terminals

In March 2013, Group-IB experts found new malware called Dump Memory Grabber on one of the underground sites. This malware is aimed at infecting cash-register computers that have POS terminals attached to them, which are common in retail trade and catering networks in the United States. As a result of the operation, a few thousand compromised banking cards were found and passed to payment systems, affected banks and law enforcement agencies for investigation.

Mobile platforms attack

The use of mobile devices for transaction confirmation forces criminals to attack mobile platforms. In December 2012, Group-IB registered and stopped an attack on customers of major Russian banks through fake malicious mobile applications.

Security audit and pentest

Within the last year and a half, Group-IB performed security audits and penetration testing of dozens of online banking systems, web services and mobile applications.

Activity in this field turned out to be very helpful for Group-IB clients: on average, 6 serious security flaws were found in each analysed resource.

The cybercrime gang rented an office in central Moscow under the guise of a data recovery center

The botnet grew by an average of over 30,000 newly infected computers

More than 5 000 individuals and companies were robbed by this cybercrime gang

Dismantling criminal groups

One of the most important directions of Group-IB's work is investigating and eliminating cybercrime. A few interesting cases from Group-IB practice are described below.

Cybercrime gang "Carberp"

The Carberp gang was created in 2008 and had at least 8 active members. During the next 4 years they committed thousands of thefts from corporate banking accounts in Russia.
During the investigation, it was found that the attackers used the Carberp malware to replicate digital signature keys, intercept passwords and take screenshots of what users were doing in an online banking system. On 14 March 2012, the FSB and the Russian Ministry of Internal Affairs, assisted by Group-IB, arrested the members (8 people) of the Carberp organized criminal group.

Cybercrime gang "Hodprot"

This criminal group began its activities in 2009 and specialized in stealing money from corporate bank accounts. The fraudsters used a malicious program called Hodprot at the beginning of their criminal activities, and later changed to Carberp in 2011.

As of 14 October 2011, the size of the botnet was about 700,000 computers, and by 20 December 2011 it had reached 1.5 million computers. A total of 19 people, mostly pourers, had access to the botnet control panel. They manually checked each bank customer, left comments to interact with each other and carried out unauthorized transfers. Germes had big plans to develop the illegal business and planned to hire skilled developers from China, whom he would offer relocation to Russia.

On 16 May 2012, the Economic Security and Anti-Corruption Department of the Russian Ministry of Internal Affairs for Moscow, with support from Group-IB experts, made the first arrests of members of this criminal group. Six people were arrested. Among those arrested were pourers, traffers, server administrators, and those maintaining exploit packs. On 5 June 2012, the organizer of the criminal group, Germes (alias Arashi), was detained. At the time of his arrest, there were over 6 million computers in his botnet.

Hameleon arrest

There was an upsurge in cases of theft against individuals at the end of December 2011 and in January 2012. These thefts had a common feature: just before the theft, the phone numbers on which users received SMS messages with one-time passwords stopped working.

As a result of its investigation, Group-IB uncovered the whole fraud scheme, which included many steps: infecting the customer, collecting additional information with the help of web injects, illegally re-issuing the SIM card and finally stealing the money.

On 29 May 2012, the Russian Ministry of Internal Affairs, assisted by Group-IB experts, arrested the author of the web injects and administrator of the server to which the stolen data were sent. It was a forty-year-old resident of Tolyatti, a programmer by training, who was involved in criminal business in August 2011. The attacker confessed immediately after arrest.

Report on the work of CERT-GIB

In 2012, the incident response and security team CERT-GIB processed more than 3200 requests.

Botnets shutdown

Preventing the functioning of botnets and shutting down botnet command servers is one of the important achievements of Group-IB. Below we consider four of the most interesting examples.


At the end of 2012, some banking networks suffered DDoS attacks. Investigations carried out established that a botnet called Dragon was involved in the attacks. After establishing the exact location of the attacker, a group of special agents, assisted by Group-IB forensic experts, was dispatched to that location and the cybercriminal (a 24-year-old man) was arrested. The Dragon botnet, which caused an estimated loss of tens of thousands of U.S. dollars, was shut down.


In the summer of 2012, in cooperation with malware intelligence company FireEye, experts from Group-IB and CERT-GIB shut down 21 servers of the Grum botnet, which was regarded as the third largest in the world. This botnet was used extensively for sending pharmaceutical spam e-mails through its work with affiliate programs involved in counterfeit medicines (Viagra, Cialis, etc.).


The botnet built with the Slenfbot worm, which was distributed through compromised websites and instant messaging clients (Windows Live Messenger, AOL Instant Messenger (AIM), Yahoo! Messenger, Google Chat, Facebook Chat, ICQ and Skype), has an estimated size of 600,000 compromised computers. In June 2012, the incident response center CERT-GIB identified the control servers of the Slenfbot botnet. Through international cooperation, this botnet was successfully shut down.


In January 2013, the Spamhaus Project announced it had shut down the Virut botnet, a worm that spreads through removable drives and network shares. Virut was first detected in 2006 and became a serious threat with an estimated size of more than 300,000 compromised computers. Spamhaus had made numerous unsuccessful attempts to shut down the botnet before. In the process of shutting down Virut, the Spamhaus Project reached out to Austrian CERT and CERT-GIB. All the Virut domains within the .ru ccTLD were shut down within hours as a direct result of cooperation with Group-IB.