How the methods of fraudsters changed during the war and can the Russian hackers “put down” Ukrainian banks πŸ”’


The column was first published for on December 5, 2022

Drastic times call for drastic measures, says a well-known expression. And during the war, this applies both to the citizens \ state, and to the criminals of various caliber – from Russian hackers to phishers.

I am the Chief Technical Officer at bill_line fintech company and now I will briefly talk about how the financial sector protects our money and what we should pay attention to for information hygiene.

Can hacker attacks “put down” the Ukrainian financial system

There are two questions in one:

  1. First, could Russian hackers theoretically “put down” any major bank, thereby exposing our country to huge problems and instability, and leaving customers without money? Yes, they can.
  2. Second, can the same hackers “put down” a large Ukrainian bank? No , because if they could, they would already do this .

The largest Ukrainian banks, which are often serious players in the Internet acquiring market, perfectly understand all the risks.

The full-scale war on the cyber front began on February 15 2022: the hackers of the terrorist country launched a massive DDoS attack on the entire financial and administrative system of Ukraine. For five hours, hackers damaged the largest banks (monobank, Oschad, Privat, Alfa, Raiffeisen) and state digital services (Diia, Ukrainian Radio and all sites in the domain zone).

They managed to “put down” online banking “Oschad 24/7” and “Privat 24” for some time, while only the NBU website survived. It’s too early to judge the extent of the data breach, and I don’t have enough sources to do so. It is clear they achieved some result, but judging by the fact the system works and the money did not disappear from the bank cards, this result was very poor.

Not only Ukraine can suffer from this attacks, but also our closest allies. On November 19 2022, hackers attacked Estonia: the websites of the Ministry of Economy and Communications, the Bank of Estonia, the Estonian National Fund and the energy company Eesti Energia were attacked. Estonia managed.

The next day, the Killnet group tried to “put down” the White House site and Starlink. Here the situation was worse: the POTUS website was “down” for half an hour, and the Starlink authorization form did not work for a couple of hours, after which authorization was still impossible.

All attacks have one basis – to overcome the filtering system of user requests (error 429) and damage / steal the database.

Their estimate minimum: to paralyze the operation of the service due to the impossibility of authorization/registration. Their estimate maximum: to get access to customer data and use it for their own purposes.

War became a security test for many products, which are primarily associated with fundraising initiatives:

  • transfers from card to card;
  • donations to Ukrainian Armed Forces;
  • well-known mono “piggy banks”, in which millions of Ukrainians collect for cars, thermalΡ‹, uniforms and other means of accelerating the victory of Ukraine.

Attacks on the bank in the smartphone were regular: in September, and especially in October, when the Prytula foundation started a mega fundraise in revenge for terrorist attacks on the energy infrastructure. And the monobank almost did not lose full functioning.

Therefore, every time you use such services, you need to understand what work is behind them and how high the level of qualification of our specialists is.

Have new phishing schemes and methods emerged during the war?

No, but there are new interpretations of old methods that are constantly increasing in performance.

Let’s simulate classic phishing situations:

  • The attacker copies the landing page of a well-known brand, on which customers used to pay with bank card. It describes the service and offers to pay for it. If earlier you could find grammatical errors or very artisanal work of the copywriter on such sites, now everything is copied, including the brand font. Sites even manage to purchase an SSL certificate, but looking at the certificate issuer will show that most of the them are free SSLs with no legal entity or any domain details.
  • Phone calls about a huge winnings, a new line of credit, a payment problem, a card being blocked – I think almost everyone has received a call from “their bank” at some point. This year, this phishing scheme received a significant upgrade. Now it is almost impossible to hear a “live” voice on the other end of the phone that could have hung up after the first uncomfortable question. Operators have been replaced by an answering machine, which in some cases imitates the voice of a robot assistant that we are used to hear when we call aΒ  bank hotline. This means our phishers already use voice generation.

What to do with all this?

Does this mean all is lost? No. The elementary rules of information hygiene for the security of your payment data are the same:

  • check the pages on which you enter card data;
  • do not click on suspicious links;
  • store card data only in applications that you fully trust.