Hackers stole money from Kukuruza(Kykyryza) cards using Apple Pay
83 Kykyryza(Kukuruza) cardholders suffered from the theft of funds. The fraudsters gained access to the logins and passwords from the mobile and Internet banking, and then they connected Apple Pay and withdrew funds. Now the problem is solved, the money is returned.
The Kykyryza card is a multifunctional bonus payment card, which is offered to its customers by the United Russian company Svyaznoy/Euroset. The card works in the Mastercard payment system.
Since May 2 complaints of Kykyryza cardholders about the theft of their funds began to appear on the website Banki.ru. Victims of the attack received SMS that their card is connected to Apple Pay, immediately after that, the money was withdrawn to the Tele2* number. All victims indicate that they did not receive SMS or Push-notifications with a verification code to connect to Apple Pay.
It turned out that hackers attacked a social service, where they received data about the owners of Kykyryza cards to log into the account and then they checked if the victims used the same username and password in the mobile or Internet Bank. If the data was the same, then the attackers connected mobile application Kykyryza to the Apple Pay and proceeded to withdraw money.
The company Svyaznoy/Euroset confirmed the theft of funds from Kykyryza card owners, noting that the number of victims is small, as only 20 million cards were issued. According to Alexander Malis, the SEO of the company, only 83 cardholders suffered.
“The hackers stole about 2 million rubles ($ 31 000),— said Mr. Malis.— The stolen funds were already returned to all the victims.”
Vladimir Dryukov, the Director of the Solar JSOC Cyber Attack Monitoring and Response Center, noted that the mobile application with this method of theft showed two serious vulnerabilities — the lack of protection from the change device when you log in to the mobile Bank and the lack of protection from the selection of the numbers.
However, according to Mr. Malis, Kykyryza card showed a high level of security in the conditions of a mass attack. He also clarified that a special update has already been released, which will not allow an unauthorized user to change the mobile device.