Finance data leak exposes Russian citizens


A dataset thought to belong to a payment services provider in Russia left a trove of sensitive information open to the public, the Cybernews research team has discovered. Threat actors could have used this to build victim profiles and scam them out of funds.

The 130GB-strong dataset contained payments, transcripts, invoices, and other financial information belonging to ordinary Russians who transferred money to pension funds and the Treasury.

The team also discovered information on internal company monitoring, two-factor authentication (2FA) logs, and 3DS bank authentication – a technical standard that adds a layer of security in online credit and debit card transactions, often by asking users to confirm payments via a bank website.


The data

One index within the dataset held a whopping 10GB of invoice data and references to invoices in PDF format, including payee and payer, the amount being paid, and the time of payment.

Another 5GB consisted of indices prefixed with sms, paybank, oglogs, mplogs, and mdwallet, each containing smaller clusters of sensitive financial data. The mdwallet logs stored information about 3DS bank authentication, other 2FA authentication logs, and transactions.

The open dataset also included close to 24GB of financial services data that included Simple Object Access Protocol (SOAP) XML request and response logs. SOAP is a messaging protocol specification for exchanging structured information on the web.

Another 1GB of data consisted of SOAP requests and responses for websites with .ru top-level domains. An additional 90GB was dedicated to information detailing the usage of monitored computers. Since the data is related to financial services, the logs likely come from a bank or from within the service provider network.

The payment data included personally identifiable information (PII), such as the amount transferred, transfer descriptions, the recipients and their details, as well as sensitive technical information.

Cashless payment in Saint Petersburg, Russia. Image by Shutterstock.

Whose data is it?

The leak was discovered on a database in St Petersburg, Russia, hosted by Xelent, a Moscow-based cloud solutions provider. The team has discovered that the open instance was hosted on a server with an IP address registered by tprs.ru, a domain name belonging to St Petersburg-based software firm Accounting Systems (Расчётные системы). The company is a Russian government contractor for IT solutions.

According to the information listed on the firm's website, several large Russian companies and institutions have partnered with Accounting Systems. Among them are Russia's major telecommunications company, Rostelecom, the local governments of Moscow and St Petersburg, and Russia's second-largest independent handset retailer Svyaznoy.

Accounting Systems (Расчётные системы) lists platforms in Russia that facilitate payments to Russia's Federal Tax Service, and serves as Mobi.Dengi's center of competence for public sector projects.

Mobi.Dengi, short for “mobile money,” offers payment solutions throughout Russia. The logs prefixed mdwallet might indicate that the information is related to the payment services Mobi.Dengi provides.

Our team also found that the accessible datasets included SOAP logs of the Russian Treasury and those from services hosted on government and financial services domains.

Cybernews researchers spotted the dataset during a routine OSINT investigation on April 25, on an open Elasticsearch instance. This is a popular search engine favored by enterprises dealing with large, constantly updated volumes of data.

The leak was closed nine days after the initial discovery, suggesting the company responsible for the dataset noticed it after running a security check.


Dangerously personal


Leaks with financial information are particularly dangerous, as they provide threat actors with information that can be leveraged to scam victims out of funds.

According to Alex Hamerstone, advisory solutions director at cybersecurity firm TrustedSec, attackers with information found on invoices could use it to send realistic-looking fake invoices. The more convincing the scam, the more likely a potential victim will pay up.

"Not only would paying a fake invoice put money directly in the scammer's pocket, but it will also give the scammer access to payment/account information that can be used for further theft," Hamerstone told Cybernews.

Meanwhile, losing 2FA logs can turn sour very quickly for the owner. If the logs include the authentication method, scammers could leverage this information to concoct a more believable attack, tricking the victim into revealing all sorts of financial data.

Losing 3DS data is equally bad, since threat actors could use this to carry out more focused attacks against potential victims.

Though Accounting Systems has closed the database, users whose information may have been compromised are advised to keep a close eye on their bank and other payment accounts.

"Users should also verify any invoices they receive,” said Hamerstone. “Contacting the company should be standard practice for any unexpected invoice.”