Just a few days ago, security journalist Brian Krebs reported that the FBI is warning banks that cybercriminals are about to carry out a “highly choreographed, global fraud scheme known as an ‘ATM cashout,’ in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.”
The campaign could begin at any time: the FBI says it received a tip that criminals are planning to attack ATMs and/or banks on a global scale.
According to Krebs, the FBI shared a confidential alert with banks last Friday. The alert says the Bureau has obtained unspecified reporting indicating that hackers are planning to carry out a global ATM cash-out scheme.
How Would the Cash-Out Happen?
The criminals behind such an operation first compromise a bank or card processor with malware. Getting that malware onto the targeted systems is usually a multi-stage intrusion rather than a single drop, and the final payload only lands once the attackers have a foothold inside the network. With that access they remotely raise ATM withdrawal limits and inflate account balances, and cloned cards carrying the affected account data are then used at cash machines around the world. The withdrawals run in parallel, which is how the crooks can empty every targeted ATM of all the cash it holds within hours, Krebs says.
Small-to-Medium Size Banks at Risk
“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” the FBI alert reads. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
Attacks are also expected to be launched on weekends, as previous ATM cashout operations indicate: these campaigns are typically initiated after banks and financial institutions close for business on Saturday. Krebs reported a fresh example last month. An “unlimited operation” against the National Bank of Blacksburg in Virginia netted cybercriminals a total of $2.4 million, extracted from the bank's accounts in two separate ATM cashouts.
Both intrusions started the same way: with a phishing email sent to a bank employee.
How to Counter ATM Cashout Operations
The very first thing every bank should do is review its security controls and evaluate how effective they actually are. The FBI says strong passwords and two-factor authentication, using a physical or digital token, should be considered.
The FBI also recommends that banks and financial institutions adopt separation of duties or dual-authorization procedures for changes to account balances and withdrawal limits, as well as application whitelisting to prevent malware infections. Other tips include:
- Monitor, audit and limit administrator and business-critical accounts with the authority to modify the account attributes mentioned above.
- Monitor for the presence of remote network protocols and administrative tools that attackers use to pivot back into the network and conduct post-exploitation, such as PowerShell, Cobalt Strike and TeamViewer.
- Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.
- Monitor for network traffic to regions where you would not expect to see outbound connections from the financial institution.
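The separation-of-duties recommendation above is easy to state and easy to get subtly wrong. The following Python is an added example, not code from the article or the FBI alert, showing what a dual-control check on the two attributes a cashout crew needs (balance and daily withdrawal limit) looks like when it actually enforces the rule: any increase needs a second, different, authorized person; a hard ceiling stops a card from becoming "unlimited" even with two approvals; and every decision, allowed or denied, is written to an audit trail. The role names, the ceiling value, the account records and the sample requests are all assumptions constructed for illustration.

```python
"""Dual-control (two-person) approval for changes to account balances and ATM
withdrawal limits. Added example, not the FBI's or the article's code; roles,
ceiling and record layout are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SENSITIVE_ATTRIBUTES = {"balance", "daily_withdrawal_limit"}
# Assumed: only these roles may request or approve changes to those attributes.
AUTHORIZED_ROLES = {"card_ops_admin", "fraud_supervisor"}
# Assumed hard ceiling: even a fully approved change cannot make a card "unlimited".
MAX_DAILY_WITHDRAWAL_LIMIT = 5_000.0


@dataclass
class Account:
    account_id: str
    balance: float
    daily_withdrawal_limit: float


@dataclass
class ChangeRequest:
    request_id: str
    account_id: str
    attribute: str
    new_value: float
    requested_by: str
    requester_role: str
    approved_by: Optional[str] = None
    approver_role: Optional[str] = None


class AccountAttributeService:
    """Applies attribute changes only when separation of duties is satisfied."""

    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts
        self.audit_log: List[str] = []  # every decision, allowed or denied, is recorded

    def _deny(self, req: ChangeRequest, reason: str) -> bool:
        self.audit_log.append(f"DENY  {req.request_id} {req.account_id} {req.attribute} "
                              f"by={req.requested_by}: {reason}")
        return False

    def apply(self, req: ChangeRequest) -> bool:
        acct = self.accounts.get(req.account_id)
        if acct is None:
            return self._deny(req, "unknown account")
        if req.attribute not in SENSITIVE_ATTRIBUTES:
            return self._deny(req, "attribute not managed here")
        if req.requester_role not in AUTHORIZED_ROLES:
            return self._deny(req, "requester role not authorized")
        if req.new_value < 0:
            return self._deny(req, "negative value")
        if req.attribute == "daily_withdrawal_limit" and req.new_value > MAX_DAILY_WITHDRAWAL_LIMIT:
            return self._deny(req, "exceeds hard ceiling")
        current = getattr(acct, req.attribute)
        if req.new_value > current:
            # Increases are what a cashout crew needs; they always take a second person.
            if req.approved_by is None:
                return self._deny(req, "increase requires a second approver")
            if req.approved_by == req.requested_by:
                return self._deny(req, "approver must differ from requester")
            if req.approver_role not in AUTHORIZED_ROLES:
                return self._deny(req, "approver role not authorized")
        setattr(acct, req.attribute, req.new_value)
        self.audit_log.append(f"ALLOW {req.request_id} {req.account_id} {req.attribute} "
                              f"{current}->{req.new_value} by={req.requested_by} "
                              f"approver={req.approved_by}")
        return True


def run_demo() -> List[bool]:
    """Constructed requests covering the cases the control must reject and allow."""
    svc = AccountAttributeService({"4111-0001": Account("4111-0001", 500.0, 300.0)})
    requests = [
        # an admin approving their own limit increase: rejected
        ChangeRequest("r1", "4111-0001", "daily_withdrawal_limit", 2000.0,
                      "alice", "card_ops_admin", "alice", "card_ops_admin"),
        # the same increase with an independent approver: allowed
        ChangeRequest("r2", "4111-0001", "daily_withdrawal_limit", 2000.0,
                      "alice", "card_ops_admin", "bob", "fraud_supervisor"),
        # an "unlimited" card even with two approvers: rejected by the ceiling
        ChangeRequest("r3", "4111-0001", "daily_withdrawal_limit", 1_000_000.0,
                      "alice", "card_ops_admin", "bob", "fraud_supervisor"),
        # lowering a limit needs no second person
        ChangeRequest("r4", "4111-0001", "daily_withdrawal_limit", 100.0,
                      "alice", "card_ops_admin"),
        # balance inflation from a compromised teller account: rejected
        ChangeRequest("r5", "4111-0001", "balance", 250_000.0, "svc_teller", "teller"),
    ]
    outcomes = [svc.apply(r) for r in requests]
    for entry in svc.audit_log:
        print(entry)
    return outcomes


if __name__ == "__main__":
    run_demo()
```

The point of the ceiling is that dual control alone does not help once an attacker holds two administrator accounts, which is exactly the situation after a phishing-led intrusion; a limit that cannot be raised past a business-justified maximum caps the loss regardless of who approved the change.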
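The three monitoring items in the list (remote-administration tooling, TLS on non-standard ports, and outbound traffic to unexpected regions) translate directly into detection logic. The Python below is an added example, not the FBI's or the article's code, that runs those checks over constructed sample logs. The flow-log and process-log formats, the port allowlist, the expected-country set, the host allowed to run TeamViewer and the PowerShell command-line heuristics are all assumptions; a real deployment would read its SIEM's own schema and tune the lists to the institution's actual business.

```python
"""Detection checks for the FBI's monitoring recommendations, run over
constructed sample logs. Added example, not from the article or the FBI alert;
log formats, allowlists and heuristics are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import List

# Assumed policy: TLS is expected only on these destination ports.
EXPECTED_TLS_PORTS = {443, 465, 993, 995, 8443}
# Assumed policy: the institution has no business reason to talk to other regions.
EXPECTED_COUNTRIES = {"US", "CA"}
# Assumed allowlist: the only host where a remote-support tool is sanctioned.
TEAMVIEWER_ALLOWED_HOSTS = {"helpdesk-01"}
REMOTE_ADMIN_TOOLS = {"teamviewer.exe", "teamviewer_service.exe"}
# PowerShell switches and cmdlets typical of download cradles and encoded payloads.
SUSPICIOUS_POWERSHELL = re.compile(
    r"-e(nc|ncodedcommand)?\b|downloadstring|invoke-expression|\biex\b|-nop\b|-w(indowstyle)? hidden",
    re.IGNORECASE,
)

# Constructed flow records: ts src dst dport app country (app as identified by DPI).
FLOW_LOG = """\
2018-08-12T01:12:03Z 10.0.5.23 198.51.100.9 443 tls US
2018-08-12T01:12:41Z 10.0.5.23 203.0.113.7 8080 tls RO
2018-08-12T01:13:10Z 10.0.7.4 198.51.100.20 22 ssh US
2018-08-12T01:13:55Z 10.0.5.23 192.0.2.55 443 tls US
2018-08-12T01:14:02Z 10.0.5.23 203.0.113.7 53 tls RO
"""

# Constructed endpoint process-start records.
PROC_LOG = r"""
2018-08-12T01:10:05Z host=teller-ws-17 image=powershell.exe cmd="powershell.exe -NoProfile -Command Get-ChildItem"
2018-08-12T01:11:30Z host=teller-ws-17 image=powershell.exe cmd="powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
2018-08-12T01:12:00Z host=helpdesk-01 image=TeamViewer.exe cmd="C:\Program Files\TeamViewer\TeamViewer.exe"
2018-08-12T01:14:40Z host=cardproc-db-02 image=TeamViewer.exe cmd="C:\Users\svc_batch\AppData\Local\TeamViewer.exe"
"""
PROC_RE = re.compile(r'^(\S+) host=(\S+) image=(\S+) cmd="(.*)"$')


@dataclass
class Alert:
    rule: str
    ts: str
    detail: str


def check_flows(lines: List[str]) -> List[Alert]:
    """TLS on a non-standard port and traffic to an unexpected region."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, app, country = line.split()
        port = int(dport)
        if app == "tls" and port not in EXPECTED_TLS_PORTS:
            alerts.append(Alert("tls_nonstandard_port", ts, f"{src} -> {dst}:{port}"))
        if country not in EXPECTED_COUNTRIES:
            alerts.append(Alert("unexpected_region", ts, f"{src} -> {dst} ({country})"))
    return alerts


def check_processes(lines: List[str]) -> List[Alert]:
    """Remote-admin tooling outside its allowlist and suspicious PowerShell use."""
    alerts: List[Alert] = []
    for line in lines:
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        ts, host, image, cmd = m.groups()
        image_l = image.lower()
        if image_l in REMOTE_ADMIN_TOOLS and host not in TEAMVIEWER_ALLOWED_HOSTS:
            alerts.append(Alert("remote_admin_tool", ts, f"{host}: {cmd}"))
        elif image_l == "powershell.exe" and SUSPICIOUS_POWERSHELL.search(cmd):
            alerts.append(Alert("suspicious_powershell", ts, f"{host}: {cmd}"))
    return alerts


def run_all() -> List[Alert]:
    alerts = check_flows(FLOW_LOG.splitlines()) + check_processes(PROC_LOG.splitlines())
    for a in sorted(alerts, key=lambda a: a.ts):
        print(f"{a.ts} {a.rule:24} {a.detail}")
    return alerts


if __name__ == "__main__":
    run_all()
```

Two design choices matter here. The region check fires on the country rather than on a threat-intelligence list, because a cashout crew's infrastructure is usually not on any list yet; what is unusual is the institution's own egress pattern. And the PowerShell heuristic lives beside an allowlisted TeamViewer host rather than a blanket block, since both tools are legitimately used by administrators; the goal is to surface use from hosts and in forms that the bank's own operations do not explain.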