A recent FBI warning about ATM attacks was quickly followed by a large heist in India, but the danger has by no means passed. Over the last several years cyberthieves have honed their techniques to make ATM attacks less work on the ground, untraceable and close to a perfect crime, experts say.
Last Friday the FBI sent a confidential notice to U.S. banks warning them to watch out for a coming wave of ATM cashouts, in which criminals break into a network through malware, direct ATMs to do their bidding and hire on-the-ground “money mules” to withdraw substantial amounts of money from the machines.
The FBI says the warning was “provided in order to help systems administrators guard against the actions of persistent cybercriminals.” Translation? The threat is not over, experts say.
The very next day, hackers broke into an ATM network operated by Cosmos Bank in India, set up a proxy server to which ATM transaction approval requests were redirected, then directed 14,849 ATM withdrawals in 28 countries in about two hours. The bank lost $13.5 million. The hackers also transferred 139 million rupees to a Hong Kong company’s account by issuing three unauthorized transactions over the Swift global payments network, according to Reuters.
Asked if the India ATM attack was what the FBI referred to in its recent warning, an FBI spokeswoman reiterated the bureau’s earlier statement: “In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyberthreat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cybercriminals.”
Several security experts say the attack in India was what the FBI was warning about, but that the alert still remains in effect.
“The FBI in its notice said medium to small banks should be particularly aware of this,” said Martin Bally, chief security officer at Diebold, the largest ATM manufacturer in the world. “And I think the potential is there.”
Diebold responded to the warning by having account managers forward the FBI’s notice to clients. It also posted the message to all members of the Financial Services Information Sharing and Analysis Center.
Robert Villanueva, former transnational cybercrime, fraud and cyber-intel supervisor at the U.S. Secret Service, used to investigate this type of crime. The attackers have not been identified in news reports, but he suspects the Cosmos raid was orchestrated by Russian hackers, not a nation-state, and that more attacks on other banks are likely to occur over time.
“The warning still holds,” said Villanueva, who is now executive vice president of operations at the security intelligence and analyst firm Q6 Cyber and also a member of the Florida International Bankers Association’s technology committee. “The FBI didn’t single out any financial institution, and the attack methodology still holds. Meaning, it could happen again to any other bank they’re targeting. It just so happened that this FBI warning was put out on a Friday and that weekend the attack happened.”
Like the FBI, Q6 Cyber gets some of its intel by monitoring underground chatter in private forums and on the dark web.
“You have to have a presence in some of these forums and know where to look to be able to gain knowledge and learn the techniques, tactics and procedures of these cybercriminals,” Villanueva said. “A lot of times, they’re communicating about upcoming events, upcoming targets, vulnerabilities, financial institutions or clients. That’s how you pick up a lot of intelligence.”
Hackers use a variety of techniques in ATM and debit card attacks, including phishing, compromising employees and administrators at financial institutions, and hacking payment card processors, he said. The hackers often set up their ATM attacks by temporarily inflating debit card balances, and the attacks often come on weekends or holidays.
Banks could better protect themselves by not only monitoring their ATMs over weekends, but also monitoring activity levels on bank identification numbers.
“If there’s an unusual high amount of withdrawals on a specific BIN, they can flag that,” Villanueva said. “They can put alerts on BIN numbers over a weekend. They can see and stop this, but they have to be proactive about it. Most of these banks are reactive. Thirteen million is a lot of money to lose over a weekend.”
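The BIN-velocity monitoring Villanueva describes, written out as an added detection example (not code from the article, Q6 Cyber or any bank): it slides a one-hour window over constructed withdrawal records, flags any BIN whose withdrawal count or country spread exceeds a threshold, and tightens those thresholds on weekends. The log format and threshold values are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of ATM withdrawal authorisations (not real data).
# Each line: UTC timestamp, card BIN (first six digits), ATM country, amount.
# 2018-08-11 is a Saturday; BIN 533999 is hit from eight countries in four minutes.
SAMPLE_LOG = """\
2018-08-11T14:00:05Z 412345 US 200
2018-08-11T14:05:12Z 412345 US 100
2018-08-11T14:01:00Z 533999 IN 300
2018-08-11T14:01:30Z 533999 CA 300
2018-08-11T14:02:00Z 533999 HK 300
2018-08-11T14:02:30Z 533999 RU 300
2018-08-11T14:03:00Z 533999 GB 300
2018-08-11T14:03:30Z 533999 AE 300
2018-08-11T14:04:00Z 533999 SG 300
2018-08-11T14:04:30Z 533999 DE 300
"""

def parse_log(text):
    """Parse one record per line into (time, bin, country, amount), oldest first."""
    records = []
    for line in text.splitlines():
        ts, bin_, country, amount = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), bin_, country, int(amount)))
    return sorted(records)

def bin_velocity_alerts(records, window=timedelta(hours=1), max_count=10,
                        max_countries=6, weekend_factor=0.5):
    """Return {bin: alert} for BINs whose withdrawals inside any sliding window
    exceed max_count, or come from more than max_countries distinct countries.
    Thresholds are scaled by weekend_factor on Saturdays and Sundays, when the
    article notes such attacks tend to land (all threshold values are assumed)."""
    recent = defaultdict(deque)          # bin -> (time, country) seen within window
    alerts = {}
    for ts, bin_, country, amount in records:
        q = recent[bin_]
        q.append((ts, country))
        while ts - q[0][0] > window:     # drop records that fell out of the window
            q.popleft()
        weekend = ts.weekday() >= 5
        scale = weekend_factor if weekend else 1.0
        countries = {c for _, c in q}
        if len(q) > max_count * scale or len(countries) > max_countries * scale:
            alerts[bin_] = {"count": len(q), "countries": len(countries),
                            "weekend": weekend, "last_seen": ts}
    return alerts
```

In the sample, BIN 412345 (two domestic withdrawals) stays quiet while 533999 trips both the count and the country-spread rule under the tightened weekend limits.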
Not your father’s ATM crime
But ATM crime has evolved to the point where thieves can get around even these controls, pointed out Mark Gazit, CEO of ThetaRay, whose artificial intelligence software is used to spot ATM theft, money laundering and other financial crimes.
Criminals once relied on skimming — attaching a physical device to an ATM that would read each card as unsuspecting ATM customers used the machine.
Skimming still happens, but “it’s a dangerous job because the camera will take your picture,” Gazit said. “There’s a much easier way.”
That easier way involves getting remote control of the ATM through malware and making it dispense cash at a given time, when the money mules can grab it.
“What people don’t know is every ATM is just an [internet of things] device, just like your home router,” Gazit said.
In the early days of malware-based ATM attacks, hackers would break into the Windows computer on an ATM directly, infect its hard drive with malware (possibly using a malware-laden thumb drive), and make it dispense cash. This is also hard to do without getting caught.
As hackers became more sophisticated, they began attacking ATMs remotely through malware injected into an ATM network. They would also access debit card account data, temporarily raise the balances on the accounts, withdraw the difference with the use of counterfeit cards, then reinstate the original balance, all before the bank or customer noticed what had happened.
Lately, ATM hackers have been using a more advanced method, Gazit said.
“They hack into an ATM’s computer and make it a remote slave, then they put a server somewhere in a remote country,” he explained. “And then every time you push a button, commands over the internet bypass everything, instruct the motor on the ATM dispenser and it spits out money. The only thing you need is for someone to pick up the money on a certain day. They don’t even need to touch the ATM [or create a fake card]. It’s all done remotely, you can shut down the camera, so no pictures are taken, [and] you erase all the traces.
“It’s almost like a perfect crime — no one can discover it.” And there is no way of tracking how much money was stolen.