Global Cash-Out Scheme

A warning on a highly orchestrated fraud scheme targeting ATMs worldwide have been circulated by many international government agencies. The attack is carried out with the use of malware and cloned cards, and has the potential to cause millions of dollars in losses through multiple ATMs. Attackers can even alter the account balances and bypass security measures to make a virtually unlimited amount of money available for withdrawals. Global Warnings: Many central authorities across the globe have warned financial institutions about this global attack which has been termed as an ‘unlimited operation’, with similar attacks being imminent if no improvements are made to banking security systems. Associated Incidents: Cosmos Bank, the second largest cooperative bank in India was compromised where hackers reportedly breached servers and transferred more than $13.4 million. The attackers used a malware attack to implement a proxy switch in the bank’s main banking software to bypass the legitimate switching system to approve all fraudulent payments. This incident occurred between the 11th-13th of August 2018 across approximately 28 countries, planned during the weekend as the hackers knew this would give them more time to execute their attacks without being detected. A total of $11.44 million was withdrawn on the 11th of August, in a time frame of around 2 hours. In addition, the remaining $1.98 million was transferred a to a Hong-Kong based account by the hackers through three unauthorized SWIFT global payment transactions on the 13th of August. As sophisticated attacks improve, it is important for banks to stay up to date with their security precautions and employee training to prevent the spread of malware through internal systems and software. Operation Process: The scheme thrives by targeting banks that appear to have a lower than required budget for cyber security controls. Attackers use phishing attacks or attempt to find vulnerabilities with a bank or a payment card processor to allow them to place malware capable of accessing card information, manipulating balance and withdrawing limits on accounts, removing active fraud controls of the institution, and taking advantage of network access. Once the attackers have access to the bank’s through the malware, they then distribute customer card information to their associates who can imprint the data onto gift cards or other reusable magnetic strip cards. These cards are then used on ATMs with the assistance of other functionalities of the malware, such as removing fraud controls and increasing the balance and withdrawal limits on the compromised cards. The attackers decide a specific time, most likely during a weekend, to implement these changes and a window of a few hours for fraudulent card holders to visit ATMs to withdraw large sums of cash. Recommendations: For Financial Institutions Logical Measures Ensure the latest stable firmware updates and OS patches have been installed on all ATMs. Implement application white-listing to block the execution of malware. Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as Powershell, Cobalt Strike, VNC, and TeamViewer. Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold. Monitor, audit, and limit administrator and business critical accounts with the authority to modify the account attributes. Ensure to update the operating system, as some ATMs still run Windows XP. Establish a baseline of daily activity for ATMs, monitor the behavior of ATM Machines for suspicious patterns. Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution. Monitor for encrypted traffic traveling over non-standard ports. 2. Physical Measures Keep ATM cables and network devices out of public sight to avoid easy access and manipulation. Inspect each ATM including the dispensers on a regular basis. Ensure the ATM casing is allows the detection of tampering, where tampering causes the machine to become inoperable. Ensure a quick incident response mechanism is in place when tampering or jackpotting is detected. The ATM’s tamper-responsive capabilities should include remote shutdown as well as fallback to backup communication channels. Install CCTV surveillance cameras in place. This will help in detecting any suspicious activity around the ATM. This CCTV footage should be monitored by a central security station. For ATM Users: Ensure to review SMS notifications and bank statements for any malicious activity. Do not share account/card details & security credentials with anyone. Change passwords and PIN on regular intervals Be cautious about any SMS, emails & calls, especially communications through Instant Messaging apps claiming to be from your bank. Please make sure such communications are from legitimate sources and cross check with the bank directly.