The FBI has alerted banks that in the coming days cybercrooks are planning to spring a highly choreographed, multinational “ATM cashout” that could drain their cash machines of millions within the span of hours.
In an ATM cashout, cybercrooks hack a bank or payment card processor, lift fraud controls such as withdrawal limits and/or account balances and/or number of daily withdrawals, outfit so-called “casher crews” with cloned cards, and send them out to simultaneously descend on cash machines and strip them of money before the banks sound the alarm and slam down the window of opportunity.
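The step the whole scheme hinges on is the change to withdrawal limits, balances and daily withdrawal counts inside the issuer or processor. As an added example, not from the article, the FBI alert or any bank's real system, here is a Python sketch of a limit-change service that enforces separation of duties: any increase at or above a per-attribute threshold needs a second, distinct, authorised approver, and every request, approved or refused, goes to an append-only audit trail. The account numbers, user names, roles and thresholds are constructed for the demo.

```python
"""
Added example (not from the article or the FBI alert): a limit-change
service with separation of duties and an audit trail. Every identifier,
role and threshold here is a constructed assumption for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: an increase at or above these amounts needs a second approver
DUAL_AUTH_THRESHOLDS = {"withdrawal_limit": 1000.0, "daily_withdrawals": 5}
# Assumed allowlist of roles permitted to touch these attributes at all
AUTHORISED_ROLES = {"limits-admin", "fraud-ops"}


@dataclass
class Account:
    number: str
    withdrawal_limit: float
    daily_withdrawals: int


@dataclass
class ChangeRequest:
    account: str
    attribute: str                      # "withdrawal_limit" or "daily_withdrawals"
    new_value: float
    requested_by: str
    approved_by: list = field(default_factory=list)


class LimitChangeService:
    def __init__(self, accounts, user_roles):
        self.accounts = {a.number: a for a in accounts}
        self.user_roles = user_roles    # user name -> role
        self.audit_log = []             # append-only; never edited in place

    def _audit(self, request, outcome, reason):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "account": request.account,
            "attribute": request.attribute,
            "new_value": request.new_value,
            "requested_by": request.requested_by,
            "approved_by": list(request.approved_by),
            "outcome": outcome,
            "reason": reason,
        })

    def apply(self, request):
        """Apply the change if policy allows it; return True on success."""
        acct = self.accounts[request.account]
        old = getattr(acct, request.attribute)
        actors = [request.requested_by, *request.approved_by]

        # Rule 1: every person involved must hold an authorised role
        for user in actors:
            if self.user_roles.get(user) not in AUTHORISED_ROLES:
                self._audit(request, "refused", f"{user} not authorised")
                return False

        # Rule 2: a large increase needs a second approver who is not the requester
        increase = request.new_value - old
        if increase >= DUAL_AUTH_THRESHOLDS[request.attribute]:
            others = [u for u in request.approved_by if u != request.requested_by]
            if not others:
                self._audit(request, "refused", "dual authorisation required")
                return False

        setattr(acct, request.attribute, request.new_value)
        self._audit(request, "approved", f"{old} -> {request.new_value}")
        return True


if __name__ == "__main__":
    svc = LimitChangeService(
        [Account("4000-0001", 500.0, 3)],
        {"alice": "limits-admin", "bob": "fraud-ops", "mallory": "helpdesk"},
    )
    print(svc.apply(ChangeRequest("4000-0001", "withdrawal_limit", 50000.0, "alice", ["alice"])))
    print(svc.apply(ChangeRequest("4000-0001", "withdrawal_limit", 50000.0, "alice", ["bob"])))
    for entry in svc.audit_log:
        print(entry["outcome"], entry["reason"])
```

The point of the audit trail is that it is populated on refusals too: a burst of refused self-approvals against one account is exactly the signal the "monitor, audit and limit administrator accounts" tip asks a bank to look for.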
Cybercrime journalist Brian Krebs on Sunday reported that the FBI alert to banks indicated that the plot could be triggered any day now.
From the confidential alert, which was privately sent to banks on Friday:
The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’.
According to Krebs, the FBI said that “unlimited operations” compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large-scale theft of funds from ATMs.
Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.
What kind of vulnerability, you may well ask? We have no idea. Perhaps it’s a vulnerability that’s got an inch or two of dust on it? In January, the US Secret Service sent out an alert about ATM “jackpotting” attacks that used malware known as Ploutus.D, to which ATMs running Windows XP are particularly vulnerable.
Windows what, now? Yes, Windows XP. Ahem. As we noted then, it’s way past time to update – even extended support for the stripped-down Windows XP Embedded ended more than two years ago.
At any rate, back to that FBI alert, which gave more details on ATM cashouts:
The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores. At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.
As Krebs notes, ATM cashouts are typically launched on weekends, often just after banks begin closing up shop on Saturday. Krebs reported on one such heist last month: in that case, $2.4 million was withdrawn from accounts at the National Bank of Blacksburg in two separate ATM cashouts over the course of eight months.
In one of the heists, the robbers hit the bank on Memorial Day weekend 2016: a federal holiday in the US. It began on Saturday, 28 May, and continued through the following Monday. The crooks drained almost $570,000 in the 2016 attack, plus nearly $2 million in another cashout operation that started on Saturday, 7 January, 2017 and ended on Monday 9 January.
The FBI said that the next ATM cashout is coming soon: if the timing on previous heists is indicative, it could well hit over the coming Labor Day weekend.
How to fortify now
The FBI is telling banks to bolster their security, including implementing strong password requirements and two-factor authentication (2FA) using a physical or digital token when possible for local administrators and business-critical roles.
Other tips for financial organizations from the FBI alert:
- Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.
- Implement application whitelisting to block the execution of malware.
- Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.
- Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post exploitation of a network, such as PowerShell, Cobalt Strike and TeamViewer.
- Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.
- Monitor for network traffic to regions where you wouldn’t expect to see outbound connections from the financial institution.
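The last three tips are all flow-level checks, so here is an added example, not from the article, the FBI alert or any vendor's product, of a small Python triage pass over connection records. The input is a constructed, simplified TSV in the spirit of a Zeek conn.log (Zeek labels TLS sessions as the "ssl" service); the standard-TLS-port list, the set of expected countries and the single remote-admin port (5938, TeamViewer's default) are assumptions a real deployment would replace with its own baseline.

```python
"""
Added example (not from the article or the FBI alert): flow-log triage for
three of the FBI's monitoring tips. Sample flows, allowlists and the
"expected" countries are constructed assumptions for the demo.
"""
import csv
import io

# Assumed baseline: ports where TLS is normal; TLS anywhere else gets flagged
STANDARD_TLS_PORTS = {443, 8443, 465, 993, 995, 636, 5061}
# Assumed set of countries this hypothetical institution expects outbound traffic to
EXPECTED_COUNTRIES = {"US", "CA", "GB"}
# Default listening port of the TeamViewer remote-admin tool named in the alert
REMOTE_ADMIN_PORTS = {5938: "TeamViewer"}

# Constructed sample flows (documentation-range addresses, not real traffic)
SAMPLE_FLOWS = """\
ts\tsrc_ip\tdst_ip\tdst_port\tservice\torig_bytes\tdst_country
1534000001\t10.20.1.15\t203.0.113.10\t443\tssl\t5120\tUS
1534000002\t10.20.1.15\t198.51.100.7\t8081\tssl\t204800\tUS
1534000003\t10.20.3.9\t192.0.2.44\t5938\t-\t9000\tUS
1534000004\t10.20.3.9\t203.0.113.99\t443\tssl\t40960\tBR
1534000005\t10.20.1.20\t198.51.100.30\t80\thttp\t3000\tUS
"""


def triage(tsv_text):
    """Return (ts, rule, detail) tuples for every flow that matches a rule."""
    alerts = []
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    for row in reader:
        port = int(row["dst_port"])
        # Tip: encrypted traffic over non-standard ports
        if row["service"] == "ssl" and port not in STANDARD_TLS_PORTS:
            alerts.append((row["ts"], "tls-nonstandard-port", f"{row['dst_ip']}:{port}"))
        # Tip: presence of remote administrative tools
        if port in REMOTE_ADMIN_PORTS:
            alerts.append((row["ts"], "remote-admin-tool", REMOTE_ADMIN_PORTS[port]))
        # Tip: outbound connections to regions the institution has no business with
        if row["dst_country"] not in EXPECTED_COUNTRIES:
            alerts.append((row["ts"], "unexpected-region", row["dst_country"]))
    return alerts


def hosts_by_alert_count(alerts, tsv_text):
    """Map each source host to how many alerts its flows raised (for prioritising review)."""
    ts_to_src = {row["ts"]: row["src_ip"]
                 for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t")}
    counts = {}
    for ts, _rule, _detail in alerts:
        src = ts_to_src[ts]
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_FLOWS)
    for ts, rule, detail in found:
        print(ts, rule, detail)
    print(hosts_by_alert_count(found, SAMPLE_FLOWS))
```

A country lookup is normally done with a GeoIP database rather than a pre-filled column; it is inlined here only so the example runs offline. Port-based spotting of remote-admin tools is a weak signal on its own, which is why the per-host count is there: one host tripping two different rules deserves a look before either rule alone does.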
0laf
Is this mainly a problem for the USA due to the lack of chip and pin on many ATM cards? Imprinting data onto a mag strip wouldn’t be good enough in the UK for instance with its ubiquitous CnP cards. Unless the accounts were being emptied from abroad.
Pssst Doff
Every major bank and credit card company in the US has issued replacement chipped cards to all its customers. Banks, however, do not own or operate or service “their” ATMs. They contract with outside companies such as the ATM services company Diebold Nixdorf. I’ve watched as ATMs outside banks are serviced. I wouldn’t trust the carefree, lax folks I’ve seen doing it to guard my cash.
Jim Gersetich
Windows XP Embedded. Wow. At a BANK? Good grief, do these people have nobody who understands security?
Companies that refuse to upgrade their ATMs (and PoSs, etc.) from XP Embedded (or worse, XP) should just factor in a few million dollars into their budget every year, because they WILL get hacked.
And, it’s like they don’t even care. Probably another “the CIO reports to the CFO” problem, like Target and numerous other companies which have been hacked.
Some day someone is going to grab billions from them. I suppose then they’ll cry and fire the scapegoat CIO.
Pssst Doff
Banks have horrible security. Apprehension and prosecution after the commission of a robbery is NOT security, prevention is. If bank security (including how they operate) weren’t so horrible, then the local police, not the FBI, would have primary responsibility for investigation of breaches. If banks were secure, accounts wouldn’t need to be insured by the Federal government.
Windows XP isn’t the cause of this vulnerability. A lack of due diligence is.
Poor software design, poor hardware design and poor software administration are the primary causes. Poor physical security combined with lack of integrity in the screening of ATM providers and their staff is the secondary cause.
Provided that an ATM is well protected physically and cannot be remotely programmed, it’s entirely possible to have it running on Windows XP, and still secure. But ANY ATM that runs on ANY OS that isn’t protected from remote programming and unauthorized physical access can have its firmware compromised. The recent spate of Intel processor vulnerabilities was the result of chip level issues that make MOST computers vulnerable.
Jim Gersetich
Agreed. It’s not XP specifically that’s the culprit. It’s the horrid attitude of banks towards security, and specifically prevention security.
Bank Security
The bank “I work at” has not had an XP system since I have been here (nearly 6 years) and our security is top notch. Not ALL banks suck at security. We also have the most secure ATMs with multiple intrusion alarms that work. No skimmers ever, but did catch someone trying to put one in once. However, most people suck at home security and most bank thefts are due to customers that fall for phishing – giving out access, and sending money to scammers.
J oB
Heck, I’ve seen card readers INSIDE the bank which don’t even take the chip – MUST BE SWIPED! How dumb is that?
Pssst Doff
It’s more arrogance than stupidity.
Jim Gersetich
I’m not so sure. I agree that both are involved (and a few other pejoratives). I think apathy is probably the biggest problem. They have SO much money that losing a few million isn’t important enough.
What about the banking SYSTEM? Individual decision-makers at banks only consider their own bank, but they forget that the banking system itself is built on confidence. One sufficiently-large collapse can bring the whole house of cards down. They need to remember 1929 and 2008. And, quite a few other less-known events of the past.
Pssst Doff
I thought that chipped cards were supposed to block schemes that use strip card copies.
Since Oct. 1, 2015 merchants have been liable for use of a non-chipped card, or a non-chipped card whose stripe has been cloned from a chipped card. It seems reasonable that the banks will be similarly liable. The combination of a strip, chip and PIN should be enough to block withdrawals – provided that a bank’s ATM provider requires the latter two.
BS Indicator
Well, all I got out of this article was “hey, let us scare the heck out of you and then you can buy our product and feel all safe and protected.” (A code generator with an authenticator app such as Sophos Authenticator – also included in our free Sophos Mobile Security for Android and iOS can help out. Just sayin’!). Quite the coincidence how the article is written by the same people who sell an app that can protect the banks.
Paul Ducklin
Well, our Mobile Security app is free – if someone is trying to sell it to you please let us know so we can stop them :-)
I don’t think mentioning our free products is scary (or even really commercial) and don’t have a problem with that bit of the article at all, but I’ll remove it anyway – there’s a set of free download links at the bottom of every article, after all.
Jim Gersetich
I don’t think it’s a coincidence. It’s part of NakedSecurity’s charter. They are, after all, funded by Sophos.
And, it’s not a bad thing to have scary articles, either. I don’t consider this one scary, but that’s because I’ve seen a lot more scary things. Frankly, banks are so apathetic towards security that articles like this are just “more of the same”.
Still, NS’s purpose for existence is to expose these kinds of things. And, frankly, I think they do a heck of a job at it.