FBI Warns Of Pending Large Scale ATM Cashout StrikeAttack May Pivot On A Data Breach At 'Unknown Card Issuer' Agency Says
The FBI warns that cybercriminals are planning a large-scale operation aimed at emptying ATMs of their holdings, a type of attack that has caused swift and costly losses for financial institutions.
The confidential alert was shared privately with banks on Friday, reports security blogger Brian Krebs, who obtained it.
The alert says that the scheme is likely associated with a data breach at an "unknown card issuer." The FBI says it obtained the tip through unspecified reporting.
"This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals."
The FBI's alert will give banks a heads-up, but there's been plenty of fair warning already as multiple incidents of ATM fraud have affected financial institutions. ATM cashout schemes are referred to as "unlimited" operations due to their high takings.
The FBI's alert says small- to medium-size financial institutions have historically been targeted "likely due to less robust implementation of cybersecurity controls, budgets or third-party vendor vulnerabilities."
The FBI declined to provide the advisory to ISMG but says: "In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals."
Unlimited operations kick off with cybercriminals penetrating into banking systems, often with the initial intrusion enabled by spear phishing.
Once inside a bank's financial systems, the attackers install malware that helps monitor and study how an organization manages ATMs, accounts and login credentials, according to the Federal Financial Institutions Examination Council, which develops reporting standards for U.S. banks.
They then seek access to the control panels that allows them to remove limits on payment card accounts, modify ATM systems and meddle with card issuer authorization systems.
"These control panels, often web-based, manage the amount of money customers may withdraw within a set time frame, the geographic limitations of withdrawals, the types and frequency of fraud reports that its service provider sends to the financial institution, the designated employee that receives these reports, and other management functions related to card security and internal controls," the FFIEC says.
Payment Card Cloning
In order to withdraw cash, the cybercriminals use account data that's been obtained through point-of-sale compromises, payment processor data breaches or skimming.
The data can be used to create cloned payment cards, which then can potentially be used at ATMs around the world to withdraw money. The stolen data is encoded on the magnetic stripe on the back of the card.
"Criminals may conduct their operations during holidays and weekends to take advantage of increased cash levels in ATMs and limited monitoring by financial institutions during non-work hours."
Cloned cards don't have the microchip that's part of the system known as EMV or "chip and PIN." If a chip-enabled card is used at an ATM that is equipped to check for its presence, a transaction should be rejected.
But not all ATMs check for the microchip, and in certain configurations, the ATM may default to reading the magnetic stripe and allow a transaction to proceed.
The cashouts involve withdrawing large amounts of money from multiple ATMs in short periods ranging from four hours to two days, the FFIEC says. Those actions are also timed to maximize their effectiveness.
"Criminals may conduct their operations during holidays and weekends to take advantage of increased cash levels in ATMs and limited monitoring by financial institutions during non-work hours," it says.
In one of the most infamous unlimited schemes, one group stole an estimated US$55 million between 2010 and 2013. In February 2017, one member of the group, Ercan Findikoglu of Turkey, was sentenced to eight years in U.S. prison.
Findikoglu was accused of attacking credit and debit card processors and then gaining network administrator privileges. The withdrawal limits on prepaid debit cards were removed, and the PINs for compromised debit cards were stolen, the U.S. Department of Justice said.
The largest of three operations Findikoglu was accused of participating in took place in February 2013. The gang withdrew an astounding $40 million from 36,000 ATMs in 24 countries.
More recent attacks have taken less money, but are no less impressive. In May 2016, attackers stole $19 million from South Africa's Standard Bank via ATMs in Japan.
That strike took place in less than three hours. The money mules used 1,600 counterfeit mag-stripe debit cards cloned from card data stolen to withdraw the money from 1,400 ATMs located in 7-Eleven convenient stores (see Lessons From ATM Cash-Out Scheme in Japan).
Then just two months later that year, Taiwan's First Commercial Bank saw $2.2 million from stolen from dozens of ATMs using three types of malware. It was believed that the attackers gained inside access to the bank's network and installed three types of malware (see Taiwan Heist Highlights ATM Weaknesses).
Three Eastern European men who were part of a group of money mules who withdrew the cash were sentenced to jail time, but more than a dozen others fled the country (see Taiwan Sentences Money Mules in ATM Attacks).