A leading cyber security firm is advising financial institutions to take extra precautions to protect themselves against the growing threat of ATM ‘cash-out’-type attacks. Foregenix, which serves banks across the globe, warns the rise in these attacks can cause extensive financial and reputational harm within a matter of hours.
The growth of these attacks has led to unprecedented joint alerts by US-CERT, the US Department of Homeland Security and the FBI.
ATM ‘cash-outs’, referred to as the FASTCash Campaign, are attacks by cyber criminals labelled as ‘Hidden Cobra’ (with strong links to nation state attackers from North Korea) on issuing banks or payment card processors. Initial access mechanisms vary, but access is often gained through phishing or unpatched Internet-facing systems. The cyber criminals then exploit poor architecture and a lack of security relating to internal systems, manipulate limits or intercept transactions on the back end, and use stolen or cloned cards at ATMs to fraudulently withdraw large amounts of money.
The ‘cash-outs’ are typically executed using fraudulent copies of legitimate cards by sending stolen card information to associates or “mules” who imprint the data on re-usable cards and then perform the physical cash withdrawals.
Foregenix has performed Digital Forensic and Incident Response engagements and built a significant understanding of how ‘cash-outs’ are performed, the motives of the attackers and when such episodes are likely to occur.
Andrew Henwood, CEO of Foregenix, commented: “The attacks are not opportunistic, but extremely well-planned. The attackers are patient and strike with their mules often during the weekend or on national holidays. This ensures their activity isn’t quickly detected as after-hours staff are typically working and the maximum value is extracted as quickly as possible, in hard currency, with almost zero risk.”
‘Cash-outs’ have affected regions across the globe. High-profile ATM ‘cash-out’ attacks include an India-based bank’s system being accessed through malware, which resulted in over US$13 million being stolen, and an attack in Japan which saw another US$13 million stolen through ATMs in three hours as 14,000 fraudulent withdrawals were made.
Henwood feels it’s highly likely there will be many more ATM ‘cash-out’ attacks this year and believes strongly that banks need to take action now. “Banks can substantially reduce their risk through taking proactive measures such as performing security reviews of payment switches and servers in the cardholder environment, improved monitoring of critical payment infrastructure plus network traffic and close monitoring of typical ATM transaction withdrawals. Unless financial businesses understand and act, the problem will worsen. Cyber criminals look for the easiest and most profitable opportunities for their activities and ATM ‘cash-out’ attacks are pretty much the most lucrative attack there is.”