“New wave of ATM ‘cash-out’-style cyber attacks hitting banks” warns Foregenix

Andrew Henwood

A leading cyber security firm is advising financial institutions to take extra precautions to protect themselves against the growing threat of ATM ‘cash-out’-type attacks. Foregenix, which serves banks across the globe, warns that these attacks are on the rise and can cause extensive financial and reputational harm within a matter of hours.

The growth of these attacks has led to unprecedented joint alerts by US-CERT, the US Department of Homeland Security and the FBI.

ATM ‘cash-outs’, referred to as the FASTCash Campaign, are attacks on issuing banks or payment card processors by cyber criminals labelled as ‘Hidden Cobra’ (with strong links to nation state attackers from North Korea). The initial access mechanisms are varied, but are often phishing or unpatched Internet-facing systems. The cyber criminals subsequently exploit poor architecture and a lack of security on internal systems, manipulate limits or intercept transactions on the back end, and use stolen or cloned cards at ATMs to fraudulently withdraw large amounts of money.

The ‘cash-outs’ are typically executed using fraudulent copies of legitimate cards: stolen card information is sent to associates or “mules”, who imprint the data on re-usable cards and then perform the physical cash withdrawals.

Foregenix has performed Digital Forensic and Incident Response engagements and built a significant understanding of how ‘cash-outs’ are performed, the motives of the attackers and when such episodes are likely to occur.

Andrew Henwood, CEO of Foregenix, commented: “The attacks are not opportunistic, but extremely well-planned. The attackers are patient and strike with their mules often during the weekend or on national holidays. This ensures their activity isn’t quickly detected as after-hours staff are typically working and the maximum value is extracted as quickly as possible, in hard currency, with almost zero risk.”

‘Cash-outs’ have affected regions across the globe. High-profile ATM ‘cash-out’ attacks include one in which an India-based bank’s system was accessed through malware, resulting in over US$13 million being stolen, and an attack in Japan which saw another US$13 million stolen through ATMs in three hours as 14,000 fraudulent withdrawals were made.

Henwood feels it’s highly likely there will be many more ATM ‘cash-out’ attacks this year and believes strongly that banks need to take action now. “Banks can substantially reduce their risk through taking proactive measures such as performing security reviews of payment switches and servers in the cardholder environment, improved monitoring of critical payment infrastructure plus network traffic and close monitoring of typical ATM transaction withdrawals. Unless financial businesses understand and act, the problem will worsen. Cyber criminals look for the easiest and most profitable opportunities for their activities and ATM ‘cash-out’ attacks are pretty much the most lucrative attack there is.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
