FBI warns of choreographed ATM drainage

The FBI has alerted banks that in the coming days cybercrooks are planning to spring a highly choreographed, multinational “ATM cashout” that could drain their cash machines of millions within the span of hours.

In an ATM cashout, cybercrooks hack a bank or payment card processor, disable or raise fraud controls such as withdrawal limits, account balances and the number of daily withdrawals allowed, outfit so-called “casher crews” with cloned cards, and send them out to descend on cash machines simultaneously and strip them of money before the banks sound the alarm and slam the window of opportunity shut.

Cybercrime journalist Brian Krebs on Sunday reported that the FBI alert to banks indicated that the plot could be triggered any day now.

From the confidential alert, which was privately sent to banks on Friday:

The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’.

According to Krebs, the FBI said that “unlimited operations” compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large-scale theft of funds from ATMs.

Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.

What kind of vulnerability, you may well ask? We have no idea. Perhaps it’s one with an inch or two of dust on it: in January, the US Secret Service sent out an alert about ATM “jackpotting” attacks that used malware known as Ploutus.D, to which ATMs still running Windows XP are particularly vulnerable.

Windows what, now? Yes, Windows XP. Ahem. As we noted then, it’s way past time to update – even extended support for the stripped-down Windows XP Embedded ended more than two years ago.

At any rate, back to that FBI alert, which gave more details on ATM cashouts:

The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores. At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.

As Krebs notes, ATM cashouts are typically launched on weekends, often just after banks close up shop on Saturday. Krebs reported on one such heist last month: $2.4 million was withdrawn from accounts at the National Bank of Blacksburg in two separate ATM cashouts over the course of eight months.

In the first of those heists, the robbers hit the bank on Memorial Day weekend 2016, a federal holiday in the US: it began on Saturday, 28 May, and continued through the following Monday. The crooks drained almost $570,000 in that attack, and nearly $2 million in the second cashout, which started on Saturday, 7 January 2017 and ended on Monday 9 January.

The FBI said that the next ATM cashout is coming soon: if the timing on previous heists is indicative, it could well hit over the coming Labor Day weekend.

How to fortify now

The FBI is telling banks to bolster their security, including implementing strong password requirements and two-factor authentication (2FA) using a physical or digital token when possible for local administrators and business-critical roles.

Other tips for financial organizations from the FBI alert:

  • Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.
  • Implement application whitelisting to block the execution of malware.
  • Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.
  • Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as PowerShell, Cobalt Strike and TeamViewer.
  • Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.
  • Monitor for network traffic to regions where you wouldn’t expect to see outbound connections from the financial institution.
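The last three tips are detection rules, and they are simple enough to turn into code. The script below is an added example written for this article, not code from the FBI alert or from any bank: it applies those three rules (TLS on a non-standard port, outbound connections to a region the institution does not deal with, and traffic from remote-administration tools) to a handful of constructed flow-log lines. The `key=value` log format, the `app=` labels, the list of expected regions and the internal address ranges are all assumptions; the TeamViewer (5938) and WinRM/PowerShell remoting (5985/5986) port numbers are the tools' documented defaults.

```python
"""
Triage constructed flow-log lines against the FBI alert's three
network-monitoring tips. Added example, not the alert's or any bank's code.
Log format, app labels, region list and internal ranges are assumptions.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Assumption: this bank only expects outbound traffic to these ISO codes.
EXPECTED_REGIONS = {"US", "CA"}

# Ports where TLS is normally seen; TLS on any other port is flagged
# (tip: "encrypted traffic traveling over non-standard ports").
STANDARD_TLS_PORTS = {443, 465, 563, 636, 853, 993, 995, 8443}

# Remote-administration tools named in the alert. Port numbers are the
# tools' documented defaults; the "app" labels are an assumed sensor output.
ADMIN_TOOL_PORTS = {5938: "TeamViewer", 5985: "WinRM/PowerShell", 5986: "WinRM/PowerShell"}
ADMIN_TOOL_APPS = {"teamviewer": "TeamViewer", "winrm": "WinRM/PowerShell",
                   "cobaltstrike": "Cobalt Strike"}

# Assumption: the bank's internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (documentation/TEST-NET addresses, no real hosts).
SAMPLE_LOG = """\
2018-08-11T23:14:02Z src=10.20.1.15 dst=198.51.100.8 dport=443 proto=tcp app=tls geo=US
2018-08-11T23:14:09Z src=10.20.1.15 dst=203.0.113.7 dport=8081 proto=tcp app=tls geo=US
2018-08-11T23:15:41Z src=10.20.7.3 dst=203.0.113.22 dport=5938 proto=tcp app=teamviewer geo=DE
2018-08-11T23:16:05Z src=10.20.7.3 dst=192.0.2.45 dport=80 proto=tcp app=http geo=US
2018-08-11T23:16:30Z src=10.20.9.9 dst=10.20.9.1 dport=5985 proto=tcp app=winrm geo=US
2018-08-11T23:17:12Z src=10.20.2.40 dst=192.0.2.99 dport=443 proto=tcp app=tls geo=RO
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict; timestamp stored as 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = ts
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(rec: Dict[str, str]) -> List[str]:
    """Return the list of rules a single flow record trips (empty if none)."""
    reasons: List[str] = []
    dport = int(rec["dport"])
    app = rec.get("app", "").lower()
    outbound = is_internal(rec["src"]) and not is_internal(rec["dst"])
    if outbound:
        # Region and non-standard-port TLS rules only make sense for
        # traffic leaving the institution.
        geo = rec.get("geo", "??")
        if geo not in EXPECTED_REGIONS:
            reasons.append(f"outbound to unexpected region {geo}")
        if app == "tls" and dport not in STANDARD_TLS_PORTS:
            reasons.append(f"TLS on non-standard port {dport}")
    # Admin-tool rule applies to east-west traffic too: a pivot inside the
    # network looks like WinRM/TeamViewer between internal hosts.
    tool = ADMIN_TOOL_APPS.get(app) or ADMIN_TOOL_PORTS.get(dport)
    if tool:
        reasons.append(f"remote admin tool traffic ({tool})")
    return reasons


def triage(lines: Iterable[str]) -> List[Dict]:
    """Run every rule over each log line; keep only records that fired."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = evaluate(rec)
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                           "dport": int(rec["dport"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['src']} -> {alert['dst']}:{alert['dport']}  "
              + "; ".join(alert["reasons"]))
```

On the constructed log above, four of the six flows fire: the TLS session on port 8081, the TeamViewer session to Germany (two rules at once), the internal WinRM connection, and the otherwise normal-looking HTTPS session to Romania. The rules are deliberately loud; in practice the region list and TLS port table need tuning per institution, and the point of the alert's last tip is that a destination you cannot explain is worth a ticket even when the port looks ordinary.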