Fraud attacks on banks are becoming more common, and attackers use sophisticated methods to steal large amounts of money. We have witnessed several large attacks on ATMs globally over the past few months: in Thailand, India, Latin America, across Europe, and in other countries around the world. In these incidents, attackers managed to steal millions of dollars.
Bank attacks are divided into two main categories: Those that target the consumer, and those that target financial institutions.
The first and older category consists of attacks that mainly target bank customers and online banking software. Some techniques attackers use include:
In this blog post, however, I will focus on the second category: attacks that directly target banking institutions and their internal systems. Compromising bank employees’ computers and internal networks gives attackers a foothold from which to reach other parts of the infrastructure, such as payment terminals (POS), ATMs, the systems that process international bank transfers, and critical logs.
Attackers often use advanced persistent threat (APT) tradecraft, social engineering, or spear-phishing against internal and external bank employees in order to gain access to internal systems. In some cases the attackers only manage to reach the ATM network itself; they then physically compromise a single ATM and spread the infection from it to all other machines on the same network.
One of the latest attacks of this type was a massive infection of Russian ATMs via a bank’s internal network. According to reports in Russian media, the attack was especially interesting because it used fileless malware that runs in the machine’s memory and survives a restart of the infected ATM’s operating system, which is commonly Windows-based.
From this information, we presume that the malware is stored somewhere a reboot does not clear: for example in the master boot record (MBR) of the machine’s hard disk, in firmware (BIOS/UEFI), or in the Windows registry in the manner of Poweliks, a malware family known for hiding its payload in registry values.
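Of the three persistence locations above, the MBR is the simplest to verify from outside the running OS: capture the first 512-byte sector of each ATM’s disk and compare its boot code against a hash taken from a freshly imaged machine. The script below is an added example written for this post, not code from the original article or from any of the groups it describes; the MBR byte strings it uses are constructed inline (the “infected” one just has its boot code patched), and the baseline hash, the `build_mbr` helper and the single-partition layout are assumptions for illustration.

```python
"""Baseline and verify the boot code of a captured MBR sector (added example)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439 hold the boot code on a classic MBR
DISK_SIG_OFF = 440      # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 510..511


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries as dicts (type 0 means unused)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code region only; the partition table may legitimately differ."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Compare a captured MBR against a known-good boot-code hash.

    Returns human-readable findings; an empty list means the sector matches the baseline.
    """
    findings = []
    if len(mbr) < MBR_SIZE:
        return ["sector shorter than 512 bytes"]
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline (possible bootkit)")
    used = [p for p in parse_partitions(mbr) if p["type"] != 0]
    bootable = [p for p in used if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def build_mbr(boot_code: bytes, disk_sig: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Assemble a constructed 512-byte MBR with one bootable NTFS-type partition (assumption)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries unused
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIG


# Constructed sample data: a stand-in for a clean boot sector captured from a freshly
# imaged ATM, and the same sector with its first bytes patched to jump elsewhere.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
INFECTED_MBR = build_mbr(b"\xeb\x3c" + b"\x90" * 10)
BASELINE = boot_code_hash(CLEAN_MBR)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(sector, BASELINE) or "OK")
```

In practice the baseline hash is recorded per hardware model when the golden image is built, and the sector is read with a disk-imaging tool from a boot medium rather than from inside the possibly compromised Windows install; firmware (BIOS/UEFI) needs the equivalent check against a vendor-supplied image hash, which this script does not cover.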
After a special code is entered, the infected ATM dispenses all the money from the first dispenser, where the banknotes of the highest denomination are usually stored. This technique is known as an “ATM jackpotting” attack and has already been used several times in the past.
ATM infections are becoming more frequent and are gradually replacing skimming, where the attackers had to physically attach their equipment to a specific ATM, which carried a high risk of being discovered.
The most infamous bank fraud groups are Metel, GCMAN, Carbanak, Buhtrap/Cobalt, and Lazarus. All these groups are very skilled and consist of professionals with deep knowledge of banking technology, hacking, and programming. They are probably linked to underground mafia and money laundering groups and may have access to corrupt bank employees and insiders. All these groups have been on the watch lists of several law enforcement institutions such as the FBI and Europol for many years, but their masterminds and members still remain hidden somewhere in the vastness of the Internet and the Dark Net.
Their work is very time consuming, and the preparation of “one big heist” can take months of monitoring, intrusion into new systems, servers, and networks, and study of internal systems, verification mechanisms, transaction limits, and other rules and regulatory constraints. Any small mistake the bank fraud groups make could be fatal to them and lead to the detection of their suspicious activities. To protect themselves during the final attack, they are meticulous about wiping all traces and logs of their illegal activities, an important step that requires carefully planned actions.
With every successful theft, the attackers raise money to fund their entire infrastructure, develop malware, acquire exploits, pay money mules, launder money, and corrupt banking insiders.
Although ATMs are usually well protected against physical attacks, almost all of them run Windows (CE/2000/XP/7). We don’t know whether the ATMs’ operating systems are regularly updated and patched, and ATMs probably rely on the security software deployed in the internal network. A network is only as secure as its weakest link, so once the internal network is breached, the ATMs on it are an easy target. Therefore, to protect their ATMs and systems from such attacks, banks should focus more on their internal security policies and technology, as well as on ATM security itself.
Times have changed, and it seems that it has become easier to rob an ATM electronically than with the old brute-force methods. This may bring more physical security, but it exposes new issues and challenges that banks must address.