Mere days after the Feds warned banks about an impending ATM cash heist, hackers managed to siphon $13 million from the Pune, India-based Cosmos Bank – using cloned versions of the bank’s debit cards over the course of two days. It’s unlikely to be the last ATM theft that makes news, given how widely available debit-card information is on the Dark Web – and how lucrative the efforts can be.
Fraudulent debit cards are at the center of many ATM heists, according to the FBI: “The cybercriminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores. At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”
Cloud security provider Armor has been tracking hacker activity on various underground markets, both English- and Russian-language, and found that the market for cloned ATM cards is on the rise. Multiple outlets are offering details for bank accounts located in the U.S., U.K. and Europe with balances ranging from $3,000 to $50,000, the firm said, and prices for these cloned, physical cards start at $200 on average.
“A criminal can spend $750 and get the ATM card for an account with $50,000,” a spokesperson said via email.
Cosmos Bank, the Latest Victim
Perhaps it’s no wonder that the FBI alert, reported publicly Sunday, proved to be prescient: “The FBI has obtained unspecified reporting indicating cybercriminals are planning to conduct a global automated teller machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach. Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cybersecurity controls, budgets or third-party vendor vulnerabilities. The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
That’s exactly what happened to Cosmos Bank, which saw large-scale fraudulent transactions carried out on Saturday and Monday.
“In India, 2,800 false transactions of Rs 2.5 crore using 400 debit cards took place,” Cosmos Bank chairman Milind Kale told reporters on Tuesday. “It’s an international attack on the banking system. No customer accounts are affected; dummy cards were used, and the switching system of the bank was hacked.”
He explained that the malefactors had created an interloping proxy switch that they used to approve debit card requests within the core banking system. Then, using 450 fake international Visa debit cards, 12,000 transactions took place in two hours and 13 minutes from ATMs and other locations across 21 countries on Saturday alone.
“In two days, hackers withdrew a total of Rs 78 crore from various ATMs in 28 countries, including Canada, Hong Kong and a few ATMs in India, and another Rs 2.5 crore were taken out within India,” Kale said.
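A defender-side illustration of the two signals the Cosmos account describes, added here and not taken from the article or from Cosmos Bank: one card withdrawing cash in several countries within a short window, and switch-approved withdrawals that the core banking system never recorded. The log records, field layout, card tokens and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authorizations as an ATM switch might log them:
# (card token, UTC timestamp, ATM country, amount). Not real data.
SWITCH_LOG = [
    ("tok-0001", "2018-08-11T13:00:05", "CA", 20000),
    ("tok-0001", "2018-08-11T13:04:41", "HK", 20000),
    ("tok-0001", "2018-08-11T13:09:12", "US", 20000),
    ("tok-0002", "2018-08-11T13:01:30", "IN", 5000),
    ("tok-0002", "2018-08-11T13:02:10", "HK", 20000),
    ("tok-0002", "2018-08-11T13:03:55", "GB", 20000),
    ("tok-0003", "2018-08-11T09:15:00", "IN", 2000),   # an ordinary withdrawal
]

# Constructed sample of what the core banking system actually debited.
# An interposed proxy switch approves requests the core never sees, so
# these two entries are all the core knows about.
CORE_LEDGER = {
    ("tok-0003", "2018-08-11T09:15:00"),
    ("tok-0002", "2018-08-11T13:01:30"),
}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def multi_country_cards(log, window=timedelta(hours=3), max_countries=2):
    """Cards that withdrew cash in more than max_countries distinct
    countries inside one sliding window: impossible for a single genuine
    card, typical of a cloned-card cash-out."""
    by_card = defaultdict(list)
    for card, ts, country, _ in log:
        by_card[card].append((parse(ts), country))
    flagged = set()
    for card, events in by_card.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - t0 <= window}
            if len(countries) > max_countries:
                flagged.add(card)
                break
    return flagged

def unreconciled_approvals(log, ledger):
    """Switch-approved withdrawals with no matching core debit: the
    reconciliation gap a rogue switch leaves behind."""
    return [(card, ts) for card, ts, _, _ in log if (card, ts) not in ledger]
```

In practice the reconciliation runs continuously against the core ledger rather than at end of day, since the Cosmos withdrawals completed in just over two hours.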
ATM Heists – A Brief History
ATM theft as an activity is nothing new – though attack vectors vary. The public first became aware of it after the famed, late researcher Barnaby Jack demonstrated an ATM heist at Black Hat 2010, coining the term “jackpotting.” He exploited vulnerabilities in Triton and Tranax machines to install malicious firmware, and eventually was able to withdraw cash from the ATM without needing to use an authenticated bank account.
An analysis in 2016 uncovered the Cobalt Group, a.k.a. Carbanak, which carried out raids in 40 countries resulting in cumulative losses of over $1 billion for the financial industry. It used phishing emails to infect the targeted banks’ networks, before pivoting to the individual ATMs to plant malicious code and then send a remote command to start spewing cash.
In 2017, the FBI caught three men visiting ATMs in Wyoming, Colorado and Utah, stealing tens of thousands of dollars — $24,000 from one machine alone. Surveillance camera footage from one attack showed the men opening the top of an ATM in order to physically deploy Ploutus.D malware.
Just in February, two men were arrested and charged in Connecticut with using malware for jackpotting. The Department of Justice said that a search of their vehicle revealed “tools and electronic devices consistent with items needed to compromise an ATM machine to dispense its cash content.”
And in July, a regional Virginia bank, the National Bank of Blacksburg, lost $2.4 million in a cyber-heist that affected the STAR ATM and debit network, following a successful phishing attack that compromised the institution’s internal networks. Ultimately, the hackers made withdrawals at hundreds of ATMs.
As the Cosmos Bank and Cobalt Group incidents demonstrated, the more sophisticated of these attacks bring an array of criminal activity to bear.
“A combination of malware, ATM jackpotting, money mules, money laundering, e-payment and crypto currency fraud – all performed by organized crime groups – presents a daunting task for financial crime prevention units,” said ThetaRay CEO Mark Gazit, via email. “For many years, we have been talking about cross-channel fraud challenges and now is the time for banks to act.”
Narrowing the Threat Aperture
One thing is clear: Aging infrastructure and operating systems lie at the heart of most of the issues – as does lax physical security.
For instance, the Ploutus family of malware is installed once criminals gain access to the ATM’s CD-ROM drive and insert a new boot CD into it. Many ATMs use a simple lock that is easily picked, which is likely how the attackers gain physical access to the machines.
“ATM manufacturers like Diebold, Tranax, and Triton must work with Microsoft to deploy better patches against jackpotting malware,” Comodo researchers said in a posting Thursday. “Also, ATM manufacturers and banks should never use operating systems that are no longer supported with security patches. That’s been a common problem all around the world.”
For remotely enabled hacks such as what Cosmos and the National Bank of Blacksburg faced, debit and other kinds of banking networks must also be subverted, not just the ATM endpoint.
Ofer Israeli, founder at Illusive Networks, also told Threatpost that the financial messaging systems that control electronic payment transactions, plus often-overlooked legacy systems such as mainframes, all remain high-value targets because they control such large amounts of cash and are often out of date.
Echoing the FBI’s warning, “gaining access to these networks via small and medium-size banks such as Banco de Chile or the National Bank of Blacksburg proves highly successful as these types of institutions generally have smaller budgets for cybersecurity so their defenses are less sophisticated to protect their most sensitive assets and legacy systems,” he said.
He added, “Unless the entire financial ecosystem does its utmost to minimize the attack surface and proactively detect attacks on the endpoints, these offensives are highly likely to continue.”