Sophisticated and Stealthy Bank Attack Combines Cyber and Organized Crime
Organized crime and cybercriminals are working together to steal large amounts of cash from banks. The money is taken in multiple but relatively small amounts from ATMs. Organized crime sets up the accounts and collects the cash, while cybercriminals hack the banks and manipulate the accounts.
The details come from a study (PDF) published today. In mid-to-late 2017, Trustwave SpiderLabs was asked to investigate a number of bank breaches that had occurred in post-Soviet countries — and found a series of common features. Money was being stolen via ATMs from what appeared to be legitimate accounts. Because the accounts were ‘legitimate’, alarms were not raised; and in many cases the thefts only became apparent long after the event.
The process requires an alliance between organized crime (such as Mafia, Yakuza, etc) and cyber criminals. Organized crime controls the manpower — the mules. The mules are supplied with fake IDs. They establish rogue accounts with the targeted banks, and request debit cards. Once the debit cards are received, they are sent outside of the country — part of keeping the attack low profile is not to steal money via ATMs in a country where the bank has a presence.
The next stage is for the cybercriminals to compromise the target bank. This would normally be by phishing and social engineering. “While the physical activities involving application for accounts and debit cards were taking place at the bank’s various branches in the country,” notes the report, “the cyber attackers gained initial entry, moved laterally and compromised multiple systems inside the bank’s network.”
From here the attackers crossed over to the bank’s third-party processor using the established connectivity between bank and processor. The next stage was privilege escalation within the processor, and the delivery of multiple payloads. Key was Mipko, which is advertised as an ’employee monitor’. This enabled them to locate the privileged accounts that could alter customer card conditions.
This allowed the attackers to locate and alter the conditions on the rogue accounts. They activated the overdraft settings and changed the limit from the default value of zero to ranges varying from $25,000 to $35,000. All of this was coordinated with the cash withdrawals via overseas ATMs.
“The physical counterparts stationed at various locations in Europe and the Russian Federation” notes the report, “then cashed out substantial amounts of money for each of these cards from ATM terminals. Cash withdrawals across the region began within minutes of the first OD property change made to the debit cards on the card management application… Within the next few hours the operation concluded, removing up to USD$10 million from each bank.”
The process from account manipulation to foreign cash withdrawals took only about five hours. But the withdrawals were not the final act of the attack. “Almost two hours after the last withdrawal occurred the criminals wiped the server,” Thanassis Diogos, SpiderLabs managing consultant, told SecurityWeek. “They were sure that their actions would trigger an investigation, so they were most probably trying to remove evidence from the crime scene. And they succeeded to a point because the internal server used for maintaining external connections had nothing to do the with card processing infrastructure. So the IT department never associated the failure of that system with the incident — it was only at the point of log analysis that it pointed to that system.”
SpiderLabs has seen the same process in four separate banks (two in Russia, and two in post-Soviet states); and is investigating a possible fifth in Africa. It is not clear whether it is the same gang in all cases. “The malware used differs per case but methodology was the same,” said Diogos. It could be the same gang using different malware under different conditions, or it could be different gangs altogether, since “underground forums share these ideas.”
One thing that is clear is the growing cooperation between organized crime (feet on the street) and criminal hackers — although at this stage it is not clear whether hacking crews are contacting criminal gangs, or criminal gangs are recruiting hacking crews. “One way or another,” said Diogos, “the spread of electronic devices and data digitization has come under crime’s scope.”
The total amount lost to this particular methodology is not known. It is generally believed that financial institutions do not own up to all of their losses in order to maintain faith in their brand.
“Our investigations have revealed victim losses currently around approximately USD$40 million. However, when taking into account the undiscovered or uninvestigated attacks along with investigations undertaken by internal groups or third parties, we estimate losses to be in the hundreds of millions in USD. All global financial institutions should consider this threat seriously and take steps to mitigate it.”