New wave of ATM cashout cyberattacks hitting banks
Cybersecurity firm Foregenix is advising financial institutions to take extra precautions to protect themselves against the new threat of ATM ‘cashout’ cyberattacks.
Foregenix has warned banks across the globe that the rise in these attacks can cause extensive financial and reputational harm within a matter of hours.
The growth of these attacks has led to unprecedented joint alerts by US-CERT, the US Department of Homeland Security (DHS) and the FBI. ATM cashouts, referred to as the FASTCash Campaign, are attacks by cyber criminals known as Hidden Cobra, who have strong links to nation-state attackers from North Korea.
The initial access mechanisms vary, but access is often achieved through phishing or unpatched internet-facing systems. The cyber criminals then exploit poor architecture and a lack of security on internal systems to manipulate limits or intercept transactions on the backend, and use stolen or cloned cards at ATMs to fraudulently withdraw large amounts of money.
The cashouts are typically executed using fraudulent copies of legitimate cards: stolen card information is sent to associates or ‘mules’, who imprint the data on reusable cards and perform the physical cash withdrawals.
Foregenix has performed Digital Forensic and Incident Response (DFIR) engagements as the leading PCI Forensic Investigator on the majority of known attacks in the region and has built a significant understanding of how they are performed, the motives of the attackers and when they are likely to occur.
Andrew Henwood, CEO of Foregenix, said: “The attacks are not opportunistic but extremely well-planned. The attackers are patient and strike with their mules often during the weekend or national holidays. This ensures their activity is not quickly detected as after-hours staff are typically working and the maximum value is extracted as quickly as possible, in hard currency, with almost zero risk.”
High-profile ATM cashout attacks include one in which an India-based bank's system was accessed through malware, resulting in over US$13m being stolen, and an attack in Japan in which another US$13m was stolen through ATMs in three hours as 14,000 fraudulent withdrawals were made.
Henwood says it is highly likely there will be many more ATM cashout attacks this year and banks need to take action now: “Banks can substantially reduce their risk through taking proactive measures such as performing security reviews of payment switches and servers in the cardholder environment, improved monitoring of critical payment infrastructure plus network traffic and close monitoring of typical ATM transaction withdrawals.
“Unless financial businesses understand and act, the problem will get worse. Cyber criminals look for the easiest and most profitable opportunities for their activities and ATM cashout attacks are pretty much the most lucrative attack there is.”