Breach, Content, Vertical markets

FBI Bank Warning: ATM “Cash Out” Hacker Attack Pending

The Federal Bureau of Investigation (FBI) is warning banks that hackers could hit automated teller machines (ATM) in the next few days in a well-planned heist to siphon off huge sums of cash.

The attack is known as an “ATM cash out” or what the FBI calls an “unlimited operation,” in which hackers infect a bank or payment card processor with malware to gain network access and pilfer customer bank card information. Smaller banks, which may have weaker defenses than larger institutions, could be a likely target. The FBI cautioned it's just the start of this type of hack attack.

Krebs On Security Gets the Memo

Here’s what the FBI is telling banks in a confidential alert (via Krebs On Security, which first reported the warning):

“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation.’”

“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities.” 

“The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores. At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”

ATM Cash Out Attack Timing - This Weekend?: Timing may be a major factor in the success of the attacks, Krebs reported. The weekend is a likely time, when most banks are closed. In similar hacks in 2016 and again last year, cyber thieves stole $2.4 million from a bank in Virginia over the Memorial Day holiday and on a Saturday.

ATM Cash Out: Potential Anatomy of the Hacker Attacks

According to Krebs, the attackers will first remove some fraud controls, such as maximum withdrawal amounts and restrictions on the number of ATM transactions, and may modify account balances, just before springing the “cash out.”

The FBI is recommending banks add these precautions (via Krebs):

  • Strong password requirements and two-factor authentication.
  • Separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.
  • Application whitelisting to block the execution of malware.
  • Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.
  • Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network.
  • Monitor for encrypted traffic traveling over non-standard ports.
  • Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution.

A version of "ATM Cash Out" called "jackpotting" appeared earlier this year when more than than $1 million was hijacked from ATM machines across the United States. The jackpotting heists, reminiscent of a winning slot machine, had been confined to Asia, Europe and Mexico but now pose a serious threat to U.S. banks. The gangs are said to be using sophisticated jackpotting malware called Ploutus.D first deployed in attacks four years ago, Krebs reported in January.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.