August 12, 2018

The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM cash-out,” in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.

“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’,” reads a confidential alert the FBI shared with banks privately on Friday.

The FBI said unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs.

“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” the alert continues. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

Organized cybercrime gangs that coordinate unlimited attacks typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any limits on the number of customer ATM transactions daily.

The perpetrators also alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM.

“The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores,” the FBI warned. “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”

Virtually all ATM cashout operations are launched on weekends, often just after financial institutions begin closing for business on Saturday. Last month, KrebsOnSecurity broke a story about an apparent unlimited operation used to extract a total of $2.4 million from accounts at the National Bank of Blacksburg in two separate ATM cashouts between May 2016 and January 2017.

In both cases, the attackers managed to phish someone working at the Blacksburg, Virginia-based small bank. From there, the intruders compromised systems the bank used to manage credits and debits to customer accounts.

The 2016 unlimited operation against National Bank began Saturday, May 28, 2016 and continued through the following Monday. That particular Monday was Memorial Day, a federal holiday in the United States, meaning bank branches were closed for more than two days after the heist began. All told, the attackers managed to siphon almost $570,000 in the 2016 attack.

The Blacksburg bank hackers struck again on Saturday, January 7, and by Monday Jan 9 had succeeded in withdrawing almost $2 million in another unlimited ATM cashout operation.

The FBI is urging banks to review how they’re handling security, such as implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business critical roles.

Other tips in the FBI advisory suggested that banks:

-Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.

-Implement application whitelisting to block the execution of malware.

-Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.

-Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as Powershell, cobalt strike and TeamViewer.

-Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.

-Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution.

Update, Aug. 15, 11:11 a.m. ET: Several sources now confirm that the FBI alert was related to a breach of the Cosmos cooperative bank in India. According to multiple news sources, thieves using cloned cards executed some 12,000 transactions and stole roughly $13.5 million from Cosmos accounts via 25 ATMs located in Canada, Hong Kong and India.


110 thoughts on “FBI Warns of ‘Unlimited’ ATM Cashout Blitz

  1. Jim

    The warning was published, because of the upcoming holiday weekend coming up.
    But, good article, informative, and timley. If I remember correctly, there are new vectors to worry about for ATMs. Nfc, and Bluetooth. About the beginning of summer, there was an article on those being incorporated I to the payout models. And the rollout of new style of motherboards to the machines, seems to make one wonder.

  2. aabay

    I stumbled on this article through CNN and had just read about an attack on a bank in India over this weekend and looks exactly similar approach. This is a regional bank but money was withdrawn internationally!

  3. Klaus

    This is a not a bad thing, IMO. It doesn’t hurt individual bank’s customers but it forces banks to improve their ATM security. This makes “less robust implementation of cyber security controls” a competetive disadvantage for banks ignoring security.

    1. Frank

      Lol, or they wouldn’t need to improve ATM security if the hacks didn’t happen? Seems like a self justifying cycle under your logic

    2. Steve Tyler

      IMHO – ANYTHING that increases a company’s cost of doing business (including theft) will sooner or later be passed on to the end customer to pay for. There is no ‘free lunch’.

  4. Bob

    I find this suspicious. Millions of dollars from an ATM? It doesn’t say how many machines were compromised, but if I recall correctly there is only about $20,000 in each ATM. If that is correct, that would mean 50 machines per 1 million dollars. Are there that many branches of the National Bank of Blacksburg, Virginia? (The article said 2.4 million in a total of two attacks, so average of 1.2 million each, so 60 branches) Even assuming 50,000 in each ATM, that is still 24 branches. Sounds fishy to me.

    1. James Beatty

      Bob, they don’t take the money just from one bank’s ATMs – they pull it from any ATM they can access, nationwide (perhaps worldwide at this point).

      We’re way past the era when you can only get money from your bank’s ATMs.

    2. Mel

      I’m with you, Bob. As a clear example:

      “Update, Aug. 15, 11:11 a.m. ET: Several sources now confirm that the FBI alert was related to a breach of the Cosmos cooperative bank in India. According to multiple news sources, thieves using cloned cards executed some 12,000 transactions and stole roughly $13.5 million from Cosmos accounts via 25 ATMs located in Canada, Hong Kong and India.”

      The addendum specifically gives numbers — $13.5 million from 25 ATMs is, essentially, half-a-million dollars per machine. The average ATM “can” hold around $200k but general service would be +/- $20k. What the crazy kind of cash transactions are happening in Canada, Hong Kong and India wherein the ATM’s are sitting around with half-a-mil each in them?

      Also, how does even a team execute 12,000 transactions on 25 machines? In person? With the stack of cloned cards? Who is waiting in line behind you at the giant $500k ATM while you stand there for 24 hrs. swiping your card / filling your luggage with cash?

      1. James Beatty

        More details, from another source – the bottom line is that this DID happen… it’s not some mysterious non-event:

        According to the bank and local media, the first two thefts occurred on Saturday, August 11. Hackers withdrew 805 million rupees ($11.4 million) in 14,849 ATM transactions across 28 countries.

        The first stage included 12,000 ATM withdrawals via the VISA card system for 780 million rupees ($11 million), with the vast transactions taking place mainly overseas.

        A second stage of the attack took place two hours later when hackers also withdrew an additional 25 million rupees ($400,000) via 2,849 ATM transactions via the Rupay debit card system at ATM locations across India.

        Cosmos Bank said it detected these suspicious withdrawals while they were taking place and intervened to stop the attack and secure its system.

        But hackers remained in the bank’s network, and on Monday, August 13, they initiated a third theft by using the bank’s SWIFT inter-banking system to send three transactions to a bank account in Hong Kong for another 139 million rupees ($2 million).

  5. Curious, busy mind

    A lot of off-topic “political noise” in the comments here. For politics (which I enjoy) I go elsewhere. It would be a service for the moderators (who might not actually be Brian Krebs himself) to delete off-topic comments and issue a stern warning.

    Oh, yeah, in the clean-up, delete THIS comment, too. It does not add to an understanding of the security issues.

    1. Congrats Grandpa

      Good call thanks for policing comments. You are the import important thing to happen to this articles comment section since its creation. Thank you for your continued dedication to our reading material.

  6. patrick

    Magnetic stripe for cash withdrawal, really? In Europe we used to have that as well, I think back in the ’90ies. Feels like still relying on wax seal; no wonder they get hacked.

  7. wally osgood

    In the main brain of an ATM a five minute hold between any transfer of cash would slow down these meatballs

  8. Unknown

    last we saw in Dark Web some developers publish tools hacking ATM’s from Ploutus-D to Perlata and they notice grow up it with some functions allow attacker to get access without crash ATM or do any physical hacking .

  9. Chris Demeur

    Banks generally have much better security than hospitals and medical firms. I would think that a coordinated attack would work better against medical firms. I guess the appeal of instant cash is more appealing.

    1. Mikey Doesn't Like It

      Of course cash is more appealing! Especially when it comes direct from the bank itself, rather than going through multiple steps to try to get the same amount of $$.

      Think about it — cash in hand, right away (direct from the bank), or go through the motions of stealing medical records, storing them on a “safe” server, trying to sell them, and converting any bitcoin you can actually receive into cash?

      Sadly, there are still more than enough weak links that allow this to happen. And as others have pointed out, although the banks will replace $$ stolen from your account, all bank customers ultimately pay for it in higher fees, etc.

  10. Wil-I-Am_Not

    My co-worker found this article and warned us after his wife’s card was hit for $200 in SFO. Now my wife’s card has been hit from Paris for $150. Another co-worker’s wife’s card was hit for several hundred from Indiana. ATMs need to institute Chip readers and PIN necessity to increase their security ASAP.

    1. Mikey Doesn't Like It

      You’re right. But meanwhile, here are a couple of suggestions…

      1. If your bank isn’t already providing ATM or debit cards with a chip, you need to switch banks.

      2. If your cards already have chips, suggest you avoid any ATMs except those from legitimate banks, most (if not all) of which have chip readers. (As opposed to, e.g., ATMs from private companies — the types you’ll find in 7-11, gas stations, etc.) This, of course, reduces opportunities for fraud.

  11. oldfatguy

    wow the criminals are getting more and more daring.

  12. L Allen

    This type of fraud is nothing new. For years banks have been attacked with this method which uses spear phishing and social engineering attacks to get credentials which are then used to control the authorisation system. Carbanak was 1 billion dollars. This fraud has little or nothing to do with the ATM aside from it being used to cash out, there are no security measures to apply on the ATM for this method, it has much more to do with security of authorisation and other transaction processing solutions. If you are concerned about your payment software then ensure they are compliant with the applicable pci dss requirements or are pa dss certified, and monitor all third party providers. Information security is still often taken as an afterthought, i get weekly questions from vendors asking about certification and you would be verrryyyyyy surprised at how little infosec best practices even exist in many organisations. There rant over, 10+ years in payment security can do that 😉

  13. Gary Singh

    Simple and effective solutions exist, such as card controls by Ondot which allow users to set the rules like block card, block by merchant or transaction type such as decline ATM Txs. The banks that offer this service could simply notify their users with in-app notifications and users could immediately in seconds turn off ATM Txs . To learn how to prevent against this threat in a simple yet effective way, visit ondotsystems.com

    1. L Allen

      You are right, but that is on the Authorisation side for cards issued by a bank: Geoblocking, AI, etc all are useful.

    2. AllwaysLearning22

      I think you are forgetting that the attackers are able to manipulate the data/settings for the end user’s account.

      They could easily disable the notification. And even with notifications in place, it does not help you if the transactions are not denied.

      As the article stated the criminals use the access they have gained to alter the daily withdrawal limits, etc.

  14. CashoutKingpin

    Funny! SWIM cashed UK FR MX cards in US cause CUs don’t put EMV also ATM don’t do POS purchase so they only read T1 T2 to very it matches magstripe! Takes 1 min to put data on JCOP cards. After they got banged for 1 ATM added EMV and rest 2 just put logo and in example card with EMV but they didn’t read EMV. Banks these scare tactics don’t work for old school guys haha. SWIM stood on ATM with 500 blanks and pin on back not even one person noticed come on its obvious! )))
    Shout out to UK guys and banks for being easy have fun with.

    1. IGotSteelInPants

      Also these idiot banks small CU and local banks have mostly no region block. Thanks to that even track data people look up ssndob then call and ATO saying they out of state and go swipe for max credit for gift cards then sell for BTC. This just to show even region block is getting fucked cheers to People’s Choice and BBVA

Comments are closed.