August 12, 2018

The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM cash-out,” in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.

“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’,” reads a confidential alert the FBI shared with banks privately on Friday.

The FBI said unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs.

“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” the alert continues. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

Organized cybercrime gangs that coordinate unlimited attacks typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any limits on the number of customer ATM transactions daily.

The perpetrators also alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM.

“The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores,” the FBI warned. “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”

Virtually all ATM cashout operations are launched on weekends, often just after financial institutions begin closing for business on Saturday. Last month, KrebsOnSecurity broke a story about an apparent unlimited operation used to extract a total of $2.4 million from accounts at the National Bank of Blacksburg in two separate ATM cashouts between May 2016 and January 2017.

In both cases, the attackers managed to phish someone working at the Blacksburg, Virginia-based small bank. From there, the intruders compromised systems the bank used to manage credits and debits to customer accounts.

The 2016 unlimited operation against National Bank began Saturday, May 28, 2016 and continued through the following Monday. That particular Monday was Memorial Day, a federal holiday in the United States, meaning bank branches were closed for more than two days after the heist began. All told, the attackers managed to siphon almost $570,000 in the 2016 attack.

The Blacksburg bank hackers struck again on Saturday, January 7, and by Monday Jan 9 had succeeded in withdrawing almost $2 million in another unlimited ATM cashout operation.

The FBI is urging banks to review how they’re handling security, such as implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business critical roles.

Other tips in the FBI advisory suggested that banks:

-Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.

-Implement application whitelisting to block the execution of malware.

-Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.

-Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as Powershell, cobalt strike and TeamViewer.

-Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.

-Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution.

Update, Aug. 15, 11:11 a.m. ET: Several sources now confirm that the FBI alert was related to a breach of the Cosmos cooperative bank in India. According to multiple news sources, thieves using cloned cards executed some 12,000 transactions and stole roughly $13.5 million from Cosmos accounts via 25 ATMs located in Canada, Hong Kong and India.


110 thoughts on “FBI Warns of ‘Unlimited’ ATM Cashout Blitz

  1. frank kelly

    “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

    Ubiquitous: present, appearing, or found everywhere.

    So, more than everywhere? If the FBI can’t think more clearly than this, no wonder they aren’t preventing such fraud.

    1. Joe

      Somewhat off topic but focusing on precision in English. I think it is possible for an activity to be ubiquitous, i.e. present everywhere and still increase. That can occur if the intensity of the activity were to increase. Trying for a example that will offend no one: The growth of the moss in my lawn appears ubiquitous (in my lawn anyway), and the growth increases in spring. 🙂

      1. Other Joe

        Joe: The FBI expects the ubiquity to increase, not the intensity of the ubiquity, but the ubiquity itself.

      2. jarvir

        But they are saying the ubiquity is increasing not the activity or its intensity. I’m a non-native English speaker, but I’d have to say I agree with frank kelly.

      3. Xander

        Joe – “…trying for a example”? How about “an example”.?
        Tsk tsk to the grammarian.

    2. John

      Regardless of whether or not the word was used correctly, the FBI didn’t write this article, even if they did assuming it has anything to do run the cyber crime division is a bit of a leap.

    3. Chris

      Excellent observation Frank. I love to see people called out for their mid use of the English language. Not being sarcastic here at all. I wish people could be corrected more often. It is totally nonsensical to add a qualifier to a superlative… like more ubiquitous, or more infinite; such statements do reflect poorly on the speaker/author.

      1. somguy

        Did you perhaps mean “misuse” instead of “mid use?”

    4. Pete

      frank, The FBI did not use the word “ubiquitous”, they said ubiquity.

      u·biq·ui·ty. NOUN
      the fact of appearing everywhere OR of being very common.

      It’s disingenuous to throw ubiquitous up there and say they didn’t use it correctly. And this sort of disingenuous grammar policing is very common, and seems to be getting worse.

      1. Layla

        Pete-the first person to even recognize the form of the word. Thanks, Pete. Kudos! I read the initial comment and thought- no-it’s not the correct meaning quoted here and it is being used just fine.

    5. chip douglas

      The FBI has their resources tied up in perpetrating a coup on Donald Trump. Preventing real crime is just a hobby and secondary to their political agenda.

      1. Anon404

        Do you really have to bring the political BS to these boards? Besides that, Trump is a crook, has always been a crook, and anyone who thinks he ever been honest his entire life hasnt been paying attention. The first impression he has given to people since the 80’s and 90’s is that of con man.

        1. Chip Douglas

          I hear you Anon404, but I have to ask you, do you approve of all the illegal BS by the Clintons and the DNC as well as the FBI? There is getting to be a long list of FBI people fired and DT did not do that; they were forced by lawsuits by Judicial Watch and the FOIA that exposed there illegal actions and political bias. If not for the FOIA and Judicial Watch the crimes would remain covered up. DT was legally elected by the citizens of the US. Supposedly unbiased government workers are using their privilege and power to perpetrate a soft coup on the president of the US. How would you feel if the roles were reversed? Today. Peter Strok was fired for this. When your accuser is worse than you are, how is that better? Trump is a long way from the ideal president but he has turned the economy around, (something Obama said could not be done) and in every way seems to be a patriot. You may not like him but he is a hell of a lot better than any president we have had in a long, long time.

      2. Notme

        Total BS – must be one of those Q’ed flat earth folks. They have plenty of resources dedicated to fraud. You may be right about the resources assigned to preventing foreign powers from influencing our elected representatives through bribery and extortion.

        1. Chip Douglas

          Some people will believe anything if it coincides with their politics. Very sad when the truth has been proved and they still refuse to acknowledge it.

      3. Jose Guatalupe

        If the FBI weren’t so busy trying to frame the President, maybe they could do more than warn about such an attack and maybe prevent it. But…there are only so many hours in a day.

  2. Robert Scroggins

    I read this as meaning that the usefulness of the described hack(s) to hackers will continue/increase in the future.

    Regards,

  3. Rich

    They managed to hit the same bank TWICE? Six months apart?

  4. yyz

    I’m baffled as to why so many financial institutions, even big ones, such as Zions Bank, Fidelity Investements and Voya Financial don’t even make 2FA required, let alone offer it.

    Zion Bank still pops up a notification that Flash isn’t installed, although lack of Flash doesn’t prevent it from working.

    How is this not required by regulators, FDIC, or SEC? No wonder they get compromised like this.

    1. Gary

      My interpretation is they want bank employees to use 2FA, not necessarily bank customers.

    2. Larry

      Reporting as a Fidelity customer, they do offer 2FA using an authenticator app for smartphones. However, a customer can disable it by calling a security center and providing some sort of personally identifiable information. I’ve never tried to disable it, so I don’t know how secure it is.

      1. KB toys

        Hard to make universal statements about big companies like Fidelity – some systems seem to have robust controls and others…show unacceptable compromise of convenience for security.

        For example, Fidelity interfaces with a third-party system that offers multiple 2FA methods. While some of them, like one time pass codes via SMS messaging are not robust, the one Fidelity insists partner firms use is Knowledge Based answers.

        This option should have been suspect even before the Equifax hack, but it seems supremely incompetent after it. Disappointed Fidelity! Do better!

      2. Paul

        The problem with the Fidelity 2FA solution is that their own API doesn’t enforce it. Third-party apps including Fidelity’s own trading platform doesn’t enforce 2FA. So it’s effectively useless.

    3. Some Joe

      My bank only just recently allowed me to specify a password longer than 8 characters. It’s a small credit union with a handful of branches, and 8 character passwords.

      1. old school

        My guess is the 8 character password goes back to the IBM mainframe days….the bank might have still been running a mainframe on the backend.

    4. Dave

      While 2FA should be more ubiquitous (ha) in online/mobile banking, compromising the login to your account has nothing to do with the compromise the FBI is warning against. It’s like saying you hacking into my gmail account will give threat actors access to google’s internal network. That isn’t how it works.

  5. The Sunshine State

    ATM cash-out fraud is becoming more common in The Sunshine State

    1. jstackpo

      In these times of global warming, sunshine is becoming ever more ubiquitous (!?!) in all the states – which state is “The” sunshine state?

      1. Ashleigh

        The Sunshine State refers to Florida (pays homage to is citrus industry).

  6. msean

    Maybe another reason not to keep cash in your bank but instead use the bank’s safe deposit boxes to keep copies of password protected paper bitcoin wallets.

  7. Bank Associate

    I work for a fairly big bank and the steps you have to take in order to increase your daily limit of cash out of an ATM is pretty thorough and secure. Sometimes if even you are the actual owner of the account, it’s pretty difficult to increase the cash limit. On top of the steps you have to take to increase your limit, the system won’t even allow you to go past anything over a specific amount. Even if there was an “insider”, there’s barriers and alerts in place to prevent fraud and quickly catch those who try. If you are still worried, only use major banking institutions.

    1. edgarwhiltshireiii

      This is about 5 years ago, with CitiBank. I was in another country and needed 4 grand to buy a car. My limit was $1k I think, or maybe even $500. In any case I called them up and they lifted the limit for 2 hours. I could only get $1000 per transaction, so I had to go to 4 ATM machines, but I got the $4k, no problem.

      At least at that time, it seems that it would’ve been hackable (in theory).

  8. nick

    jstackpo- r u serious right now about “which state is the sunshine state” —- I HOPE U R NOT! SMMFH!!!!!

  9. Royce

    They still have to put their hands on the money and it’s still an old fashioned bank robbery, which means they will get caught. My question is why is my money less safe on a weekend or holiday? Because THAT is the real issue. Essentially, I trust a bank with my money and they screw me.

    1. somguy

      Because many banks are closed or not staffed on weekends (or at least part of it).

      Obviously if they had a clue, they’d have monitoring in place to alert someone on call if things go sideways, unusual activity, and an escalation path to a manager. But they just as obviously have no clue if they got hit with this TWICE in 6 months. The first time should have been a warning wake up call to fix things.

      1. Robert

        Even if the bank does have after-hours, weekend, and holiday staff, usually these are the least desirable shifts and therefore staffed with the lower quality people.

  10. Doug

    Brian, thanks, great heads-up. Can you tell us (consumers) more about what WE can do to protect ourselves; beyond trying to choose a responsible bank?

  11. Whoever

    @royce,
    How many US customers have lost money when the bank itself has been broken into? Cyber or physical? Not one. A least not since 1933.

    1. Greg

      Well, pretty much EVERY U.S. customer has lost money. If the back goes bankrupt, we taxpayers lost money. If the bank takes losses, they pay less in interest, so every customer lost money. If other insurance covered it, the insurance company raises rates.
      Just because your account was reimbursed does not make it a victimless crime.

      1. Doug

        Excellent point, Greg. Just because your account isn’t reduced or returned to pre-theft levels doesn’t mean you’re not losing something. Bottom line, it always comes down to the consumer loosing. If the employees, starting with the CEO, had to pay for those losses, you’d see a different world.

        The consumer looses with lower interest rates because the bank uses the float to pay for these higher “costs,” such as higher insurance rates.

  12. IT Banker

    “Whoever” is exactly right! Banks are required to reimburse their customers for losses both cyber and physical. Let’s get to the real problem. Cyber fraud will not decrease until merchants are being held financially responsible for their breaches! They institute shoddy security or no security at all on their POS systems and banks are left to clean up the mess!

      1. Doug

        Exactly correct. The consumer always foots the bill in the end. Until management is held financially responsible, you won’t see a change.

    1. Bobby Jr

      Except that, in this case, the security issue isn’t with the POS, it’s with the bank’s internal security and controls. The attackers phish credentials and then use their access to make changes from within the bank’s internal systems.

  13. Jeff Simmon

    Brian,

    anything the public can do to help stop/slow this? (other than following the safe computing practices you’ve been telling us about for years?)

  14. Rob

    Did they also get that info from the Russian government along with there Trump info? Must be true i read it online.

  15. Lisa DeJarnette

    So glad that this was a CONFIDENTIAL memo. It will assist in the capturing of the hackers. Since they are completely unaware that the FBI and the banks are ” on to them”. Sometimes people just continue to make less and less sense. Smfh.

  16. Kyp

    Nothing happens when somine in high places not allowing.
    Many criminal organizations are run by secret services as we all know this allready

  17. Patrick Harbauer

    Would it make sense for consumers to keep a minimum amount of cash in any account tied to an ATM card so that if this happens the impact to the consumer is minimized?

    1. Robert

      Patrick stated: “Would it make sense for consumers to keep a minimum amount of cash in any account tied to an ATM card so that if this happens the impact to the consumer is minimized?”

      Years ago I opened a high(er) interest account at the bank that I already had two accounts with. I asked them not to connect that account with my other two on the debit card, they obliged. My debit card only shows the two “smaller” accounts so I assume a thief who got hold of my debit card would never know about the $$$ I have in the third account.

      Someone breaking in via a hack probably could/would find that third account but at least I don’t have to worry about the debit card issue. Just trying to make life harder for the bad guys hoping they’ll target easier prey.

      It would be nice if “all” banks allowed customers to “lock” certain accounts out from online manipulation. If you need to access the account, you must do so in person. That would inconvience some folks, not me. I only move my direct deposits from one of the accessable accounts to the high interest one, which holds the bulk of my money. I’d love to lock that $$$ account as I do keep a few thousand in one of the other accounts in case I need the money.

      Theft would be minor “if” I can also set a $$$ withdrawal limit, hard wired into the bank’s system that could not be changed via a hack (only in person). Unkown if such a system exists but if it did and everyone (never gonna happen) used it, hackers would be eating chicken bones for dinner everyday.

      So far, no one has ever hacked any of my accounts and they are all FDIC insured but why not make life hard for the bad guys to begin with? An ounce of prevention anyone?

    2. Readership1 (previously just Reader)

      No.

      This “Unlimited Operations” hack affects internal bank systems and ATM machines.

      It has nothing to do with individual account holders, individual ATM cards, or your account balances.

      Consumers can learn from the warning, but it’s not intended for them.

      You can read a similar bank warning from 2014.

      (PDF) http://www.ffiec.gov/press/pr040214.htm

  18. Dnk

    I find it hard to leave thousands in a bank, because of hackers
    and banks dont catch them in time of cybering, but banks still require a 1500 stay in bank or they dock you 35 .00 fee if you dont keep it in either way you loose, cause u cant use it.

    1. Bob

      Try a credit union instead of a bank. I can’t remember when I last had to keep a minimum balance or pay a fee / penalty for my checking account.

  19. Too Late

    My wife’s card was used last week at an ATM in San Francisco to withdraw $200, fraudulently. Guess they were a day late a $200 short for us 😉
    God Bless USAA!!

  20. vb

    To those asking what you can do: You can set up alerts on your bank accounts such that you receive a text/email whenever anything leaves your bank account.

    You can also set up alerts on your bank credit cards such that you receive a text/email whenever anything is charged to your card account.

    1. Readership1 (previously just Reader)

      Irrelevant.

      This malware doesn’t target individual accounts.
      It hacks the bank.

      1. Brad Rose

        Actually it does target one or more accounts. The game is to clone the cards, pass them around. Then at a predetermined time they all spam the ATMs pulling as much cash out as possible. The inside hook keeps putting money into the account or the card… until they run out of ATMs or the bank catches wind of it.
        This could hit banks or credit unions. Going to be interesting.

        1. Thored

          Actually, in this case, the attackers did not access systems tied to customer attacks, the money was taken directly from the banks operating accounts.

          1. Thored

            That should be “customer accounts” vice “customer attacks”

  21. Franz

    Hello,
    Any link to the original content from FBI? I can’t find anything on their website.

    1. roger tubby

      Excellent question, Franz. I am surprised Brian did not include some background information so we can get more details without relying on some search engine.

      Also, my reading of the warning is that the miscreants (sounds like naughty little boys) are able to change some of the parameters that financial institutions use to limit withdrawals, etc. The “Bank Employee” suggested there are checks-and-balances but I bet updating the software/configuration does not leave much of a trail of permission slips.

  22. L T

    This story doesn’t make it entirely clear, but I’m somewhat curious if this exploit is half in part due to compromised ATMs themselves, or if it’s malware/backdoors on the bank’s bavkend that are being exploited (or both!)

    1. Thored

      This particular scheme did not physically compromise the ATMs. They were only used to pull out the cash once changes to the authorization system were made.

  23. Candy

    Mr. Krebs, I do have to disagree with the timing of this posting. The FBI alert was sent privately so as not to tip off the criminals. You’ve now posted it for the good guys and the bad. Will this change their behavior? Or just delay it?

    And for those commenters who think only the big banks have security? Your community bank has big boy “toys” to fight crime with as well, and we know you…not a number. Don’t let one FI color your view of all community banks.

    1. vb

      I don’t understand your concern over tipping off the criminals. Wouldn’t it be a good thing if the criminals decided not to engage in this crime because of an increase in vigilance? Also, giving the banks more time to harden their operations.

    2. KB Toys

      Let’s see…Brian wrote an investigative report that probably led to the FBI publishing its warning. Only fair that Brian reports on the FBI warning that happened after his story.

      Besides, the bad guys read Brian’s columns for many reasons, including: 1) hints he’s using / compromised dark web forums they use, 2) amusement, 3) ego….

  24. BillTed

    Why don’t people know the difference between the words lose and loose? I don’t understand.

    1. edgarwhiltshireiii

      Don’t loose your mind about it. What, do you have a screw lose or something?

  25. ALBERT

    I THINK THESE HACKERS SHOULD COME TO AFRICAN BANKS TO HACK DIRTY MONEY LONDERING BANKS

  26. PJ London

    Pre-programming.
    The war on cash just took the next giant step. Any excuse to reduce the use of currency and force people to move to exclusively electronic payments. Without cash or cash being available you will have at most 48 hours of resources and be unable to escape any surveillance.
    Total Recall just came closer.

  27. Mandar Kale

    I don’t understand your concern over tipping off the criminals. Wouldn’t it be a good thing if the criminals decided not to engage in this crime because of an increase in vigilance? Also, giving the banks more time to harden their operations.

  28. Mandar Kale

    I find it hard to leave thousands in a bank, because of hackers
    and banks dont catch them in time of cybering, but banks still require a 1500 stay in bank or they dock you 35 .00 fee if you dont keep it in either way you loose, cause u cant use it.

    1. somguy

      Banks tend to have protection though in case they lose money from hackers. Also, it’s safer than keeping it under a mattress at home.
      As for keeping a minimum balance or else getting a fee charged, that depends on bank. And sometimes banks have special accounts that don’t get charged that fee. Like maybe the checking would, but not savings.
      I suggest you look into opening an account with a credit union instead of a bank, they often have less fees.

    2. Brad Rose

      Unlike cybercurrency, if you tell your bank that your account was hacked-in a reasonable amount of time (30-90 days-hopefully much shorter, you can get the money back – days dependent upon last statement drop. It’s called Regulation E.
      Brad

Comments are closed.