On Sunday, Aug. 12, KrebsOnSecurity carried an exclusive: The FBI was warning banks about an imminent “ATM cashout” scheme about to unfold across the globe, thanks to a data breach at an unknown financial institution. On Aug. 14, a bank in India disclosed hackers had broken into its servers, stealing nearly $2 million in fraudulent bank transfers and $11.5 million in unauthorized ATM withdrawals from cash machines in more than two dozen countries.
The FBI put out its alert on Friday, Aug. 10. The criminals who hacked into Pune, India-based Cosmos Bank executed their two-pronged heist the following day, sending co-conspirators to fan out and withdraw a total of about $11.5 million from ATMs in 28 countries.
The FBI warned it had intelligence indicating that criminals had breached an unknown payment provider’s network with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs.
Organized cybercrime gangs that coordinate these so-called “unlimited attacks” typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum withdrawal amounts and any limits on the number of customer ATM transactions daily.
The perpetrators alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM.
My story about the FBI alert was breaking news on Sunday, but it was just a day short of useful to financial institutions impacted by the breach and associated ATM cashout blitz.
But according to Indian news outlet Dailypioneer.com, there was a second attack carried out on August 13, when the Cosmos Bank hackers transferred nearly $2 million to the account of ALM Trading Limited at Hang Seng Bank in Hong Kong.
“The bank came to know about the malware attack on its debit card payment system on August 11, when it was observed that unusually repeated transactions were taking place through ATM VISA and Rupay Card for nearly two hours,” writes TN Raghunatha for the Daily Pioneer.
Cosmos Bank was quick to point out that the attackers did not access systems tied to customer accounts, and that the money taken was from the bank’s operating accounts. The 112-year-old bank blamed the attack on “a switch which is operative for the payment gateway of VISA/Rupay Debit card and not on the core banking system of the bank, the customers’ accounts and the balances are not at all affected.”
Visa issued a statement saying it was aware of the compromise affecting a client financial institution in India.
“Our systems were able to identify the issue quickly, enabling the financial institution to take appropriate action,” the company said. “Visa is working closely with the client in supporting their ongoing investigations on the matter.”
The FBI said these types of ATM cashouts are most common at smaller financial institutions that may not have sufficient resources dedicated to staying up to date with the latest security measures for handling payment card data.
“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” the alert read. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
In July 2018, KrebsOnSecurity broke the news of two separate cyber break-ins at tiny National Bank of Blacksburg in Virginia in a span of just eight months that led to ATM cashouts netting thieves more than $2.4 million. The Blacksburg bank is now suing its insurance provider for refusing to fully cover the loss.
As reported by Reuters, Cosmos Bank said in a press statement that its main banking software receives debit card payment requests via a “switching system” that was bypassed in the attack. “During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system,” the bank said.
Translation: If a financial institution is not fully encrypting its payment processing network, this can allow intruders with access to the network to divert and/or alter the response that gets sent when an ATM transaction is requested. In one such scenario, the network might say a given transaction should be declined, but thieves could still switch the signal for that ATM transaction from “declined” to “approved.”
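To make that translation concrete, here is an added illustration in Python (not code from this story, from Cosmos Bank or from any payment vendor): the issuing host attaches an HMAC to every authorization response, so an ATM that checks the MAC refuses a response whose decision a rogue “proxy switch” rewrote from “declined” to “approved”, while a naive ATM that trusts the decision field alone would dispense. The shared key, the message fields and both ATM behaviours are assumptions constructed for the example; a real deployment would keep the key in an HSM and use the scheme's own message format.

```python
import hashlib
import hmac
import json

# Constructed shared secret between issuer host and ATM-side verifier (example only).
HOST_KEY = b"example-shared-secret-not-for-production"


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding of the response fields so both sides MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_response(txn_id: str, amount: int, decision: str, key: bytes = HOST_KEY) -> dict:
    """Host side: build an authorization response and bind its fields with HMAC-SHA256."""
    body = {"txn_id": txn_id, "amount": amount, "decision": decision}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_response(resp: dict, key: bytes = HOST_KEY) -> bool:
    """ATM side: recompute the MAC over every field except 'mac' and compare in constant time."""
    fields = {k: v for k, v in resp.items() if k != "mac"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp.get("mac", ""))


def proxy_switch_flip(resp: dict) -> dict:
    """Simulates the failure mode in the article: an in-path box rewriting the decision.
    It cannot recompute the MAC because it does not hold the key."""
    tampered = dict(resp)
    tampered["decision"] = "approved"
    return tampered


def naive_dispense_decision(resp: dict) -> str:
    """Unprotected ATM logic: trusts whatever decision arrives on the wire."""
    return "dispense" if resp.get("decision") == "approved" else "no-dispense"


def checked_dispense_decision(resp: dict, key: bytes = HOST_KEY) -> str:
    """Hardened ATM logic: only an authentic 'approved' response releases cash."""
    if not verify_response(resp, key):
        return "reject-integrity-failure"
    return "dispense" if resp["decision"] == "approved" else "no-dispense"
```

Run the two decision functions on a declined response before and after `proxy_switch_flip` to see the difference: the naive ATM dispenses on the rewritten message, the checking ATM rejects it.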
One final note: Several news outlets have confused the attack that hit Cosmos Bank with another ATM crime called “jackpotting,” which requires thieves to have physical access to the inside of the cash machine and the ability to install malicious software that makes the ATM spit out large chunks of cash at once. Like ATM cashouts/unlimited operations, jackpotting attacks do not directly affect customer accounts but instead drain ATMs of currency.
Update, 8:10 p.m. ET: An earlier version of this story incorrectly stated that there were only 25 ATMs used in the cashout against Cosmos. The figure was meant to represent the number of countries with ATMs that were used in the heist, not ATMs, and that number is 28 at last count.