On August 10, 2018, the Federal Bureau of Investigation (FBI) issued a private warning to banks that cybercriminals are planning to “conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation.’”
A typical unlimited operation uses a phishing campaign to insert malware into the financial institution or payment card processor’s system so the cybercriminals have access to customers’ accounts, which allows the criminals to then steal large amounts of money through ATMs.
After the cybercriminals get into the financial institution or payment card processor’s system, they alter customer accounts so there are no limits on the account for ATM withdrawal, sometimes altering the balance, and then removing any fraud detection systems the financial institution or card processor put in place to prevent large amounts of cash from being withdrawn through the ATM or that a customer can only withdraw money from their account through an ATM on so many occasions in one day. This allows the criminals to withdraw large amounts from accounts have altered to look like there is more money in them than is actually in the balance, and so the accounts can be wiped out in one ATM transaction. Then the criminals create fraudulent cards based on the legitimate ATM cards and simultaneously withdraw large amounts from ATMs around the country, usually on a holiday weekend.
The FBI provides these considerations for banks and card processors:
- review present security measures, including implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business critical roles
- implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold
- implement application whitelisting to block the execution of malware
- Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes
- Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as Powershell, cobalt strike and TeamViewer
- Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports
- Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution or card processor
With the three-day Labor Day weekend right in front of us, banks would do well to pay attention to the FBI warning.