14 August 2018

FBI alerts FIs to potentially imminent ATM cash-out attack


The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an «unlimited operation».

The alert, sent to banks on Friday by the FBI and later posted in a blog on the Krebs on Security website, warns of a «highly choreographed» and large-scale global ATM cash-out scheme in which criminals fraudulently withdraw millions of dollars from ATMs within just a few hours.

Such attacks have been seen in the past, including a massive attack approximately two years ago that netted $2.4 million in a months-long series of ATM cash-out episodes, the Krebs blog said.

Weekends and federal holidays are favored times for cash-out attacks, in part because financial institutions are closed and the ATM attacks are less likely to be noticed, but also because ATMs are generally stocked at these times.

Attacks usually begin with a phishing attack on a bank or payment processor. Once the criminals obtain access to the organization's internal systems, they can download card data and disable fraud controls, such as ATM withdrawal limits and number of transactions allowed daily. In at least one previous incident, attackers also changed account balances in order to make unlimited withdrawals.

According to the Krebs blog, the FBI alert advised banks to:

  • Implement separation of duties or dual-authentication procedures for account balance or withdrawal increases above a specified threshold.
  • Implement application whitelisting to block the execution of malware.
  • Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.
  • Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as PowerShell, Cobalt Strike and TeamViewer.
  • Monitor for encrypted traffic (SSL or TLS) traveling over nonstandard ports.
  • Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution.
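
The first and third recommendations above, as an added example (not from the FBI alert or the source article): a check over an account-change audit log that flags withdrawal-limit or balance increases above a threshold made without a distinct second approver, and counts them per administrator account. The log format, field names and threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample audit log (not real data); column names are assumptions.
SAMPLE_LOG = """ts,account,field,old,new,requested_by,approved_by
2018-08-11T01:02:00Z,ACCT-001,daily_withdrawal_limit,500,50000,admin_a,
2018-08-11T01:03:00Z,ACCT-002,balance,120.50,90000,admin_a,admin_a
2018-08-11T09:15:00Z,ACCT-003,daily_withdrawal_limit,500,800,admin_b,
2018-08-11T09:20:00Z,ACCT-004,daily_withdrawal_limit,500,5000,admin_b,admin_c
2018-08-11T09:25:00Z,ACCT-005,mailing_address,0,0,admin_b,
"""

# Account attributes the alert singles out: withdrawal limits,
# daily transaction counts and balances (field names are hypothetical).
WATCHED = {"daily_withdrawal_limit", "daily_txn_limit", "balance"}
THRESHOLD = 1000.0  # assumed policy: larger increases need a second person


def find_violations(log_text, threshold=THRESHOLD):
    """Return (row, reason) for watched increases above the threshold
    that were not approved by someone other than the requester."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["field"] not in WATCHED:
            continue
        increase = float(row["new"]) - float(row["old"])
        if increase <= threshold:
            continue  # small changes are outside the dual-control rule
        approver = (row["approved_by"] or "").strip()
        if not approver:
            findings.append((row, "no second approver"))
        elif approver == row["requested_by"]:
            findings.append((row, "self-approved"))
    return findings


def violations_by_admin(findings):
    """Count violations per requesting administrator account."""
    return Counter(row["requested_by"] for row, _ in findings)


if __name__ == "__main__":
    hits = find_violations(SAMPLE_LOG)
    for row, reason in hits:
        print(row["ts"], row["account"], row["field"],
              row["old"], "->", row["new"], row["requested_by"], reason)
    print(dict(violations_by_admin(hits)))
```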

Source: ATM Marketplace
