The Growing Scourge of ATM Cash-Outs

Foregenix is leading the way as one of the eminent global experts delivering specialised Digital Forensics and Incident Response services to financial institutions, especially in ATM cash-out scenarios.

What makes these attacks so unusual is that the attackers are organised and sophisticated criminals.They have profound knowledge of the inner workings of issuing banks, they’re patient in their lateral movement across the estate, once they gain access to an environment, and meticulous in their final global coordination of the physical cash-out at ATMs; utilising a handful of “stolen” payment cards, across multiple continents and even time-zones. On top of all this, the attack and final cash-out is performed with relatively little risk to themselves!

It should be noted that this is not the type of ATM cash-out known as “jackpotting”, where the individual ATM itself is often physically, sometimes logically compromised and manipulated. The jackpotting attack is performed on a fairly localised scale and typically not high-tech, unless an entire ATM estate is compromised through software, from the inside, which we’ve seen happen but not frequently.

Foregenix has worked as a Payment Card Industry (PCI) Forensic Investigator (PFI) for the past ten years.  Our team consists of the pioneers of the global PFI industry, dating back to the start of the PCI; we're also one of the largest, with global coverage for PFI work. We have been extremely busy over the past few years and during the period from July 2018 to early portion of 2019, we’ve identified a significant increase, in the region of one ATM cash-out attack per week, occurring somewhere across the globe.

Holiday periods like Memorial Day in the USA, Christmas, New Year and Easter are particularly busy as the attackers are aware that most payment businesses are running skeleton staff and therefore more vulnerable. 

Foregenix have investigated hundreds of cases over the years where the primary aim of the attacker is to breach an entity, typically a merchant or payment service provider and compromise often hundreds of thousands, even millions of payment cards. These must then be monetized by selling on the black market and (dark) web or converted into services and sold onto secondary markets. For example, airline tickets purchased with stolen cards and then subsequently sold on online forums.

We also see evidence of collusive merchants, who take a cut of the fraud or even opening up of “bust out” merchant accounts at acquiring banks, whose sole purpose is to process as many stolen cards as possible and then run with the money before they are shut down. Compromise and theft of payment card data is not immediately monetizable but is often a chained process to generate cash. It’s not impossible, but criminals like it easy and certainly don’t favour the hard route, which is why we’re seeing an increase in ATM cash-out type attacks. Hence, the evolution of attackers over the past three years in focusing on entities where the end result is cold, hard cash-in-hand, without the rigmarole of dealing with significant volumes of payment card data, be it mag-stripe or primary account number with expiry and CV2. We see evidence that the banks are being carefully and thoughtfully targeted, patiently exploited and then hit hard and fast in extracting as much cash as possible. An added bonus is that there is very little risk of the attackers being caught - although we do hope this will change in the future.

The attackers risk is low because the initial exploited vulnerability is often performed through a network of already compromised hosts, leap-frogging from one to another, thus making it very difficult to trace. Additionally, the cash-out itself is often performed by relatively oblivious money mules or stooges. They have little idea of the crime they’re involved in and simply extract the cash, retain a small percentage for their efforts and pass the balance to the real criminals -- at least that’s how it appears to play out.

The situation was so bad that the Department of Homeland Security (DHS), the Department of the Treasury (Treasury) and the Federal Bureau of Investigation (FBI) issued an alert through US-CERT around the HIDDEN COBRA - FASTcash campaign, with links to activity by the North Korean government. Yes, we’re now talking aspertions to nation state type attacks. We’ve not identified any direct evidence relating to this but that absolutely does not confirm their lack of involvement. We’re certainly seeing massive coordination for the actual ATM withdrawals, on an unprecedented scale, that may allude to a nation state type attack. We find it difficult to coordinate ten-person phone-call meetings across the globe, these guys are synchronising thousands of individuals across multiple continents and timezones. Certainly an impressive yet nefarious endeavour!

To be specific, we’ve seen coordination across more than twenty (>20) countries, over three (3) continents involving thousands (>1,000) of individuals in a meagre two (2) hours, in performing the cash-out!!! 

That is no mean feat! And in some cases, they have withdrawn north of $20million in risk-free, hard cash!

Foregenix has long proclaimed that organisations should focus on minimising the dwell time of an (successful) attacker. This means ensuring you know about the (potential) breach as early as possible, to mitigate the impact of an attacker on your network. It pains me to confirm that we see average dwell time across our investigations of compromised entities averaging around four (4) months. This is a horrific statistic, knowing an attacker is poking around getting to know your environment, moving laterally and gravitating towards your sensitive data, very likely undetected. 

Additionally, most of the entities we investigate are (disappointingly) informed of the attack by 3rd parties, i.e. typically the card brands. They (the card brands) have sophisticated statistical models and alerting mechanisms that monitor for this type of behaviour indicating a cash-out attempt but the criminals rely on the fact that there will be delays in reaction from the entity being attacked. For example, the card brands will often struggle to contact the entity to confirm blocking the transactions within the two (2) hour window of them extracting as much hard cash as possible, since as mentioned previously, often the attacks are performed on holidays or out of hours. In addition, we often find that these organisation’s Incident Response plans are not geared for detecting incidents and responding sufficiently early. 

More focus needs to be placed on cutting through the noise and (to coin a phrase from our friends at Thinkst, artists of the awesome Canary honeypot) Know. When it Matters!
Assuming you’ve now been alerted, Foregenix adds the reaction portion to the puzzle. We strongly encourage our customers to deploy honeypot-type technology and implement Managed Detection and Response services (shameless plug for our financial-industry focused Serengeti technology) so that you cut through the noise and are able to react and respond to any incident. These technologies avoid the proverbial drinking from a fire-hose and glass eye effect where thousands of unnecessary alerts are hitting security teams everyday. This is unsustainable and we all need to think-clever to detect earlier and react quicker as this problem is only becoming bigger, much bigger, with the amount of connected systems!

At this point it should be noted that the crown jewels for issuing banks falling victim to ATM cash-out attacks are the Card Management System (CMS) and card processing platforms. The attackers are focusing on these platforms, as once they have gained access, typically through compromise of administrator credentials, they manipulate a handful of payment cards or accounts to unlimited balances (subsequently duplicated hundreds of times) on the CMS itself. Alternatively, the attackers insert a “shadow transaction switch” type of malware that authorises certain, known (to the attackers) ATM transactions, without the respective bank card processing switch software having any visibility. In this instance, specific authorisation requests are being intercepted and responded to by the malware and not the official card processing platform, which never “sees” the transaction, as it never arrives at the official switch.

The authorisation flow systems to and from the CMS and the processing switch should be super protected, but in our investigations, they are simply not well protected at all.

Additionally, it should be emphasised that the CMS application and/or card transaction processing switch itself is not vulnerable nor being compromised, it is typically surrounding aspects such as operating system and/or unrestricted network placement that are the common issues and points of intrusion of the card payment systems.

The platforms on which these business critical switch applications run upon are frequently out-of-date and not patched at an operating system level, almost always connected to the wider corporate network and very rarely (if ever) properly audited, even though they are the crown jewels of an issuer’s environment. We’ve even seen cases where previous ”closed” incidents from years back, were actually linked to the current compromise. In this instance the same attackers likely remained in-situ, were not completely remediated out of the environment and had full access to the back-end systems of the bank for more than three years!

Often, the initial ingress point for the attackers are internet facing, unpatched systems, with minimal (non-existent) monitoring that were exploited or the easiest methods are targeted phishing attacks containing remote access trojans. These provide the initial entry for the attackers into the environment and typically sets up their pivot point into the wider environment.  

Some quick wins to focus on protecting your most sensitive assets (and yes, you should be doing this already):

• Patch (and maintain) critical and sensitive systems including applications and operating systems
• Strong network segmentation of CMS and payment switch systems 
• Regularly audit CMS and payment switch systems (users, administrators known typical expected software, whitelists etc.)
• Multi-Factor authentication for logins
• Implement effective logging on critical and sensitive systems, but don’t forget that these logs need frequent and regular review.
• Consult with 3rd party card brands for alerts, advice and enhanced protection services as well as ensuring your corporate contact details are current for any out of hours alerts.

And highly-recommended, investigate and deploy technology such as:

• Honeypots
• Managed Detection and Response
• Ensure your anti-malware tools’ signatures are current with the latest bank-focused Indicator of Compromises (IoCs)

Focusing your attention around the items listed above will ensure you’re significantly more prepared, and will stand you in great stead in protecting your most sensitive assets now, and in the future.

Want to understand more around these risks and issues? Please reach out to any of the Foregenix team. 

If you:

• Are recommended to perform a scan against bank-targeting malware by the card brands
• Wish to perform periodic Threatsweep, in which we deploy our bank-focused tool Serengeti and perform a        Threat hunt to determine 
• Experiencing an incident or even want to perform a sanity check Threatsweep, please reach us on IR@foregenix.com