Criminals have managed to pull off a $40 million bank heist using both cyber intrusion techniques and physical access. The cybercriminal gang primarily targeted banks in Eastern Europe, withdrawing large sums of money from ATMs located in countries other than the ones where the banks operate. To steal millions without causing alarm, the criminals combined a number of elaborate techniques, including hacking into the banks' networks, manipulating overdraft limits, and disabling fraud alerts, among others.
A well-organized international crime syndicate pulls off one of the most sophisticated ATM heists
The latest cyber-bank job is being considered one of the most sophisticated bank robberies reported to date. The scheme, first seen in March this year, was detailed by security researchers at Trustwave SpiderLabs, who revealed that the criminals hired "mules" to physically visit the targeted banks, open new accounts and obtain debit cards. These cards were then sent to several criminals outside of the banks' originating countries.
At the same time, hackers breached the bank networks to access "internal systems and manipulated the debit cards' features to enable a high overdraft level and removed anti-fraud controls that had been placed for the specific accounts." On the specific nights when they planned to withdraw money, the hackers would raise the overdraft limit on these debit cards.
The next stage was to withdraw the money. The debit cards were used to get cash from multiple ATMs in several different countries at the same time. "The physical counterparts stationed at various locations in Europe and the Russian Federation then cashed out substantial amounts of money for each of these cards from ATM terminals," the report says. "Cash withdrawals across the region began within minutes of the first OD property change made to the debit cards on the card management application." Different people stationed in multiple locations would withdraw amounts between $25K and $35K from ATMs.
In the final stage of this well-planned and well-executed bank heist, to make sure their intrusion would not be detected by any bank employees, the hackers installed malware that destroyed the Master Boot Record (MBR) of infected PCs, leaving no trace of their activities and hampering any subsequent investigation.
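Because the final stage wipes the compromised workstations, the most reliable evidence of this scheme is not on the endpoints but in the bank's transaction-side telemetry: the card management application's audit trail (overdraft limit changes, anti-fraud flags removed) and the ATM switch's withdrawal feed. The report's own observation that cash-outs "began within minutes of the first OD property change" is the correlation a fraud team can alert on. The Python below is an added example, not code from the article or from Trustwave; the two feeds, their CSV layout, the card identifiers and the thresholds are all constructed assumptions for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample events (not taken from the Trustwave report). Two
# hypothetical feeds are merged into one CSV: the card management system's
# audit trail (source=CMS) and the ATM switch's withdrawal feed (source=ATM).
# Card identifiers are fake placeholders. CARD-A shows the heist pattern;
# CARD-B and CARD-C are benign activity that should not alert.
SAMPLE_LOG = """\
ts,source,event,card,country,amount,old_limit,new_limit
2017-03-14T01:00:10,CMS,fraud_control_removed,CARD-A,,,,
2017-03-14T01:01:30,CMS,od_limit_change,CARD-A,,,0,35000
2017-03-14T01:04:02,ATM,withdrawal,CARD-A,RU,5000,,
2017-03-14T01:05:45,ATM,withdrawal,CARD-A,UA,5000,,
2017-03-14T01:07:10,ATM,withdrawal,CARD-A,PL,4800,,
2017-03-14T01:12:00,ATM,withdrawal,CARD-A,RU,5000,,
2017-03-14T09:30:00,CMS,od_limit_change,CARD-B,,,500,700
2017-03-14T12:15:00,ATM,withdrawal,CARD-B,PL,200,,
2017-03-15T10:00:00,ATM,withdrawal,CARD-C,PL,100,,
2017-03-15T10:20:00,ATM,withdrawal,CARD-C,PL,150,,
"""


def parse_events(text):
    """Parse the merged CSV feed into dicts, typed and sorted by timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["amount"] = float(r["amount"] or 0)
        r["old_limit"] = float(r["old_limit"] or 0)
        r["new_limit"] = float(r["new_limit"] or 0)
        rows.append(r)
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect_cashout(events, window=timedelta(minutes=30), min_countries=2,
                   limit_ratio=10.0, min_total=10000.0):
    """Correlate card-control changes with follow-on ATM activity.

    A trigger is either an anti-fraud control being removed or an overdraft
    limit jumping by at least `limit_ratio` (a zero old limit counts as 1 so
    that 0 -> 35000 still triggers). A trigger becomes an alert when, within
    `window`, the same card is cashed out in at least `min_countries`
    different countries for at least `min_total` in total. One alert is
    produced per (card, trigger event) so the analyst sees which change
    preceded the cash-out.
    """
    by_card = {}
    for e in events:
        by_card.setdefault(e["card"], []).append(e)

    alerts = []
    for card, evs in by_card.items():
        for i, e in enumerate(evs):
            trigger = None
            if e["event"] == "fraud_control_removed":
                trigger = "anti-fraud control removed"
            elif (e["event"] == "od_limit_change"
                  and e["new_limit"] >= limit_ratio * max(e["old_limit"], 1.0)):
                trigger = f"overdraft limit {e['old_limit']:.0f} -> {e['new_limit']:.0f}"
            if trigger is None:
                continue

            # Only withdrawals after the trigger and inside the time window.
            cashouts = [w for w in evs[i + 1:]
                        if w["event"] == "withdrawal" and w["ts"] - e["ts"] <= window]
            countries = sorted({w["country"] for w in cashouts})
            total = sum(w["amount"] for w in cashouts)
            if len(countries) >= min_countries and total >= min_total:
                alerts.append({
                    "card": card,
                    "trigger": trigger,
                    "trigger_ts": e["ts"],
                    "countries": countries,
                    "total": total,
                    "first_withdrawal_delay": cashouts[0]["ts"] - e["ts"],
                })
    return alerts


if __name__ == "__main__":
    for a in detect_cashout(parse_events(SAMPLE_LOG)):
        print(f"{a['card']}: {a['trigger']} at {a['trigger_ts']}; "
              f"{a['total']:.0f} withdrawn in {a['countries']} "
              f"starting {a['first_withdrawal_delay']} later")
```

The thresholds are deliberately conservative placeholders; in a real deployment the overdraft-jump ratio, the window and the minimum total would be tuned against the bank's own baseline, and the card management audit trail would need to be shipped off the workstation in near real time, since the MBR wipe described above means the local copy cannot be relied on after the fact.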
Trustwave reports seeing criminals take between $3 million and $10 million from each of five different banks during the same attack period. The ATM attacks appear to be accelerating, and some of them may have gone unnoticed. "Other banks may have come to other vendors or may not have noticed the theft yet," Brian Hussey, vice president of cyber threat detection and response at Trustwave SpiderLabs, said.
The firm added that while the confirmed losses currently stand at $40 million, once undiscovered or uninvestigated attacks are taken into account the losses could run to hundreds of millions of dollars. Researchers warned that while the attacks are focused on Eastern Europe right now, other regions won't be safe, as "Eastern Europe is often the canary in the mineshaft, used as a testing ground for techniques used elsewhere."