New attack on ATMs

Krebs on Security is reporting a new method of extracting money from bank accounts.  So far, this has been reported as being accomplished in eastern Europe and Russia, but there is certainly no reason why this cannot be accomplished in the U.S.

The group starts by sending spear phishing emails to bank employees that look like they come from bank regulators.  The emails carry infected Microsoft Office documents that exploit recently patched Office flaws (on the assumption that it takes the banks a while to apply a patch after it is released).  Once inside, the attackers' activity looks like an insider's, so they can reach additional resources such as the ATM subnet and push malicious software to specific ATMs.

In addition, the gangs “buy” already infected desktops inside the banks and add their malware to them.  This is the classic “buy vs. build” argument.  It’s apparently easier than asking people to install your malware.

In one case, on ATMs that held multiple bill denominations, the hackers told the ATMs that cash trays had been swapped, so when the ATM thought it was dispensing 10 Ruble notes it was actually dispensing 5,000 Ruble notes.  When the ATM believed you were getting ten 10-Ruble notes (100 Rubles), you actually got ten 5,000-Ruble notes, or 50,000 Rubles.  Combine this with a stolen ATM card and good luck getting your money back.  Not only does the bank lose the 50,000 Rubles, it also has to reimburse the actual card owner for the 100 Rubles deducted from his or her account.
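Because the scheme depends on the ATM's idea of a cassette's denomination drifting away from what was physically loaded, one control a bank can run is a reconciliation of the configuration each ATM reports against the replenishment manifest the cash-handling crew records, then pricing every journaled withdrawal at both values. The script below is an added example for illustration, not code from the Krebs report or from this post; the record layouts, field names and sample figures are constructed assumptions.

```python
# Added example (not from the Krebs report or this post): reconcile the denomination
# each ATM cassette is configured with against the denomination the replenishment
# manifest says was loaded, and compute, for every journaled dispense from a drifted
# cassette, how much cash really left the machine versus what was debited.
# All names, field layouts and numbers below are constructed sample data.

from dataclasses import dataclass


@dataclass
class Cassette:
    slot: str
    configured_denom: int   # what the ATM's configuration says this cassette holds
    loaded_denom: int       # what the replenishment manifest says was actually loaded


@dataclass
class Dispense:
    atm_id: str
    slot: str
    note_count: int         # notes the ATM journaled as dispensed from that slot


def find_denomination_mismatches(cassettes):
    """Cassettes whose configured denomination differs from the loaded one."""
    return [c for c in cassettes if c.configured_denom != c.loaded_denom]


def journaled_vs_actual(dispense, cassettes):
    """(value the ATM debited, value that physically left the machine)."""
    by_slot = {c.slot: c for c in cassettes}
    c = by_slot[dispense.slot]
    return (dispense.note_count * c.configured_denom,
            dispense.note_count * c.loaded_denom)


def reconcile(atm_id, cassettes, dispenses):
    """Summarise one ATM: drifted slots, flagged dispenses and total over-dispense."""
    mismatched = {c.slot for c in find_denomination_mismatches(cassettes)}
    flagged = []
    over_dispensed = 0
    for d in dispenses:
        if d.atm_id != atm_id or d.slot not in mismatched:
            continue
        journaled, actual = journaled_vs_actual(d, cassettes)
        flagged.append((d.slot, journaled, actual))
        over_dispensed += actual - journaled
    return {
        "atm_id": atm_id,
        "mismatched_slots": sorted(mismatched),
        "flagged": flagged,
        "over_dispensed": over_dispensed,
    }


# Constructed sample input: slot A is configured as 10s but was loaded with 5,000s.
SAMPLE_CASSETTES = [
    Cassette("A", configured_denom=10, loaded_denom=5000),
    Cassette("B", configured_denom=100, loaded_denom=100),
    Cassette("C", configured_denom=1000, loaded_denom=1000),
]
SAMPLE_DISPENSES = [
    Dispense("ATM-001", "A", 10),   # debited as 100 Rubles, 50,000 Rubles left the machine
    Dispense("ATM-001", "B", 3),    # healthy cassette, not flagged
    Dispense("ATM-002", "A", 1),    # different ATM, ignored for ATM-001
]

if __name__ == "__main__":
    report = reconcile("ATM-001", SAMPLE_CASSETTES, SAMPLE_DISPENSES)
    print(report)
```

Run against real data, the manifest side must come from a record the ATM itself cannot rewrite (the crew's loading log or the cash-in-transit receipt); comparing the ATM's configuration only with itself would never surface the swap.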

This seems a lot easier than snarfing up all those credit cards, trying to figure out who has money on their card or in their account, and worrying about the card being shut off, but these gangs are entrepreneurial and do both: they steal credit cards and they hack the banks.

Apparently, this gang has stolen millions from the Russian and eastern European banks.

So far, this has not affected U.S. banks, but hopefully the banks are on the alert.

The good news is that there are a number of things that you can do (as the bank) to protect yourself given that you understand this M.O.  The question is whether the banks will take the lead and be proactive or wait until they have lost millions.