Hackers have stolen millions of dollars from banks in former Soviet states by breaking into the banks' IT networks, raising the overdraft limits on fraudulently opened accounts and then cashing out at ATMs. Trustwave, which uncovered the scheme, says it has confirmed around $40 million in fraudulent withdrawals but expects the true total to be far higher (the firm's own estimate, quoted below, is $100 million).
“Our Trustwave SpiderLabs team has uncovered a new attack campaign targeting several banks and resulting in estimated losses of $100 million. This incredibly well-orchestrated operation demonstrates the patience and sophistication of organized cybercrime groups. They coordinated efforts between physical teams, who opened bank accounts to be used in the heists, and online criminals, who hijacked and manipulated bank and processor networks. Although these attacks originated in Russia and Eastern Europe, our experts believe the worst of this ‘hybrid-style’ campaign is yet to come,” Trustwave says.
The gang sent mules carrying fake identities into bank branches to open accounts and request debit cards. The hackers then manipulated the overdraft limits associated with those cards, removing any restrictions in the bank's core card processing system. Finally, the cards were sent to a second set of mules abroad, who withdrew large amounts of cash from ATMs even though the accounts were virtually empty.
To reach the systems that hold those limits, the crooks used an old-fashioned phishing campaign to plant remote-access malware on bank staffers' computers. From those footholds they moved into the bank and processor networks and raised the overdraft limits on the mule accounts.
Trustwave says that because the withdrawals were made with legitimately issued debit cards rather than stolen ones, and because the attackers had removed the anti-fraud controls on the accounts, the cash-outs did not trigger any alarms in the banks' systems.
The overdraft limit changes and the ATM withdrawals were carried out almost simultaneously, the kind of coordination Trustwave says is a “strong indicator of organised crime activities”.
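The pattern just described (a limit raised on an almost-empty account, followed within minutes by ATM cash-outs abroad that exceed the balance, repeated across several accounts in one burst) is something a bank can hunt for by correlating two feeds it already has: core-system audit records of overdraft-limit changes and the card processor's ATM authorisations. The following is an added example written for this page, not code from Trustwave or from the report; the event records, account numbers, operator names and timestamps are constructed, and the one-hour correlation window and 30-minute clustering gap are assumptions a practitioner would tune to their own data.

```python
"""Correlate overdraft-limit changes with ATM cash-outs (added example)."""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical; not from the Trustwave report).
# Core-system audit trail: (timestamp, account, old_limit, new_limit, operator)
LIMIT_CHANGES = [
    ("2017-11-01T02:10:00", "ACC-1001", 0, 0, "batch"),          # no change: noise
    ("2017-11-01T02:14:00", "ACC-2002", 0, 20000, "op_ivanova"),
    ("2017-11-01T02:15:30", "ACC-2003", 0, 20000, "op_ivanova"),
    ("2017-11-01T02:16:10", "ACC-2004", 0, 20000, "op_ivanova"),
    ("2017-10-20T10:00:00", "ACC-3005", 500, 1500, "op_petrov"), # ordinary, days earlier
]
# Card-processor feed: (timestamp, account, balance_before, amount, country)
ATM_WITHDRAWALS = [
    ("2017-11-01T02:20:00", "ACC-2002", 12.00, 5000, "DE"),
    ("2017-11-01T02:21:00", "ACC-2002", -4988.00, 5000, "DE"),
    ("2017-11-01T02:22:00", "ACC-2003", 0.00, 5000, "NL"),
    ("2017-11-01T02:23:00", "ACC-2004", 3.50, 5000, "NL"),
    ("2017-10-20T14:00:00", "ACC-3005", 900.00, 200, "RU"),      # covered by balance
    ("2017-11-01T09:00:00", "ACC-4006", 800.00, 100, "RU"),      # no limit change at all
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def flag_cashouts(limit_changes, withdrawals, window=timedelta(hours=1)):
    """Return {account: info} for accounts whose overdraft limit was raised and
    which then, within `window`, had ATM withdrawals exceeding the balance they
    held when the cash-out started (i.e. the money came from the new limit)."""
    raises = {}
    for t, acct, old, new, operator in limit_changes:
        if new > old:  # only increases matter; unchanged or lowered limits are skipped
            raises[acct] = {"raised_at": ts(t), "old": old, "new": new, "operator": operator}

    flagged = {}
    for t, acct, balance, amount, country in sorted(withdrawals, key=lambda w: ts(w[0])):
        r = raises.get(acct)
        if r is None:
            continue
        when = ts(t)
        if not (r["raised_at"] <= when <= r["raised_at"] + window):
            continue
        info = flagged.setdefault(
            acct, {**r, "withdrawn": 0.0, "balance": balance, "countries": set()})
        info["withdrawn"] += amount
        info["countries"].add(country)

    # Keep only accounts whose cash-out ran past the balance they actually had.
    return {a: i for a, i in flagged.items() if i["withdrawn"] > max(i["balance"], 0)}


def coordinated_clusters(flagged, gap=timedelta(minutes=30), min_accounts=2):
    """Group flagged accounts whose limit raises fall within `gap` of each other.
    Several accounts raised and drained in one burst is the coordination
    indicator the article describes; a lone account is more likely an error."""
    items = sorted(flagged.items(), key=lambda kv: kv[1]["raised_at"])
    clusters, current = [], []
    for acct, info in items:
        if current and info["raised_at"] - current[-1][1]["raised_at"] > gap:
            clusters.append(current)
            current = []
        current.append((acct, info))
    if current:
        clusters.append(current)

    out = []
    for c in clusters:
        if len(c) < min_accounts:
            continue
        out.append({
            "accounts": [a for a, _ in c],
            "operators": sorted({i["operator"] for _, i in c}),
            "start": c[0][1]["raised_at"],
            "total_withdrawn": sum(i["withdrawn"] for _, i in c),
            "countries": sorted(set().union(*(i["countries"] for _, i in c))),
        })
    return out


if __name__ == "__main__":
    flagged = flag_cashouts(LIMIT_CHANGES, ATM_WITHDRAWALS)
    for acct, info in sorted(flagged.items()):
        print(f"{acct}: limit {info['old']}->{info['new']} by {info['operator']} at "
              f"{info['raised_at']:%H:%M}, {info['withdrawn']:.0f} withdrawn in "
              f"{','.join(sorted(info['countries']))} on balance {info['balance']:.2f}")
    for c in coordinated_clusters(flagged):
        print("Coordinated burst:", c)
```

Running it flags the three mule accounts and groups them into a single burst attributed to one operator account, while the ordinary customer (ACC-3005, whose withdrawal was hours later and covered by their balance) and the account with no limit change are left alone. In practice the operator field is the pivot point for the hunt: a staff login raising limits at two in the morning on accounts opened days earlier is exactly the kind of compromised credential the phishing stage of this campaign produces.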
Says the firm: “Organisations need to expand their defensive security strategy to assume that they have ‘already been compromised’ and actively search for threats to detect and minimise damage.
“This is known as Threat Hunting and helps businesses detect existing adversaries moving laterally within their infrastructures and mitigate these threats before they have a chance to realize their full potential.”
Download the full report here: Post-Soviet Bank Heists – A Hybrid Cybercrime Study