The Spotted ATM Skimming

This article is part of the “The Curious Case of Banking Frauds” series, a set of case studies published by the NetSentries Cyber Threat Management Team on various banking frauds. The aim is to create awareness of the importance of interweaving security with the banking infrastructure, making it part of the business strategy, and improving the overall security posture of the financial institution and its associated service components.

1. United Arab Emirates ATM Fraud

Breach reported: 2008

Target Location: UAE

Initial Threat Vector: Human Factor

In September 2008, cybercriminals targeted several banks in the UAE and compromised an ATM over a period of seven days. The banks notified their customers to change their PINs and other credentials. The attackers stole card credentials by installing a card reader inside the ATM, and they also installed a video camera to record users’ PINs.

The Central Bank instructed the banks to block the ATM cards of affected users and replace them with new cards or PINs. The attackers’ strategy was to replace the normal card reader of an ATM with a fake one, fitted either inside or outside the machine. The fake card reader collected the card credentials from the card’s magnetic stripe. They also engaged a shoulder surfer to pilfer the PINs.

Skimming fraud is very common worldwide. Banks usually take preventive measures such as regular machine monitoring and installing plastic guards to prevent the fitting of cameras, card readers, and similar devices. One bank in the Middle East stated that it was installing additional devices on its ATMs to prevent skimming.

Another bank in the UAE claimed that the breach had not affected it, but said it was still investing in anti-tampering devices and 24-hour camera surveillance for its ATMs. The banks stated that they had already notified their customers to stay vigilant and to report suspicious activity to the bank promptly.

There are also criminal groups who pose as strangers hovering in and around ATMs. These people offer help, and customers should be aware of this fraud. Older people in particular ask for help to withdraw cash, and these scammers easily steal their PINs and card details.

The attackers mostly target high-usage ATMs, to harvest more card credentials in a short time, and machines in remote areas, where they can fit the readers easily and unnoticed. The attackers and the purpose of the theft remain unknown.

Failed Security Control: Secure Data Storage

2. Skimmer ATM Malware Attack

Breach reported: 2019

Target Location: Worldwide

Initial Threat Vector: Skimmer Malware

Nowadays, cybercriminals extensively target ATMs to steal large amounts of money. Modern ATMs can be infected with malware to cash out even without stealing the cards of legitimate customers. Cybersecurity researchers have already found several ATM malware families used to loot money and card credentials. In 2009, researchers detected an advanced multifunctional malware named Skimmer, which is used to steal money from ATMs around the globe.

The malware was advanced enough to support more than twenty malicious commands, such as cash withdrawals and the collection of customer credentials like PINs, usernames, and card types. The Skimmer malware is difficult to detect, and it can also collect user credentials when a card is inserted.

The attackers installed Backdoor.Win32.Skimmer to gain access to ATMs running the Windows operating system. This malware infects the ATM’s core component, which communicates with the banking infrastructure and handles cash processing. This lets the attackers turn the entire ATM into a skimmer and withdraw any amount they need or gather user data. A normal ATM user cannot recognize when a machine is compromised, as there are no external signs. The attackers carefully erase their tracks and use the malware continuously and cautiously, sometimes not cashing out the ATM for several months.

The attackers collect the data by inserting particular cards with a magnetic stripe. They run and execute commands through a special menu, and there is another screen, which stays open for 60 seconds, for entering the PIN. The attacker can execute 21 different commands through this menu. They can also store the details on the cards and later make counterfeit copies of them.

Failed Security Control: IDS, Secure Data Storage
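The Skimmer case above describes an ATM that dispenses cash and reads card data without a legitimate customer transaction, and lists IDS among the failed controls. One host-side detection that a bank can run independently of the ATM software is reconciliation: every dispense the ATM journals should correspond to an authorization the bank host approved, and every card read should be followed by some host contact. The following is an added example, not code from the article or from NetSentries; the journal and host log formats, the ATM identifier, and the 120-second matching window are all constructed for illustration.

```python
"""Reconcile ATM dispenser events against bank-host authorizations.

Added example (not part of the original article): flags dispenses with no
matching host authorization and card reads that never reached the host,
which are the two footprints of an ATM cashing out under attacker control.
Log formats below are constructed, not a real vendor's.
"""
from datetime import datetime, timedelta

# Constructed ATM journal: "<timestamp> <atm_id> <event> key=value ...".
# ATM017 and the pan_hash values are placeholders.
ATM_JOURNAL = """\
2019-03-04T10:01:05 ATM017 CARD_READ pan_hash=a1b2 track=2
2019-03-04T10:01:40 ATM017 DISPENSE amount=200 currency=USD
2019-03-04T10:20:12 ATM017 CARD_READ pan_hash=c3d4 track=2
2019-03-04T10:21:30 ATM017 DISPENSE amount=400 currency=USD
2019-03-04T10:21:55 ATM017 DISPENSE amount=400 currency=USD
2019-03-04T10:22:20 ATM017 DISPENSE amount=400 currency=USD
2019-03-04T11:05:00 ATM017 CARD_READ pan_hash=e5f6 track=2
"""

# Constructed host authorization log for the same ATM.
HOST_AUTHS = """\
2019-03-04T10:01:33 ATM017 AUTH_OK amount=200 pan_hash=a1b2
2019-03-04T11:05:20 ATM017 AUTH_DECLINED amount=100 pan_hash=e5f6
"""


def parse_lines(text):
    """Parse 'timestamp atm_id event k=v ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        records.append({"ts": datetime.fromisoformat(ts), "atm": atm,
                        "event": event, **fields})
    return records


def reconcile(journal_text, host_text, window_s=120):
    """Return dispenses lacking a host authorization and card reads the host never saw."""
    journal = parse_lines(journal_text)
    host = parse_lines(host_text)
    window = timedelta(seconds=window_s)

    # Each approved authorization may justify at most one dispense.
    unused_auths = [r for r in host if r["event"] == "AUTH_OK"]
    unauthorized, matched = [], 0
    for rec in journal:
        if rec["event"] != "DISPENSE":
            continue
        amount = int(rec["amount"])
        match = next((a for a in unused_auths
                      if a["atm"] == rec["atm"] and int(a["amount"]) == amount
                      and rec["ts"] - window <= a["ts"] <= rec["ts"]), None)
        if match is None:
            unauthorized.append({"ts": rec["ts"].isoformat(),
                                 "atm": rec["atm"], "amount": amount})
        else:
            unused_auths.remove(match)
            matched += 1

    # A card read that produces no host traffic at all (approved or declined)
    # within the window is consistent with a locally handled "service" card.
    silent_reads = []
    for rec in journal:
        if rec["event"] != "CARD_READ":
            continue
        seen = any(h["atm"] == rec["atm"] and h.get("pan_hash") == rec["pan_hash"]
                   and rec["ts"] <= h["ts"] <= rec["ts"] + window for h in host)
        if not seen:
            silent_reads.append(rec["pan_hash"])

    return {"unauthorized_dispenses": unauthorized,
            "matched_dispenses": matched,
            "card_reads_without_host_contact": silent_reads}


if __name__ == "__main__":
    report = reconcile(ATM_JOURNAL, HOST_AUTHS)
    for d in report["unauthorized_dispenses"]:
        print(f"ALERT {d['atm']} dispensed {d['amount']} at {d['ts']} with no host authorization")
    for h in report["card_reads_without_host_contact"]:
        print(f"ALERT card {h} read but never presented to host")
```

On the constructed sample the three 400-unit dispenses after the c3d4 card read have no authorization behind them, and c3d4 itself never reached the host, which is exactly the pattern the article attributes to Skimmer. The check runs on the host side, so malware that hides itself on the ATM cannot suppress it; the trade-off is that it only fires after the cash is gone, so it should feed an alerting pipeline rather than replace tamper detection on the machine.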

3. Global Investment Banking Advisory Firm Breach

Breach reported: 2018

Target Location: Worldwide

Initial Threat Vector: Phishing Attack

In December 2018, attackers targeted a global independent investment banking advisory firm and accessed numerous sensitive documents from a global investment bank. The attackers’ strategy was to send a phishing email to the inbox of a member of staff. In the end, the attackers stole more than 160,000 data files, including emails, documents, and diary invitations. It is suspected that the stolen data also included details of the company’s sensitive merger deals.

The anonymous attacker appeared to have information on a considerable portion of upcoming M&A deals, but no misuse of the stolen data was reported anywhere. The attacker’s priority was to gain access to the administrator’s address book and send further phishing emails. The motive behind the breach is still unknown. The bank immediately reported the breach to the Financial Conduct Authority.

The bank also informed its prominent Japanese clients who were affected about the details of the stolen documents. The bank had no idea what the attackers’ demands would be, so it kept its confidential processes closely guarded. But if the attackers had access to the inside track, they could easily force the bank to pay a ransom or cause a loss of billions in the next merger deal.

If the attackers had gathered information about the upcoming merger deal, both parties would have been forced to abandon the transaction. The advisory firm worked vigorously to mitigate the incident, as it affected these large businesses.

Failed Security Control: Secure Data Storage, Employee Education and Best Practices
