‘Unlimited’ ATM Cashout Attack on ATMs

PUBLISHED:
17 August 2018

‘Unlimited’ ATM Cashout Attack on ATMs

Cyber-criminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM cash-out,” in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours. One of the oldest co-operative banks of Pune, India, Cosmos co-operative bank has become the latest victim of cyber attack. The ATM switch system of the bank was hacked and INR 94.42 crore was siphoned off between August 11 and August 13.

According to the FBI, cyber-criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’. Unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large-scale theft of funds from ATMs.

TechCERT Recommends to:

  • Implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business critical roles.
  • Implement separation of duties or dual authentication procedures for an account balance or withdrawal increases above a specified threshold.
  • Implement application whitelisting to block the execution of malware.
  • Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.
  • Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as Powershell, cobalt strike and TeamViewer.
  • Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.
  • Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution.
16 April 2024 [NO.TCSA : 20240416-1-1-P]

Critical Command Injection Vulnerability Found in Palo Alto Networks GlobalProtect

READ MORE READ MORE
9 February 2024 [NO.TCSA : 20240209-1-1-P]

Critical Remote Code Execution Vulnerability Found in FortiOS SSL VPN

READ MORE READ MORE
13 July 2023 [NO.TCSA : 20230713-1-1-P]

Fortinet Patches Critical Remote Code Execution Vulnerability in FortiOS/FortiProxy

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN