August 15, 2018 By Charles Henderson 2 min read

A new ATM fraud scheme has surfaced, and it’s more sophisticated than any other ATM attack we’ve seen.

First reported by Krebs on Security, the fraud scheme, known as an “ATM cash-out,” goes well beyond the typical threat of attackers planting physical skimmers on ATM machines. The criminals have upped their game, compromising ATMs and their surrounding infrastructure virtually — and they are reaping an exponential increase in revenue.

Why This Is Not Your Typical ATM Attack

Until now, criminals have mainly compromised ATMs using physical methods. They might plant skimmers on the front of machines to capture payment card data as customers insert their cards, for example, or install a piece of hardware that manipulates the ATM to spit out money (aka jackpotting). This newly discovered attack is mainly virtual. It is also twofold: Criminals compromise both the front and back ends of the ATM infrastructure.

On the front end, criminals are compromising financial organizations’ people, processes and technologies to collect customer payment card data in bulk and create fraudulent cards. They use various methods, such as socially engineering an employee who manages the ATM network or exploiting an infrastructure vulnerability to plant malware. However they get in, they are using high-efficiency card collection techniques and gathering thousands of customers’ payment card information in one swoop.

On the back end, they’re manipulating components of the ATM network to change the maximum amount of money a customer can withdraw. With an endless amount of cash at their disposal, they could potentially drain a customer’s entire bank account.

The pairing of these attacks — coupled with the fact that they are virtual and much more efficient than previous ones — makes this scheme more dangerous than the typical ATM compromise.

How Can Organizations Protect Themselves Against ATM Fraud?

To protect themselves from this attack, organizations should monitor customer withdrawal limits. It’s not unusual for customers to change their withdrawal limits. However, if the number of customers changing their limits skyrockets from a few a day to 500 a day, that should raise a red flag.
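The check described above can be run as a daily job over limit-change events. The following is an added example, not code from the article or from IBM: the event format, the sample data and the `window`, `factor` and `floor` thresholds are all assumptions to be tuned to your own baseline.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def sample_events():
    """Constructed data: one (day, account_id) tuple per limit-change event."""
    events = []
    quiet = [3, 2, 4, 5, 3, 2, 4, 3, 5]           # Aug 1-9: a few customers a day
    for offset, n in enumerate(quiet):
        day = date(2018, 8, 1) + timedelta(days=offset)
        events += [(day, f"acct-{offset}-{k}") for k in range(n)]
        events.append((day, f"acct-{offset}-0"))  # same customer changing twice
    events += [(date(2018, 8, 10), f"acct-x-{k}") for k in range(500)]
    return events

def daily_distinct_changers(events):
    """Count distinct accounts per day, so one customer's retries count once."""
    per_day = defaultdict(set)
    for day, account in events:
        per_day[day].add(account)
    first, last = min(per_day), max(per_day)
    days = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    # Days with no events stay in the series as 0 so the baseline is not inflated.
    return {d: len(per_day.get(d, ())) for d in days}

def flag_spikes(counts, window=7, factor=10, floor=50):
    """Flag days exceeding both `floor` and `factor` x the trailing median.

    The median keeps a single earlier spike from raising the baseline.
    All three parameters are assumed values, not figures from the article.
    """
    days = sorted(counts)
    alerts = []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[max(0, i - window):i]]
        if len(history) < 3:          # not enough history to form a baseline
            continue
        baseline = median(history)
        if counts[day] > max(floor, factor * max(baseline, 1)):
            alerts.append((day, counts[day], baseline))
    return alerts

if __name__ == "__main__":
    for day, count, baseline in flag_spikes(daily_distinct_changers(sample_events())):
        print(f"{day}: {count} customers changed limits (trailing median {baseline})")
```
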

Companies should also test their infrastructure vigorously and frequently. Security teams can stay one step ahead of fraudsters by conducting penetration tests against employees, searching for holes in organizational practices and implementing technology to uncover security vulnerabilities. By finding and fixing vulnerabilities within their ATMs and surrounding infrastructure quickly, organizations can minimize attackers’ opportunity to exploit them.

From 2017 to 2018, X-Force Red, IBM Security’s team of veteran hackers, saw a 300 percent increase in banks requesting ATM testing. The team is hired by financial organizations globally to hack into their applications, hardware, devices, personnel, ATMs and surrounding infrastructure using the same methods and tools criminals use. Once X-Force Red discovers these weaknesses, the team helps the organization to remediate them before criminals have a chance to compromise its systems.

When it comes specifically to ATM cash-out attacks, X-Force Red can test ATMs and their ecosystem, meaning the people, processes and technologies that connect to those ATMs. The team can also identify vulnerabilities that criminals would exploit in order to steal card data and manipulate the ATM’s network so that larger sums of money can be withdrawn. Finally, and most importantly, X-Force Red can help organizations remediate those vulnerabilities before criminals are able to exploit them.

Learn more about the newly announced X-Force Red ATM Testing Practice

Source: Krebs on Security
