Hackers cause ATMs to disgorge cash – hands free


By Byron Acohido, ThirdCertainty

CANCUN – The sleuthing to track down the Carbanak cyber gang began with a surveillance video of an ATM machine outside a Starbucks café.

In the video, an unidentifiable person in a hooded overcoat waits a few feet from the machine, then moves toward it a moment before it spits out a wad of cash.

The person steps back, appears to text message someone, then moves back to the machine in perfect timing to receive another wad of cash, without ever swiping a payment card or reaching for the touchpad.

The video was shown at the Kaspersky Security Analyst Summit here today. It put Kaspersky Lab analyst Sergey Golovanov and colleagues on the trail of the group behind this operation.

The New York Times on Saturday broke details of the profile Kaspersky analysts were able to subsequently build.

The Carbanak gang is a multi-national cybercrime ring that has robbed as much as $1 billion from some 100 banks worldwide in less than two years. They used phishing attacks to infect computers of certain employees at targeted banks, and used that as a foothold to reconnoiter the internal operations of each victim bank.

It made no difference what software the victim banks used. “Once they got into the network, they learned how to hide their malicious plot behind legitimate actions,” Golovanov said. “It was a very slick and professional cyber robbery.”

Golovanov this morning disclosed some fresh details:

  • The gang captured streaming video from employees doing daily internal banking operations. They then created video tutorials on how to manipulate cash balances and cash transfers.
  • Once cash transfers began, large sums moved into accounts controlled by the gang for several hours without anyone noticing. Typical losses ranged from $2.5 million to $10 million per bank.
  • The $1 billion loss estimate breaks down to $300 million taken from Kaspersky financial sector clients, $300 million worth of losses reported through Interpol and another $300 million through Europol, and an estimated $100 million that has gone unreported to any authorities.

Joining Kaspersky researchers on stage was Peter Zinn, senior tech crimes advisor for the Dutch National Police.

Zinn outlined how Kaspersky analysts approached him with their early findings and how law enforcement, working with private industry, subsequently collaborated with the security company, within the limits of Europe’s strict privacy laws, to disrupt the Carbanak gang’s operations.

There were no victim banks in the Netherlands, but Dutch police warned Dutch banks to be on alert for the Carbanak gang’s signature attacks. Zinn looped in Europol and formal alerts were sent throughout Europe.
