ATM cashout cyber-attacks hitting African banks


Foregenix has warned that a rise in ATM cashout cyber-attacks can cause extensive financial and reputational harm within a matter of hours.

The growth of these attacks has led to unprecedented joint alerts by US-CERT, the US Department of Homeland Security (DHS) and the FBI.

ATM cashouts, referred to as the FASTCash Campaign, are attacks by cyber criminals labelled as Hidden Cobra (with strong links to nation-state attackers from North Korea) on issuing banks or payment card processors. The initial access mechanisms vary, but are often phishing or unpatched Internet-facing systems. The cyber criminals subsequently exploit the poor architecture and lack of security of internal systems, manipulate limits or intercept transactions on the backend, and use stolen or cloned cards at ATMs to fraudulently withdraw large amounts of money.

The cashouts are typically executed using fraudulent copies of legitimate cards by sending stolen card information to associates or ‘mules’ who imprint the data on reusable cards and perform the physical cash withdrawals.

Foregenix has performed Digital Forensic and Incident Response (DFIR) engagements as the leading PCI Forensic Investigator on the majority of known attacks in the region and has built a significant understanding of how they are performed, the motives of the attackers and when they are likely to occur.

Johannesburg-based Andrew Henwood, CEO of Foregenix, comments: “The attacks are not opportunistic but extremely well-planned. The attackers are patient and strike with their mules often during the weekend or national holidays. This ensures their activity is not quickly detected as after-hours staff members are typically working and the maximum value is extracted as quickly as possible, in hard currency, with almost zero risk.”

Cashouts have affected regions across the globe. High-profile ATM cashout attacks include an India-based bank system being accessed through malware, which resulted in over US$13m being stolen, and an attack in Japan which saw another US$13m stolen through ATMs in three hours as 14 000 fraudulent withdrawals were made.

Henwood says it is highly likely there will be many more ATM cashout attacks this year and banks need to take action now: “Banks can substantially reduce their risk through taking proactive measures such as performing security reviews of payment switches and servers in the cardholder environment, improved monitoring of critical payment infrastructure plus network traffic and close monitoring of typical ATM transaction withdrawals.”

“Unless financial businesses understand and act, the problem will get worse. Cyber criminals look for the easiest and most profitable opportunities for their activities and ATM cashout attacks are pretty much the most lucrative attack there is!”