Criminals stole millions from E. Europe banks with ATM “overdraft” hack

Image caption: Using a network of ATMs and a hack of card management apps, cybercriminals made off with millions from E. European banks. (credit: Sean Gallagher)
Banks in several former Soviet states were hit with a wave of debit card fraud earlier this year that netted millions of dollars worth of cash. These bank heists relied on a combination of fraudulent bank accounts and hacking to turn nearly empty bank accounts into cash-generating machines. In a report being released by Trustwave’s SpiderLabs today, SpiderLabs researchers detailed the crime spree: hackers gained access to bank systems, manipulated the overdraft protection on accounts set up by proxies, and then used automated teller machines in other countries to withdraw thousands of dollars from empty or nearly empty accounts.
While SpiderLabs’ investigation accounted for about $40 million in fraudulent withdrawals, the report’s authors noted, “when taking into account the undiscovered or uninvestigated attacks along with investigations undertaken by internal groups or third parties, we estimate losses to be in the hundreds of millions in USD.” This criminal enterprise was a hybrid of traditional credit fraud and hacking. It relied on an army of individuals with fake identity documents who were paid to set up accounts at the targeted institutions with the lowest possible deposit. Those individuals then requested debit cards for the accounts, which were forwarded to co-conspirators in other countries throughout Europe and in Russia.
Meanwhile, a phishing campaign was used by the attackers to implant remote access malware on bank employees’ computers. The attackers used these backdoors to gain broader access to the banks’ networks, breaking into multiple systems at each bank. The attackers then targeted a third-party payment processing provider, using banks’ virtual private network credentials with the processor to gain access to their network. This allowed attackers to drop multiple malicious software packages onto the processor’s network. “Key amongst them was a legitimate monitoring tool installed on the processor’s Terminal Server,” SpiderLabs investigators reported. “That allowed users to access the card management application via a browser.”
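The pattern the article describes (an account opened with a minimal deposit, an overdraft limit raised through the card management system, then repeated foreign ATM withdrawals far beyond anything the account ever held) is exactly the kind of sequence a bank's fraud monitoring can correlate across its own event feeds. The following is an added illustration, not code from the SpiderLabs report or from any bank: it runs a simple rule over a constructed set of account events (the account ids, timestamps, country codes and amounts are all made up) and flags accounts where a limit increase is followed by foreign withdrawals totalling many times the opening deposit.

```python
"""Toy fraud-detection rule for the overdraft-abuse pattern described above.

Flags an account when all of the following hold:
  1. its overdraft limit was raised at some point,
  2. after that raise, at least `min_foreign` ATM withdrawals occurred
     outside the issuing bank's home country, and
  3. those withdrawals total more than `ratio` times the opening deposit.
All event data below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

HOME_COUNTRY = "AA"  # constructed code for the issuing bank's country

# Constructed sample event feed (account opening, limit changes, ATM cash-outs).
EVENTS = [
    {"account": "ACC-001", "ts": "2017-03-01T09:00", "kind": "open", "amount": 20.0},
    {"account": "ACC-001", "ts": "2017-03-10T02:15", "kind": "limit_change",
     "old_limit": 0.0, "new_limit": 25000.0},
    {"account": "ACC-001", "ts": "2017-03-10T03:05", "kind": "atm_withdrawal",
     "amount": 3000.0, "country": "BB"},
    {"account": "ACC-001", "ts": "2017-03-10T03:09", "kind": "atm_withdrawal",
     "amount": 3000.0, "country": "BB"},
    {"account": "ACC-001", "ts": "2017-03-10T03:40", "kind": "atm_withdrawal",
     "amount": 3000.0, "country": "CC"},
    # Ordinary customer: decent deposit, no limit change, domestic withdrawals.
    {"account": "ACC-002", "ts": "2017-03-02T10:00", "kind": "open", "amount": 1500.0},
    {"account": "ACC-002", "ts": "2017-03-05T12:00", "kind": "atm_withdrawal",
     "amount": 200.0, "country": "AA"},
    # Legitimate limit increase followed by a modest domestic withdrawal.
    {"account": "ACC-003", "ts": "2017-03-03T11:00", "kind": "open", "amount": 500.0},
    {"account": "ACC-003", "ts": "2017-03-08T14:00", "kind": "limit_change",
     "old_limit": 0.0, "new_limit": 2000.0},
    {"account": "ACC-003", "ts": "2017-03-09T09:30", "kind": "atm_withdrawal",
     "amount": 300.0, "country": "AA"},
]


def find_suspicious(events, ratio=10.0, min_foreign=2, home=HOME_COUNTRY):
    """Return {account: details} for accounts matching the overdraft-abuse rule."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        deposit = 0.0
        raised_at = None   # timestamp of the first overdraft-limit increase
        foreign = []       # foreign ATM withdrawal amounts after the raise
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            if ev["kind"] == "open":
                deposit = ev["amount"]
            elif ev["kind"] == "limit_change" and ev["new_limit"] > ev["old_limit"]:
                if raised_at is None:
                    raised_at = ts
            elif (ev["kind"] == "atm_withdrawal" and raised_at is not None
                  and ts > raised_at and ev["country"] != home):
                foreign.append(ev["amount"])

        total = sum(foreign)
        # max(deposit, 1.0) avoids a zero threshold for accounts opened with nothing.
        if len(foreign) >= min_foreign and total > ratio * max(deposit, 1.0):
            flagged[account] = {
                "deposit": deposit,
                "limit_raised_at": raised_at.isoformat(),
                "foreign_withdrawals": len(foreign),
                "foreign_total": total,
            }
    return flagged


if __name__ == "__main__":
    for acct, info in find_suspicious(EVENTS).items():
        print(acct, info)
```

The rule deliberately keys on the overdraft-limit change rather than on withdrawal volume alone: a limit raised through the card management application is the step the attackers could not avoid, so alerting on limit increases on low-deposit accounts, and on any off-hours limit change made from the processor's side, gives a detection point that precedes the cash-out rather than following it.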