Over the last year, criminals in Russia found a way to steal 252 million Rubles ($3.8 million) from five unnamed banks, using a novel technique called a “reverse ATM attack”, according to Russian digital intelligence firm Group-IB.
It exploited esoteric weaknesses in the international transfer system and involved compromised point-of-sale systems in America as well as a global “money mule” network that would handle the stolen funds before passing them on to higher-ups.
Group-IB, which is helping police with the ongoing investigation, said the criminals could have made off with a lot more if they’d been more persistent. Here’s how the Moscow-based firm said it worked: the mules would deposit sums of 5,000, 10,000 and 30,000 Rubles into legitimate accounts, immediately withdrawing what they’d put in. They also took a receipt from the ATM, which contained a payment reference number and the amount withdrawn.
That information was sent to hackers who would use the data and their access to thousands of point of sale terminals, primarily based in the US and the Czech Republic, to create “a reversal operation” on a terminal that tricked the bank into believing the withdrawal of funds had been cancelled. At the point of sale terminal, this looked as though goods were returned or a payment declined, whilst to the banks it appeared the ATM withdrawal had been cancelled.
Funds were returned to the account, though the crooks had already taken the cash. The process was repeated until there was no money remaining in the targeted ATM. Group-IB said it had seen five incidents at five different banks, the criminal activity starting in summer 2014 and finishing in the first quarter of 2015.
The masterminds took advantage of weaknesses in the withdrawal, transfer and verification stages of credit card use in Russia, bypassing checks recommended by VISA and MasterCard. For instance, as the operation targeted a single bank, certain transaction details provided by VISA were not verified by the affected banks as they should have been. And when withdrawals were made in one country and cancelled in another, certain security checks were again missed.
VISA confirmed it helped bring together the affected banks so they could block reversals when funds were withdrawn from an ATM of the bank and reaccredited through a separate terminal. But that fix only addressed the issue of withdrawals from ATMs, not transfers from one card to another. Russian financial cybercrime: how it works.
Criminals managed to adapt their scheme, carrying out a transfer from a card at one bank to a card registered at another, rather than depositing funds. The details from that transaction were used for the reversal, and the latter card would be used to withdraw the funds from the ATM, thereby allowing the criminals to continue their fraud, said Group-IB.
The company said several court cases had been opened against the perpetrators, though it’s unclear who the charges apply to and if they had been issued against the money mules, who flew in from London, Ukraine, Latvia and Lithuania. For now, the fraud can no longer be perpetrated. Thanks to additional fixes, banks can now properly verify which terminal has sent a cancellation request and check if it matches the terminal where the original operation was conducted.
Despite the assistance from VISA and Mastercard, it’s feared banks might fail to implement recommended fixes and criminals could find fresh ways to exploit the international transfer system. “After the first fix the fraudsters modified the scheme a little bit and then did the fraud again. Then it was finally fixed, but nobody is sure that the scheme could not be modified again and be successful,” said Dmitry Volkov, cybercrimes investigation division leader at Group-IB.
“This scheme could affect non-Russian banks, but we know only about Russian victims.” ATM attacks in recent memory have been less sophisticated. Last year, a pair of ninth-graders used a manual for a cash machine that showed them how to get into its ”operator mode” using a guessable password. They didn’t steal any cash, however, but assisted the Bank of Montreal in closing off the vulnerability.
110 Reykjavik, Iceland