Banks targeted in hybrid debit card scam
Researchers at SpiderLabs, the research arm of Trustwave, have released the results of their investigation into a major attack targeting Eastern European banks.
The attack uses mules to open new accounts with minimal deposits and, crucially, to request a debit card. When the new card is delivered it is shipped elsewhere, and the attackers then use stolen credentials for the bank's card processing software to raise the overdraft limit on the account, allowing cash to be drawn from ATMs.
The clever part of all this is that the cards are sent to countries outside the issuing bank's operating region. While some of the targeted banks were in Russia, for example, the cash was drawn by further mules working in Poland, Romania and the Czech Republic. There is also a high level of coordination in the attacks, with cash being withdrawn within minutes of the overdraft limit on an account being raised.
"This whole operation involving around 70 cards lasted for five to six hours," says Thanassis Diogos, managing consultant at Trustwave SpiderLabs. "It seems that there was only one person manipulating the card processing software. As well as raising overdraft limits they also removed anti-fraud controls that would normally flag suspicious transactions."
Credentials for the bank's card processing software were stolen using key-logging software delivered via social engineering attacks. At the end of the attack, malware was used to wipe the hard drive of the compromised system in order to cover the criminals' traces.
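The pattern described above, a limit raise on a young, near-empty account followed minutes later by a foreign ATM withdrawal, with one operator touching many accounts in one session, is something the bank's own transaction and back-office audit logs would show. The following is an added detection example written for this article, not code from Trustwave or from any bank; the event format, field names, thresholds and home country are all assumptions, and the events are constructed sample data rather than records from the actual incident.

```python
"""Detect the raise-limit-then-cash-out-abroad pattern on constructed sample events.

Two independent signals are checked (example code, not a bank's real rule set):
  1. per account: a foreign ATM withdrawal within RAISE_TO_CASHOUT of an overdraft
     raise, with extra weight if the account is new with a minimal opening deposit
     or had its anti-fraud controls disabled beforehand;
  2. per operator: one back-office user raising limits on many accounts within a
     few hours, matching the single-operator, ~70-card session described above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "RU"                       # assumed issuing-bank country
RAISE_TO_CASHOUT = timedelta(minutes=30)  # withdrawal this soon after a raise is suspicious
NEW_ACCOUNT_DAYS = 60                     # assumed "new account" threshold
MIN_DEPOSIT = 50.0                        # assumed "minimal deposit" threshold
BURST_ACCOUNTS = 5                        # one operator touching this many accounts ...
BURST_WINDOW = timedelta(hours=6)         # ... within this window counts as a burst


def ev(kind, acct, t, **fields):
    """Build one audit/transaction event (assumed schema)."""
    return {"type": kind, "acct": acct, "t": datetime.fromisoformat(t), **fields}


def raise_events(events):
    """Overdraft-limit changes that increased the limit, in time order."""
    return sorted((e for e in events if e["type"] == "limit_change" and e["new"] > e["old"]),
                  key=lambda e: e["t"])


def account_alerts(events):
    """Flag foreign ATM withdrawals that follow an overdraft raise within RAISE_TO_CASHOUT."""
    opens = {e["acct"]: e for e in events if e["type"] == "account_open"}
    raises, disabled = defaultdict(list), defaultdict(list)
    for e in raise_events(events):
        raises[e["acct"]].append(e)
    for e in events:
        if e["type"] == "fraud_control" and e["action"] == "disable":
            disabled[e["acct"]].append(e["t"])

    alerts = []
    for w in sorted((e for e in events if e["type"] == "atm_withdrawal"), key=lambda e: e["t"]):
        if w["country"] == HOME_COUNTRY:
            continue
        prior = [r for r in raises[w["acct"]] if r["t"] <= w["t"] <= r["t"] + RAISE_TO_CASHOUT]
        if not prior:
            continue  # foreign withdrawal with no recent raise: ordinary travel
        r = prior[-1]
        mins = int((w["t"] - r["t"]).total_seconds() // 60)
        reasons = [f"limit raised {r['old']}->{r['new']} by {r['operator']} "
                   f"{mins} min before a {w['country']} withdrawal"]
        o = opens.get(w["acct"])
        if o and (w["t"] - o["t"]).days <= NEW_ACCOUNT_DAYS and o["amount"] <= MIN_DEPOSIT:
            reasons.append(f"account {(w['t'] - o['t']).days} days old, opened with {o['amount']}")
        if any(d <= w["t"] for d in disabled[w["acct"]]):
            reasons.append("anti-fraud controls disabled before withdrawal")
        alerts.append({"acct": w["acct"], "t": w["t"], "amount": w["amount"], "reasons": reasons})
    return alerts


def operator_bursts(events):
    """Map operator -> max distinct accounts whose limits they raised within BURST_WINDOW."""
    by_op = defaultdict(list)
    for r in raise_events(events):
        by_op[r["operator"]].append(r)
    bursts = {}
    for op, rs in by_op.items():
        for i, first in enumerate(rs):
            accts = {r["acct"] for r in rs[i:] if r["t"] - first["t"] <= BURST_WINDOW}
            if len(accts) >= BURST_ACCOUNTS:
                bursts[op] = max(len(accts), bursts.get(op, 0))
    return bursts


# Constructed sample events (not data from the incident): five mule accounts opened with
# tiny deposits, limits raised overnight by one operator, cashed out abroad minutes later,
# plus two benign accounts that must not be flagged.
EVENTS = [
    ev("account_open", "A1", "2017-01-10T11:00:00", amount=10.0),
    ev("account_open", "A2", "2017-01-11T09:30:00", amount=15.0),
    ev("account_open", "A3", "2017-01-12T14:00:00", amount=10.0),
    ev("account_open", "A4", "2017-01-13T10:15:00", amount=20.0),
    ev("account_open", "A5", "2017-01-16T16:45:00", amount=10.0),
    ev("fraud_control", "A1", "2017-02-03T02:00:00", operator="ops_user7", action="disable"),
    ev("limit_change", "A1", "2017-02-03T02:03:00", operator="ops_user7", old=0, new=5000),
    ev("atm_withdrawal", "A1", "2017-02-03T02:09:00", country="PL", amount=4800.0),
    ev("limit_change", "A2", "2017-02-03T02:20:00", operator="ops_user7", old=0, new=5000),
    ev("atm_withdrawal", "A2", "2017-02-03T02:27:00", country="RO", amount=4900.0),
    ev("limit_change", "A3", "2017-02-03T02:40:00", operator="ops_user7", old=0, new=5000),
    ev("atm_withdrawal", "A3", "2017-02-03T02:44:00", country="CZ", amount=4700.0),
    ev("limit_change", "A4", "2017-02-03T03:05:00", operator="ops_user7", old=0, new=5000),
    ev("atm_withdrawal", "A4", "2017-02-03T03:12:00", country="PL", amount=4950.0),
    ev("limit_change", "A5", "2017-02-03T03:30:00", operator="ops_user7", old=0, new=5000),
    ev("atm_withdrawal", "A5", "2017-02-03T03:41:00", country="RO", amount=4850.0),
    # old account, limit raised by a branch manager, used at home the next day
    ev("account_open", "B1", "2012-05-20T10:00:00", amount=2000.0),
    ev("limit_change", "B1", "2017-02-02T15:00:00", operator="branch_mgr3", old=1000, new=2000),
    ev("atm_withdrawal", "B1", "2017-02-03T12:00:00", country="RU", amount=300.0),
    # traveller withdrawing abroad with no recent limit change
    ev("account_open", "B2", "2014-09-01T10:00:00", amount=500.0),
    ev("atm_withdrawal", "B2", "2017-02-03T10:00:00", country="CZ", amount=200.0),
]

if __name__ == "__main__":
    for a in account_alerts(EVENTS):
        print(a["acct"], a["t"].isoformat(), a["amount"], "; ".join(a["reasons"]))
    print("operator bursts:", operator_bursts(EVENTS))
```

Run as a script it lists the five mule cash-outs with their reasons and reports the single operator who raised all five limits inside one window, while the branch manager's raise and the traveller's foreign withdrawal produce nothing. The two signals are deliberately separate: the per-account rule fires in near real time and could hold a withdrawal, whereas the per-operator rule is a back-office control on the card processing software itself, which is where the stolen credentials were used.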
"It seems like ATMs were not selected randomly either," adds Diogos. "They were using ATMs without cameras and in quieter streets in order to avoid being recorded. Some banks did manage to get recordings and see the mules collecting the cash. By checking CCTV footage from other stores nearby they were able to see the money handed over to someone else a short distance away. The attack therefore involved several people across different countries."
The scam demonstrates that criminals continue to find new ways of exploiting weaknesses in systems, here by combining insider-style access to the card processing software with a cross-border mule network. You can find out more about the attack on the Trustwave blog.