Growing number of attacks against banks

Date: December 07, 2018

Publication: Article

In recent years, new techniques have emerged for attacks against banks and POS (Point Of Sale) systems. We present them below. The year 2018 is probably a milestone year because of:

  • the growing number of attacks,
  • and also the geographical extension of the targets. Originally, the attacks targeted mainly countries close to Russia, or in Southeast Asia and South America. They now seem to also target the rest of the world, in particular Europe and the United States.

 

Jackpotting

This is a technique for attacking ATMs in order to make them dispense their entire cash reserve. A typical scenario is when an attacker stands in front of the cash dispenser, drills a hole in the front panel, and plugs a malicious USB key into the PC that drives the cash dispenser. He can then use this USB key to take control of the PC and have the cash ejected (e.g. via a Rubber Ducky attack).

This technique has been known since 2010, when it was demonstrated at the Black Hat USA security conference by Barnaby Jack. The actual attacks appeared a few years later. There are now kits available on the underground market, called "black boxes", to carry out this type of attack. According to Europol (see this May 2017 announcement), 15 black box incidents were counted in 2015 in Europe and 58 in 2016, which shows a significant increase in these attacks. The mainstream media (see this French article from LCI TV) indicate that the phenomenon has also been affecting France since 2017. And in January 2018, the US Secret Service issued a public warning about possible attacks in preparation in the United States. There is therefore a clear shift in attacks from their countries of origin (e.g. Romania, Moldova, Russia and Ukraine) to Western Europe and the United States.


Advanced intrusions (APT)

These are "cyber-robberies" against banks: hackers illegally infiltrate the bank's internal IT systems (typically with a spear-phishing attack), silently stay there (to monitor internal activity, collect information and wait for the most appropriate time), and perform the robbery, typically by issuing illegal interbank money transfers (via SWIFT, or via AWC, an equivalent of SWIFT used by the Russian National Bank). This type of attack is essentially the same as the APT attacks seen since 2010 in other industry sectors (industrial espionage). It appeared in the banking world in 2014 with Carbanak and became really significant in 2016 with the attack against the Bangladesh Central Bank. In 2018 we have seen the attack against the PIR bank in Russia (in July 2018, attributed to isolated cyber criminals) and the attack against the Cosmos bank in India (August 2018, now attributed to North Korea). This second attack combined 2 malicious actions:

  • Massive withdrawals (for an amount of $11.5 million) made in 28 countries with 450 counterfeit credit cards. The Indian bank's server responsible for validating these debit transactions had previously been altered by the hackers to systematically authorize these withdrawals.
  • Illegal SWIFT transfers for an amount of 2 million dollars.

Up to now, these attacks seem to affect smaller financial institutions, in which security measures on computer systems are probably less exhaustive than in larger institutions. But the attackers are obviously very experienced, both in the internal operation of banks (knowledge of the bank's procedures) and in computer attack techniques.
To steal the money, attackers now seem to prefer massive withdrawals from ATMs (as in the 2018 attacks) rather than SWIFT transactions (as in the 2016 attacks). This is probably because during the attacks of 2016, most of the illegal SWIFT transactions had been stopped by the banks while processing them, before the hackers were able to obtain the money.


Form-jacking (aka Software Skimmers)

We have already described these attacks in an article about the Magecart attacks. This is an attack against e-commerce websites. If there is a vulnerability on an e-commerce site, a hacker can use it to install a small, invisible piece of JavaScript code that waits for the user to reach the site's payment page and collects all the payment information entered on that page (payment card number, CVV code, etc.). These attacks are generally named server-side "Form-jacking", "Form grabbing", or even "software skimmer". They have existed since at least 2015 (client-side form-jacking has existed since at least 2007), and they increased sharply in 2018, with in particular the attack against the TicketMaster ticketing site (from February to June 2018) and the attack against British Airways (380,000 bank card records stolen in 2 weeks in August 2018).
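As an added example (not code from the Cert-IST article), the following Node.js audit illustrates the defensive side of this section and of the conclusion's point about isolating payment forms: it scans the HTML of a payment page for the conditions a software skimmer relies on, namely scripts loaded from hosts outside an allowlist, external scripts without Subresource Integrity, and inline scripts. The sample HTML, the shop host name and the partner host names are constructed for the example.

```javascript
// Added example: audit the <script> tags of a payment page for skimmer-friendly
// conditions. Host names and the HTML below are constructed, not real sites.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// Read one attribute value out of the raw attribute string of a tag.
function attr(attrs, name) {
  const m = attrs.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
  return m ? m[1] : null;
}

// Returns a list of findings; an empty list means the page passed the audit.
function auditPaymentPage(html, firstPartyHost, allowedHosts) {
  const findings = [];
  for (const [, attrs, body] of html.matchAll(SCRIPT_TAG)) {
    const src = attr(attrs, 'src');
    if (src === null) {
      // Inline script on a payment page: a skimmer injected into the page looks like this.
      findings.push({ kind: 'inline-script', detail: body.trim().slice(0, 40) });
      continue;
    }
    let host = null;
    try { host = new URL(src, `https://${firstPartyHost}`).hostname; } catch (e) { /* malformed src */ }
    if (!host || !allowedHosts.includes(host)) {
      findings.push({ kind: 'unexpected-host', detail: src });
    }
    // Without SRI a modified copy of a third-party file loads without any error.
    if (host !== firstPartyHost && !attr(attrs, 'integrity')) {
      findings.push({ kind: 'missing-sri', detail: src });
    }
  }
  return findings;
}

// Constructed sample page: a first-party script, a partner script with SRI,
// a partner script without SRI, a script from an unknown host, and an inline script.
const SAMPLE_HTML = `
<html><body>
<form id="payment"><input name="card"><input name="cvv"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-partner.net/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example-partner.net/analytics.js"></script>
<script src="https://static.unknown-host.example/x.js"></script>
<script>document.querySelector('#payment').addEventListener('submit', e => { /* ... */ });</script>
</body></html>`;

const FIRST_PARTY = 'shop.example';
const ALLOWED = ['shop.example', 'cdn.example-partner.net'];
console.log(auditPaymentPage(SAMPLE_HTML, FIRST_PARTY, ALLOWED));
```

Run against a deployed page, the same findings list is what a Content-Security-Policy `script-src` allowlist and `integrity` attributes would enforce at the browser.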

 

Conclusion

Banks have always been prime targets for cyber criminals. But in recent years new types of attacks have emerged. The first response that comes to mind to prevent these attacks is to strengthen security:

  • The PCs that control ATMs seem insufficiently protected (against the plugging in of external devices, attacks at OS level, and bypass attacks against the security software running on these PCs).
  • The banks attacked by APT seem to have a limited level of IT security (and monitoring), too low compared to recommended best practices.
  • Websites should more strictly isolate payment forms from the rest of the code (including third-party code hosted on supplier servers) to avoid the installation of skimmers, which an attacker drops unnoticed among the large volume of code.

It can also be noted that the attackers are becoming more and more experienced. Some knowledge of the banks' businesses and of the banks' IT systems is required to carry out the first 2 types of attack. It is likely that the attacker teams consist of at least one developer and one pen-tester. But now, they may also include people who have worked in the banking sector. It is often said that the internal threat is the most dangerous (because of the damage it can cause in the event of an attack), but the increasing knowledge of attackers in the banking business is now changing the situation.