Last month, we posted about a story on Krebs On Security about a single bank being hit by cybercriminals twice in 2016, to the tune of $2.4M. But this wasn't your classic bank robbery, where masked bandits flee from the scene carrying large sacks of cash.
Instead, these modern heists were pulled off with the help of cybercriminals who phished bank employees, installed malware on bank computers to remove fraud protections, then deployed a distributed army of co-conspirators who pulled millions of ill-gotten dollars out of ATMs.
The last sentence of that story about the 2016 hacks stated, "We're just now finding out about these incidents two years later. There's a good chance that this is still going on today, and we just don't know about the latest bank hacks ... yet." Well, it turns out, that type of scam is still around, and thriving.
In an August 12 post, Krebs reported that the FBI warned of an imminent, "highly choreographed, global fraud scheme known as an 'ATM cashout' in which crooks hack a bank or payment card processor." The feds said that these attacks were most likely to target small- to medium-size banks that have less stringent security protocols and controls in place than the larger institutions.
According to the article in Krebs on Security, to protect against these attacks, which remove daily withdrawal limits on accounts — hence, the "unlimited" cashout — the FBI released the following guidance. Most of these tips can be helpful for organizations of any size in any industry:
The FBI is urging banks to review how they’re handling security, such as implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business critical roles. Other tips in the FBI advisory suggested that banks:

- Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.
- Implement application whitelisting to block the execution of malware.
- Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.
- Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as PowerShell, Cobalt Strike and TeamViewer.
- Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.
- Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution.
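Several of the FBI's items are checks that can be expressed as code. The following is an added example, not part of the original post or the FBI advisory, showing how a small detection script might apply three of the monitoring tips (TLS on non-standard ports, outbound traffic to unexpected regions, remote admin tools seen on the wire) to connection records, plus the dual-authorization rule for withdrawal-limit increases above a threshold. The log format, the IP addresses, the expected-port and expected-country allowlists, the `5938` TeamViewer port, the `1000` threshold and all function names are constructed for this example and would need to be adapted to a real sensor and a real institution.

```python
"""Constructed detection checks for the FBI 'unlimited cashout' advisory items.

The log format below is a simplified, tab-separated connection record
(timestamp, source IP, destination IP, destination port, service label
assigned by the sensor, destination country). It is a constructed format
for this example, not any product's real log format.
"""
from collections import namedtuple
from typing import Iterable, List

Conn = namedtuple("Conn", "ts src dst dport service country")

# Ports on which TLS is expected; TLS seen anywhere else is flagged.
# Assumption: this allowlist fits the sample network and must be tuned per site.
EXPECTED_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}

# Countries the sample institution expects to talk to (constructed).
EXPECTED_COUNTRIES = {"US", "CA"}

# Service labels a sensor might assign to remote admin tools (constructed;
# TeamViewer's well-known port 5938 is included as an assumption).
REMOTE_ADMIN_SERVICES = {"teamviewer", "rdp", "vnc"}
REMOTE_ADMIN_PORTS = {5938, 3389, 5900}

# Internal address space of the sample institution (constructed).
INTERNAL_PREFIX = "10."

# Constructed sample records; 203.0.113.x, 198.51.100.x and 192.0.2.x are
# documentation addresses (RFC 5737), not real hosts.
SAMPLE_LOG = """\
# ts\tsrc\tdst\tdport\tservice\tcountry
2018-08-13T09:00:01\t10.1.2.3\t10.1.9.9\t443\tssl\tUS
2018-08-13T09:00:05\t10.1.2.3\t203.0.113.7\t443\tssl\tUS
2018-08-13T09:01:10\t10.1.2.4\t198.51.100.20\t8080\tssl\tUS
2018-08-13T09:02:33\t10.1.2.5\t192.0.2.14\t5938\tteamviewer\tDE
2018-08-13T09:03:00\t10.1.2.6\t203.0.113.9\t80\thttp\tUS
"""


def parse_conn_log(text: str) -> List[Conn]:
    """Parse the constructed tab-separated format, skipping comments and blanks."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, service, country = line.split("\t")
        conns.append(Conn(ts, src, dst, int(dport), service.lower(), country))
    return conns


def is_outbound(c: Conn) -> bool:
    """Internal source talking to a non-internal destination."""
    return c.src.startswith(INTERNAL_PREFIX) and not c.dst.startswith(INTERNAL_PREFIX)


def find_tls_on_nonstandard_ports(conns: Iterable[Conn]) -> List[Conn]:
    """FBI tip: encrypted traffic (SSL/TLS) on ports where it is not expected."""
    return [c for c in conns
            if c.service in ("ssl", "tls") and c.dport not in EXPECTED_TLS_PORTS]


def find_unexpected_destinations(conns: Iterable[Conn]) -> List[Conn]:
    """FBI tip: outbound traffic to regions the institution does not deal with."""
    return [c for c in conns
            if is_outbound(c) and c.country not in EXPECTED_COUNTRIES]


def find_remote_admin_tools(conns: Iterable[Conn]) -> List[Conn]:
    """FBI tip: remote administrative tools (e.g. TeamViewer) seen on the network."""
    return [c for c in conns
            if c.service in REMOTE_ADMIN_SERVICES or c.dport in REMOTE_ADMIN_PORTS]


def limit_change_allowed(old_limit: int, new_limit: int,
                         approvers: Iterable[str], threshold: int = 1000) -> bool:
    """FBI tip: dual authorization for withdrawal-limit increases above a threshold.

    An increase of at most `threshold` may be approved by one person; anything
    larger needs two distinct approvers. Decreases are always allowed.
    """
    increase = new_limit - old_limit
    if increase <= threshold:
        return True
    return len(set(approvers)) >= 2


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_LOG)
    for name, hits in (("TLS on non-standard port", find_tls_on_nonstandard_ports(records)),
                       ("unexpected destination", find_unexpected_destinations(records)),
                       ("remote admin tool", find_remote_admin_tools(records))):
        for c in hits:
            print(f"[{name}] {c.ts} {c.src} -> {c.dst}:{c.dport} ({c.service}, {c.country})")
    print("single approver, +4500:", limit_change_allowed(500, 5000, ["alice"]))
    print("two approvers,   +4500:", limit_change_allowed(500, 5000, ["alice", "bob"]))
```

Each check is deliberately a separate function so it can be tuned, suppressed or alerted on independently; in practice the allowlists would come from the institution's own asset inventory and the limit-change check would sit in the core banking application's approval workflow rather than in a log script.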
It's interesting to see tools such as PowerShell and TeamViewer being called out by name in the advisory, which probably means they were used in similar attacks in the past.
What do you think of the guidance provided by the FBI?