
ATM hack report

by Mark Rowe

A cyber security company has released details of how hackers were able to steal the equivalent of £28,000, overnight, from six ATMs of an eastern European bank.

Positive Technologies says its findings confirm that the theft could have been far worse: the technique used in the scam fortunately ‘clashed’ with the financial institution’s existing NCR ATM software, preventing the attackers from withdrawing further funds. It also warns that this group is likely to become active in the west soon.

Phishing emails are still one of the most successful attack vectors due to insufficient security awareness among staff, the cyber firm warns.

Alex Mathews, Lead Security Evangelist at Positive Technologies, says: “Attacks against ATMs are often a preliminary step, from which attackers aim to infiltrate a bank’s network infrastructure. Modern day ‘bank robbers’ have realised that many financial institutions fail to adequately invest in security, and that some will even do the bare minimum to comply with required standards. The result is that, from an initial compromise, attackers can often move sideways, burrowing deeper into the network and infecting other systems within the banking infrastructure.

“Having gained control over key servers and ATM management systems, these criminals will often hit the jackpot with minimal effort and without tripping any alarms. Our investigation found that, for this Eastern European bank, the initial compromise was facilitated by a phishing scam and was successful as employees were spoofed into deploying the malware. This allowed the bank’s local network to be compromised with the installation of malware on ATMs from the bank’s internal infrastructure.”

Positive Technologies has published the findings of its investigation in an analytical report titled “Cobalt – a new trend or an old ‘friend’?”. The report covers the intricacies of the techniques used in the attack on this bank, which could also be used against other financial institutions. The IT firm says that it gathered multiple host and network indicators of compromise, which were sent to the relevant authorities so that the information could be shared with other financial institutions to prevent similar attacks in future.

To view the 12-page report visit: http://www.ptsecurity.com/ww-en/upload/ptcom/analytics/Cobalt-Snatch-eng.pdf.


© 2024 Professional Security Magazine. All rights reserved.
