It would be like playing a slot machine that you cannot lose at. The more you play, the more money spills out. Or at least until the machine goes dry.
That’s just how thieves made off with millions in Russia. How did they do it? Malware. Or to be more specific — malware known as “Metel” that makes ATM withdrawals go “back in time” by automatically rolling back ATM transactions shortly after they are made, resetting the card balance. Because the balance resets, the “daily limit” or other security measures are never reached, or so the machine thinks.
This story comes out of the Kaspersky Security Analyst Summit going on in Tenerife, Spain. SAS is an annual event connecting anti-malware researchers and developers, global law enforcement agencies and members of the security research community. They gather to learn, debate, share and showcase cutting-edge research and new technologies, and to discuss ways to improve collaboration in the fight against cyber-crime.
This post explains how the criminals did it, in simple terms, as told by security researchers with Kaspersky Lab, the security firm that uncovered the Metel attack platform:
The criminals successively infected computers of bank employees either with the help of spear phishing emails that included malicious executable files or through targeting a browser vulnerability. Once inside the network they used legitimate software to hack other PCs until they reached the device they were looking for — the one that had access to money transactions. For example, these were PCs of call center operators or the support team.
As a result, each time the criminals picked up money from a card of the compromised bank at an ATM of another bank, the infected system automatically rolled back the transactions. That’s why the balance on the cards remained the same, allowing the cybercriminal to withdraw money limited only by the amount of cash in the ATM. The criminals made similar cash-outs at different ATM machines.
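The rollback pattern described above leaves a trace in the issuing bank's transaction log: many withdrawals on one card at other banks' ATMs, each reversed within minutes. The following is an added example (not code from Kaspersky or from the original post) that flags that pattern in constructed records; the record layout, bank ids, daily limit, time window and alert threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ISSUER = "BANK_A"                        # assumed: bank that issued the cards
DAILY_LIMIT = 1000                       # assumed per-card daily cash limit
REVERSAL_WINDOW = timedelta(minutes=10)  # assumed meaning of "shortly after"
MIN_REVERSED = 3                         # assumed alert threshold

# Constructed sample log: (time, card, kind, amount, atm_owner, ref)
SAMPLE = [
    ("2024-01-01 23:01", "card-1", "WITHDRAWAL", 400, "BANK_B", "t1"),
    ("2024-01-01 23:02", "card-1", "REVERSAL", 400, "BANK_B", "t1"),
    ("2024-01-01 23:05", "card-1", "WITHDRAWAL", 400, "BANK_B", "t2"),
    ("2024-01-01 23:06", "card-1", "REVERSAL", 400, "BANK_B", "t2"),
    ("2024-01-01 23:09", "card-1", "WITHDRAWAL", 400, "BANK_C", "t3"),
    ("2024-01-01 23:10", "card-1", "REVERSAL", 400, "BANK_C", "t3"),
    ("2024-01-01 23:14", "card-1", "WITHDRAWAL", 400, "BANK_C", "t4"),
    ("2024-01-01 23:15", "card-1", "REVERSAL", 400, "BANK_C", "t4"),
    ("2024-01-01 12:00", "card-2", "WITHDRAWAL", 200, "BANK_B", "t5"),
    ("2024-01-01 12:03", "card-2", "REVERSAL", 200, "BANK_B", "t5"),
    ("2024-01-01 18:30", "card-2", "WITHDRAWAL", 300, "BANK_A", "t6"),
]

def find_rollback_cashouts(records):
    """Return (card, day, requested, ledger, reversed_count) for suspicious cards."""
    originals = {}  # ref -> (time, atm_owner) of the original withdrawal
    stats = defaultdict(lambda: {"requested": 0, "ledger": 0, "reversed": 0})
    # Sort by time; on a tie, process the withdrawal before its reversal.
    for ts, card, kind, amount, owner, ref in sorted(
            records, key=lambda r: (r[0], r[2] != "WITHDRAWAL")):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if kind == "WITHDRAWAL":
            originals[ref] = (when, owner)
            day = stats[(card, when.date().isoformat())]
            day["requested"] += amount   # gross amount, never reduced by reversals
            day["ledger"] += amount      # what a balance-based limit check sees
        elif kind == "REVERSAL" and ref in originals:
            orig_when, orig_owner = originals[ref]
            day = stats[(card, orig_when.date().isoformat())]
            day["ledger"] -= amount
            if orig_owner != ISSUER and when - orig_when <= REVERSAL_WINDOW:
                day["reversed"] += 1
    return [(card, d, s["requested"], s["ledger"], s["reversed"])
            for (card, d), s in sorted(stats.items())
            if s["reversed"] >= MIN_REVERSED and s["requested"] > DAILY_LIMIT]

if __name__ == "__main__":
    for alert in find_rollback_cashouts(SAMPLE):
        print(alert)
```

The gross `requested` total is the figure to compare against the limit: for card-1 the ledger nets to zero, which is why a balance-based check never trips, while a single reversed withdrawal such as card-2's stays below the threshold.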