Russian bank fraud scheme combines physical, cyber elements
An organized crime ring in Eastern Europe has orchestrated sophisticated cyber and physical attacks that have drained millions of dollars from banks in Russia, and banks in other countries could be targeted next.
The crimes have various layers, from "mules" hired to open accounts with fake credentials, to cybercriminals behind the scenes hacking the bank and card management networks to initiate ATM withdrawals in different countries that drain the newly opened accounts.
Trustwave has worked with six midsize to large banks in Eastern Europe that have been hit by this scheme, with losses totaling more than $100 million to date. The Chicago-based vendor released the findings of its SpiderLabs unit Oct. 10, detailing what investigators uncovered.
Because cybercrimes perpetrated in Eastern Europe tend to serve as a signal to what will happen in other parts of the world, including the U.S., banks need to be aware of this latest scheme and have safeguards in place, said Brian Hussey, vice president of cyber threat detection and response at Trustwave.
"This is the first time I have seen such a high level of organization between the physical presence in the bank and the cyber Mafia," said Hussey, who spent eight years working with forensic researchers at the FBI before joining Trustwave.
The scheme starts with the criminal organization finding uneducated citizens in the farms and villages of Eastern Europe who have never opened a bank account and have no internet access. Those people are sent into the bank to open an account with fake credentials and request an ATM card to go with it. When they leave the bank, they turn the ATM card over to the criminals, and go back to their villages with a payment in hand.
The ATM cards are then distributed to a group of "mules" in other countries to extract funds — after the bank's systems have been hacked to allow for higher withdrawals.
Once the fraudsters have ATM cards in hand, their hackers target the bank network through normal phishing techniques, eventually getting into the administrator network of the person responsible for setting risk levels and caps on withdrawals. In each case Trustwave has studied, the hacker was also able to get into the third-party card management network with an identical or similar password.
Once into those systems, the hacker changes the risk category of the targeted account, which was initially set at the highest ranking because it was the first account for these new "customers." Once the account is set at a lower risk and the withdrawal limit is set higher, the ATM mules go to work and make their withdrawals of up to $30,000 in a single stop. They turn the money over to their bosses, and the heist is done.
"Even with zero balances on those cards, the account holder can take that money out of the ATM," Hussey said. "The bank has no real idea at this point, because they are looking at them as legitimate withdrawals."
Trustwave recommends that banks, if they haven't done so already, immediately put in place a way to differentiate between the core banking system and the third-party card management system.
The success of these cyberattacks may be attributed to failures in both technical and non-technical controls, Trustwave states in its report. If the core banking system had been integrated properly with the card management system, it would have been easier for changes to the debit card properties to be red-flagged and blocked by the bank.
Also, the request for a change in the account risk level and approval for such a change were allowed through the same card management system, Trustwave noted.
"All of the cases involved one administrator being able to move to both," Hussey said. "They had God-like privileges in that they can raise your credit, approve their own requests and make it all happen based on their authority alone."
A far better approach for banks is to require different passwords and personnel for these tasks, Hussey added.
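As an added illustration of the controls described above (example code, not from Trustwave, the report, or the banks involved), the following Python flags card-management changes that one administrator both requested and approved, risk downgrades on newly opened accounts, and large jumps in withdrawal caps, and shows the core-banking check that rejects a withdrawal exceeding the account balance regardless of the card's cap. The account records, change records, field names, and thresholds are constructed assumptions.

```python
from datetime import date

# Assumed thresholds (not from the report): "first accounts" are younger than
# NEW_ACCOUNT_DAYS; a cap raised by more than LIMIT_JUMP_FACTOR at once is reviewed.
NEW_ACCOUNT_DAYS = 90
LIMIT_JUMP_FACTOR = 5
RISK_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample data: a fresh zero-balance account, an established one, and
# card-management change records that log both requester and approver.
ACCOUNTS = {
    "ACC-1001": {"opened": date(2017, 9, 28), "balance": 0.0},
    "ACC-2002": {"opened": date(2012, 3, 1), "balance": 8500.0},
}
CHANGES = [
    {"account": "ACC-1001", "field": "risk", "old": "HIGH", "new": "LOW",
     "requested_by": "admin7", "approved_by": "admin7", "when": date(2017, 10, 2)},
    {"account": "ACC-1001", "field": "withdrawal_limit", "old": 500, "new": 30000,
     "requested_by": "admin7", "approved_by": "admin7", "when": date(2017, 10, 2)},
    {"account": "ACC-2002", "field": "withdrawal_limit", "old": 1000, "new": 1500,
     "requested_by": "ops3", "approved_by": "riskmgr1", "when": date(2017, 10, 2)},
]

def flag_change(change, account):
    """Return the reasons a card-property change should be held for a second approver."""
    reasons = []
    if change["requested_by"] == change["approved_by"]:
        reasons.append("self-approved")  # same person requested and approved
    age_days = (change["when"] - account["opened"]).days
    if (change["field"] == "risk"
            and RISK_RANK[change["new"]] < RISK_RANK[change["old"]]
            and age_days < NEW_ACCOUNT_DAYS):
        reasons.append("risk lowered on new account")
    if (change["field"] == "withdrawal_limit"
            and change["new"] > LIMIT_JUMP_FACTOR * change["old"]):
        reasons.append("withdrawal cap jump")
    return reasons

def review_changes(changes, accounts):
    """Run every change through flag_change; return only those needing review."""
    flagged = []
    for change in changes:
        reasons = flag_change(change, accounts[change["account"]])
        if reasons:
            flagged.append((change["account"], change["field"], reasons))
    return flagged

def authorize_withdrawal(account, card_limit, amount):
    """Core-banking check: the card's cap alone never authorizes a withdrawal."""
    return amount <= card_limit and amount <= account["balance"]
```

Run against the constructed records, both changes to the new account are held while the routine cap adjustment on the established account passes untouched.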
"This all gets back to the standards of security and approaching it through education and having response programs in place," Hussey said. "It is nothing special, just standard advice that can help minimize this."
A bank with a well-documented and tested incident response plan would have a person responsible for every single endpoint in the network, Hussey said.
"We have seen more than $100 million taken from the banks that contacted us, so we imagine there are other banks maybe not reporting this, or unaware of it," Hussey said. "And then consider other fraud prevention companies are handling other cases, and the amount of money being lost is significant."