Why don't criminals rob banks anymore?

Hacked Financial Institutions: Criminals attack the infrastructure of banks

Withdraw money from the machine - and the account balance does not change. A Russian group of cyber criminals has apparently achieved what many have secretly wished for, as the security company Kaspersky writes.


What is new is that the gangs no longer merely attack individual customers' accounts with Trojans and spear phishing, but manipulate the banks' own infrastructure in a targeted manner. The Metel group exploits browser vulnerabilities to install tools such as the Niteris exploit kit on bank employees' computers; in addition, spear-phishing malware is planted on employees' machines.

From there, the groups try to gain access to other systems in the bank in order to set up later attacks. In the end they manage to withdraw money from ATMs without the account balance falling afterwards. The gangs use manipulated cards from a compromised bank, which they then insert into another bank's ATMs; the malware ensures that the daily withdrawal limit on the cards is bypassed. In this way, the gangs are said to have emptied several ATMs belonging to various banks overnight in a number of Russian cities.

Attacks so far only in Russia

"Nowadays the active phases of a cyber attack are getting shorter and shorter. As soon as the attackers are sufficiently trained in using a certain method, they only need a few days to take what they want and then disappear," comments Sergey Golovanov, Principal Security Researcher at Kaspersky Lab's Global Research & Analysis Team. The attacks by the Metel group have so far only been found in Russia.


Another gang, called GCMAN, abuses various electronic payment services to send illegal money transfers. According to Kaspersky, in some cases the criminals do not even use malware, but get by with ordinary penetration-testing tools such as PuTTY, VNC and Meterpreter. In one case, the group allegedly lurked in a bank's network for more than a year and a half before making the first transfers. Each transfer was for 200 euros, the limit for anonymous transfers in Russia. The payment orders did not pass through individual accounts, but were sent directly to the "upstream payment gateway" and executed there.
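Both patterns described above leave traces in a bank's own transaction records: the Metel withdrawals exceed a card's daily limit while reversals keep the balance flat, and the GCMAN transfers arrive as rapid runs pinned at exactly the anonymous-transfer threshold. The following detection script is an added example written for this article, not code from Kaspersky or from any bank. The log format, field names, the 1000-euro daily ATM limit, the 60-second burst window and the sample rows are all constructed for illustration; only the 200-euro anonymous-transfer limit comes from the article.

```python
"""Two detection rules over a constructed core-banking event log (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Fields: timestamp, card/account id, event type,
# amount in euros, channel. Dates and ids are invented for this example.
SAMPLE_LOG = [
    # Card C1: three ATM withdrawals totalling 1500 EUR, each undone by a
    # reversal seconds later -> cash dispensed, balance unchanged, limit bypassed.
    "2016-02-08T01:02:00 C1 WITHDRAW 500 ATM",
    "2016-02-08T01:02:05 C1 REVERSAL 500 CORE",
    "2016-02-08T01:10:00 C1 WITHDRAW 500 ATM",
    "2016-02-08T01:10:04 C1 REVERSAL 500 CORE",
    "2016-02-08T01:17:00 C1 WITHDRAW 500 ATM",
    "2016-02-08T01:17:06 C1 REVERSAL 500 CORE",
    # Card C2: ordinary customer, a single withdrawal, no reversal.
    "2016-02-08T09:30:00 C2 WITHDRAW 200 ATM",
    # Account A9: burst of transfers pinned at the anonymous-transfer limit.
    "2016-02-08T03:00:00 A9 TRANSFER 200 GATEWAY",
    "2016-02-08T03:00:01 A9 TRANSFER 200 GATEWAY",
    "2016-02-08T03:00:02 A9 TRANSFER 200 GATEWAY",
    "2016-02-08T03:00:03 A9 TRANSFER 200 GATEWAY",
    # Account A3: one 200 EUR transfer on its own is unremarkable.
    "2016-02-08T12:00:00 A3 TRANSFER 200 GATEWAY",
]

DAILY_ATM_LIMIT = 1000       # assumed per-card daily withdrawal limit (constructed)
ANON_TRANSFER_LIMIT = 200    # anonymous-transfer limit named in the article
BURST_WINDOW_S = 60          # constructed threshold
BURST_MIN_COUNT = 3          # constructed threshold


def parse_log(lines):
    """Parse the constructed 'timestamp id type amount channel' records."""
    events = []
    for line in lines:
        ts, ident, kind, amount, channel = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": ident,
                       "kind": kind, "amount": int(amount), "channel": channel})
    return events


def detect_limit_bypass(events, daily_limit=DAILY_ATM_LIMIT):
    """Metel pattern: a card whose gross ATM withdrawals in one day exceed the
    daily limit. Authorization should have declined, so cash left the machine
    without the limit counter ever seeing it. The reversed amount is reported
    alongside, since reversals are what keep the balance unchanged."""
    gross = defaultdict(int)
    reversed_amt = defaultdict(int)
    for ev in events:
        key = (ev["id"], ev["ts"].date())
        if ev["kind"] == "WITHDRAW" and ev["channel"] == "ATM":
            gross[key] += ev["amount"]
        elif ev["kind"] == "REVERSAL":
            reversed_amt[key] += ev["amount"]
    alerts = {}
    for (card, day), total in gross.items():
        if total > daily_limit:
            alerts[card] = {"day": day.isoformat(), "gross_withdrawn": total,
                            "reversed": reversed_amt.get((card, day), 0)}
    return alerts


def detect_threshold_bursts(events, limit=ANON_TRANSFER_LIMIT,
                            window_s=BURST_WINDOW_S, min_count=BURST_MIN_COUNT):
    """GCMAN pattern: runs of transfers from one account, each exactly at the
    anonymous-transfer limit, within a short sliding window. Returns
    account -> size of the largest such run."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["kind"] == "TRANSFER" and ev["amount"] == limit:
            by_account[ev["id"]].append(ev["ts"])
    alerts = {}
    for account, times in by_account.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            alerts[account] = best
    return alerts


def run(lines=SAMPLE_LOG):
    """Apply both rules and return their alerts keyed by rule name."""
    events = parse_log(lines)
    return {"limit_bypass": detect_limit_bypass(events),
            "threshold_bursts": detect_threshold_bursts(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

On the sample log the first rule flags only card C1 (1500 euros withdrawn against a 1000-euro limit, all of it reversed) and the second flags only account A9 (four limit-sized transfers in four seconds). Real deployments would tune the limit and window per institution and correlate the reversal rule with the ATM's own dispense log, because an authorization record alone cannot show whether cash actually left the machine.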

The so-called Carbanak group has been in business the longest. It no longer attacks only banks, but also targets the accounting departments of companies. In one case at a financial institution, the group is said to have altered the ownership records of a large company in this way, registering a money mule's name as a co-owner.

In addition, the group is said to have developed a technique to induce ATMs to dispense money at a predetermined time without a transaction having been made.

Unsurprisingly, Kaspersky recommends virus scanners to secure the infrastructure. Yet numerous standards already exist, especially in the financial sector, that provide very good security mechanisms (the EMV procedure, for example) but are implemented poorly by financial institutions in order to save costs. And because payment systems are networked globally, security gaps or lax identity checks at foreign banks can also become a problem for German customers.