Outrageous robbery malware that withdraws unlimited money from ATMs emerges


By Ludovic Bertron

Kaspersky, which develops and sells security software, has revealed that the number of cybercriminals stealing money directly from banks increased in 2015. According to Kaspersky, at least 29 major Russian banks appear to have been hit by cybercriminals making full use of APT tools and related techniques.

How three criminal groups - Metel, GCMAN and Carbanak 2.0 - stole millions dollars from dozens of banks
https://blog.kaspersky.com/metel-gcman-carbanak/11236/

Kaspersky learned that cybercrime aimed at bank accounts is increasing through requests for investigation from banks targeted by cybercriminals. Subsequent investigations revealed that banks are suffering monetary losses in the millions from attacks by three separate hacker groups. Kaspersky is presenting its investigation report on these cases at the Kaspersky Security Analyst Summit (SAS), held from 7th to 11th February 2016. To prioritize the safety of the victims, the names of the banks that suffered damage have been withheld.

Scene of SAS 2016 venue


The malware behind the damage, called "Metel", was first discovered in 2011 and initially targeted users of online banking systems. In 2015, however, cybercriminals began using Metel for crimes targeting ATMs. The scheme was to change the withdrawal limit of ordinary credit cards to unlimited and then withdraw large amounts of money from ATMs.

The method is to use email phishing and browser vulnerabilities to infect computers used by bank employees with malware. Once a computer inside the bank network is infected, the attackers compromise other terminals from there, gain access to the bank's transaction data, and rewrite its contents, which is what makes unlimited withdrawals possible.

For example, if a PC used by a bank's call center operator is infected with the malware, records of cash transactions made at that bank's ATMs are automatically canceled, and the account can be restored to its original state as if the transaction had never been performed. As a result, cybercriminals were able to withdraw cash from ATMs indefinitely while the account balance did not change (limited only by the amount of cash actually inside the ATM).
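
The following is an added example, not code from Kaspersky or the original article: one way a bank could reconcile ATM dispense confirmations against ledger reversals to surface the rollback pattern described above. The record layout, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Assumed record layout:
# (time, card, atm, kind, amount, dispensed) where `dispensed` is the ATM's
# own confirmation that cash left the machine (None for ledger-only rows).
EVENTS = [
    ("2016-02-01T01:00:05", "card-A", "atm-1", "WITHDRAWAL", 500, True),
    ("2016-02-01T01:00:40", "card-A", "atm-1", "REVERSAL", 500, None),
    ("2016-02-01T01:12:10", "card-A", "atm-2", "WITHDRAWAL", 500, True),
    ("2016-02-01T01:12:45", "card-A", "atm-2", "REVERSAL", 500, None),
    ("2016-02-01T01:30:00", "card-A", "atm-3", "WITHDRAWAL", 500, True),
    ("2016-02-01T01:30:30", "card-A", "atm-3", "REVERSAL", 500, None),
    ("2016-02-01T01:41:00", "card-A", "atm-3", "WITHDRAWAL", 500, True),
    ("2016-02-01T01:41:20", "card-A", "atm-3", "REVERSAL", 500, None),
    ("2016-02-01T09:00:00", "card-B", "atm-1", "WITHDRAWAL", 200, False),  # jam, no cash
    ("2016-02-01T09:01:00", "card-B", "atm-1", "REVERSAL", 200, None),    # legitimate
    ("2016-02-01T10:00:00", "card-C", "atm-2", "WITHDRAWAL", 100, True),  # normal
    ("2016-02-01T11:00:00", "card-D", "atm-2", "WITHDRAWAL", 300, True),
    ("2016-02-01T11:00:30", "card-D", "atm-2", "REVERSAL", 300, None),    # one-off
]

def find_rollback_abuse(events, window=timedelta(hours=1), min_hits=3):
    """Map card -> cash dispensed but reversed, for cards with at least
    min_hits reversed-after-dispense withdrawals inside one time window."""
    pending = defaultdict(list)   # (card, atm, amount) -> dispensed withdrawals
    hits = defaultdict(list)      # card -> [(reversal time, amount)]
    for ts, card, atm, kind, amount, dispensed in sorted(events, key=lambda e: e[0]):
        key = (card, atm, amount)
        if kind == "WITHDRAWAL" and dispensed:
            pending[key].append(ts)
        elif kind == "REVERSAL" and pending[key]:
            pending[key].pop(0)   # reversal cancels a withdrawal that paid out
            hits[card].append((datetime.fromisoformat(ts), amount))
    flagged = {}
    for card, rows in hits.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1        # slide the window forward
            if end - start + 1 >= min_hits:
                flagged[card] = sum(amount for _, amount in rows)
                break
    return flagged

if __name__ == "__main__":
    print(find_rollback_abuse(EVENTS))
```

A reversal for a withdrawal the ATM never paid out (card-B) is ignored, so ordinary fault handling does not raise an alert.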


According to Kaspersky, the groups of cybercriminals using Metel to steal cash from ATMs are relatively small, estimated at about 10 people per group. These criminal acts have not been confirmed outside Russia at this time. In Russia, however, criminal acts using similar methods appear to be continuing.

In addition, a criminal group using "GCMAN", malware built with the GCC compiler, has also appeared. This group does not withdraw cash directly from ATMs; instead it appears to remit money while disabling the processing of the money transaction. Furthermore, the group apparently used "cron", a scheduler that runs jobs automatically, to remit money to an electronic currency service little by little every minute.

A bank in Russia is said to have had 200 dollars (about 23,000 yen) stolen per minute.


There is also a group of cybercriminals called Carbanak. Active since about 2013, Carbanak appears to be a troublesome group that devises a new hacking method and reappears after a period of quiet. Carbanak carries out crimes targeting the finance departments of banks and of specific companies. It steals large sums of money from companies all over the world, and unlike the other groups, the damage is not limited to Russia.

Carbanak also uses APT tools: it uses phishing to infect computers in a corporate network with malware and from there installs malware that it developed itself. Once a computer is infected, Carbanak can access the network with system administrator privileges, making it possible to steal money from bank accounts, change company owner information, steal credentials, and compromise domain controllers.

In addition, Carbanak is an international criminal group, and damage appears to have occurred in Russia, China, Ukraine and other European countries.


As points of caution for people working at financial institutions such as banks, Kaspersky cites "be careful about phishing", "do not neglect software updates" and "avoid becoming a target of malware attacks".

in Security, Posted by logu_ii