A funny thing happened on the way to the ATM (and depending on who you believe, may still be happening). Scratch that. For the lucky few at the right place at the right time, an awesome thing has been happening: ATMs randomly coughing up cash -- and a lot of it. Like an international lottery, the phenomenon has occurred in more than 30 countries, leading to potentially as much as $1 billion in stolen funds.
At first glance, it might seem like a ghost in the machine was behind these pedestrian cash bonanzas (or a benevolent god), but as the walk-by windfalls multiplied a more likely scenario emerged. Called in to investigate, the international security software group Kaspersky Lab discerned the telltale signs of cybercrime behind the Mystery of the Communist ATMs.
The cash cataracts were the tip of an iceberg of massive proportions still unknown. As such, they underscore the need for private and public sector sharing of cybersecurity threat information. In an environment where cooperation, collaboration and communication are practiced, it's harder for criminals to flourish. Had those ATM incidents been reported in a timely way, the scam probably would have been caught sooner.
President Obama signed an executive order last week on information sharing that was more like a guideline than anything else, but still very much a step in the right direction. "It's one of the great paradoxes of our time," the President told attendees of the first White House summit on Cybersecurity and Consumer Protection at Stanford University, "that the very technologies that empower us to do great good can also be used to undermine us and inflict great harm."
Exploiting System Weaknesses
Members of a cybercrime gang called Carbanak appear to know that better than most. They were the ones behind the ATM paydays, according to Kaspersky Lab. Using a RAT (remote access tool), Carbanak was able to release large amounts of money without anyone touching the machines. What seemed like an unfortunate loss for the affected banks -- on the surface these incidents only benefited random passers-by -- stayed hush-hush. According to my colleague Byron Acohido, "companies by and large are loathe to let word of any successful hack leave the inner circle - unless absolutely necessary." But the knee-jerk reaction to circle the wagons that most companies have when they've been compromised by cybercriminals actually cost banks more in this instance since it allowed the Carbanak gang to have a longer run at the institutions they had cracked. Had the affected banks shared information, a pattern would have emerged early on.
The forensics experts at Kaspersky Labs started to work backward to piece together the anatomy of what we now know may be the biggest bank heist to date. The deeper they probed the cause of these money geysers, the more apparent it became that the extent of the hit went way beyond the scope of a few zombie ATMs. At least $300 million had been stolen over the two-year period.
Kaspersky reported these findings at the opening of their annual Security Analyst Summit, which was held in Cancun last week. According to the report, "the criminals have attempted to attack up to 100 banks, e-payment systems and other financial institutions." The Carbanak targets included financial organizations across the globe. The form the attacks took: malware.
The days of the safe-cracking bank robber have given way to the security-breaching hacker--yet another reason institutions should value open lines of communication and a high level of cooperation when it comes to fighting the threats out there. In the Carbanak scam, spearphishing emails were sent to employees that infected work stations, and from there the hackers tunneled deeper into the banks' systems until they controlled employee stations that would allow them to make cash transfers, operate ATMs remotely, change account information and make administrative changes.
Was It Avoidable?
It was a pretty standard scheme: an email with a link that looked like it was coming from a colleague contained the malicious code, which spread from there like a digital rhinovirus. The hackers recorded everything that happened on the affected computers to learn how the organization did things. When they had mastered the system, they commandeered it for a series of transactions that included the ATM hits, but also a practice of artificially inflating bank balances and then siphoning off that amount, so a customer's account balance might go from $1,000 to $10,000 and then $9,000 would go to the hacker. Could banks have prevented the attack? Maybe not, but more communication and a culture of cybercrime awareness certainly could have limited the damage.
The truth is there is no solution, but there is something that could make it harder for this kind of attack to go undetected for such a long period of time: collaboration, communication and cooperation. This is not just at the enterprise level. Consumers who see their bank account balances increase for no reason need to speak up instead of pray no one notices. Banks that get robbed need to talk about it, and share information. Cybercrime flourishes most when it is able to operate in the shadows.
As Justice Louis Brandeis said, "Sunlight is said to be the best of disinfectants; electric light the most efficient policeman." Right now, the 3Cs of collaboration, communication and cooperation are the bright light in the dark night of cybercrime's ascendency.