A cyber-criminal gang has stolen over $40 million from Eastern European banks using a clever new technique that combines hacking the bank's network, the manipulation of overdraft limits, disabling fraud alerts, and mass ATM withdrawals.

The heists are some of the most sophisticated bank robberies to date, on par with the SWIFT hacks that hit several banks last year.

The attacks have been happening since March this year, according to a report released yesterday by Trustwave SpiderLabs.

Attackers targeted banks with poor security measures

Brian Hussey, vice president of cyber threat detection and response at Trustwave SpiderLabs, told Bleeping Computer the attacks aren't the work of lone hackers, but of a well-organized international crime syndicate.

Hussey says his company investigated heists at five different banks in post-Soviet countries. Attackers made off with sums between $3 million and $10 million per bank, for a total of over $40 million.

"We only see the ones that come to us," Hussey told Bleeping. "Other banks may have come to other vendors or may not have noticed the theft yet."

Hussey also said attackers aren't as technically skilled as hackers robbing banks in Western countries, but the attacks are complex nonetheless.

"This can probably be explained by practicality and a pragmatic approach from attackers – banking infrastructure and enacted security controls in developing countries are much less sophisticated than in the Western World," Ilia Kolochenko, CEO of web security company High-Tech Bridge, told Bleeping Computer. "Therefore, no complicated chained attacks with 0days and advanced techniques to evade security systems are required to get in."

How the heists took place

Each attack unfolded across multiple stages. The first involved recruiting so-called "mules," persons who visited banks and opened debit card accounts under fake identities.

The group's hackers entered the fold in the second stage by compromising computers of bank employees, moving laterally inside the bank's network, and identifying workstations that had access to the bank's internal systems. If needed, hackers would go as far as compromising the bank's third-party providers of payment card management solutions.

Once the hackers had access to all the bank systems they needed, they coordinated a large-scale cash-out with the so-called "cash mules," either on a single day or spread across several.

On selected nights, the hackers would raise the overdraft limit on the debit cards the mules had opened, allowing the cash mules to withdraw far more from ATMs than the accounts actually held.

Where they could, the hackers would also disable the bank's card fraud detection systems. Where they could not, they sent the cash mules to withdraw money from ATMs in other countries, delaying the moment at which the issuing bank would spot the fraudulent transactions.

Trustwave notes that withdrawals began within minutes of the overdraft limit being modified, showing a high level of coordination between the gang's different groups.

When everything was done, the hackers would launch a destructive malware strain that overwrote the Master Boot Record (MBR) on infected computers, leaving the machines unbootable and hindering subsequent forensic investigation.
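The pattern Trustwave describes (a limit change at night, ATM withdrawals minutes later, often abroad, sometimes preceded by fraud controls being switched off) is something a bank's monitoring team can correlate for directly. The following detection sketch is an added example and is not code from the Trustwave report or from Bleeping Computer; the event layout, field names, card numbers and timestamps are constructed for illustration, and the issuing bank's home country and "night" hours are assumptions. It groups card events per card, and for every overdraft-limit increase looks for ATM withdrawals within a short window, attaching flags that reflect the indicators named in the article.

```python
"""Correlate overdraft-limit increases with follow-on ATM withdrawals.

Added example for the cash-out pattern described in the article. The event
schema, sample data and thresholds below are assumptions made for
illustration, not a real core-banking or card-management log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "AM"                 # assumed issuing-bank country (ISO 3166-1)
WINDOW = timedelta(minutes=60)      # limit change -> withdrawal correlation window
NIGHT_HOURS = range(0, 6)           # assumption: timestamps are bank-local time

# Constructed sample events (not real logs). One overnight cash-out on card
# ...0001, plus a benign limit change on card ...0002 with a withdrawal a day later.
SAMPLE_EVENTS = [
    {"ts": "2017-09-14T02:09:50", "type": "fraud_rule_disabled",
     "actor": "ops_user17", "rule": "atm_velocity"},
    {"ts": "2017-09-14T02:11:03", "type": "limit_change", "card": "4111********0001",
     "actor": "ops_user17", "old_limit": 0, "new_limit": 50000},
    {"ts": "2017-09-14T02:14:40", "type": "atm_withdrawal", "card": "4111********0001",
     "amount": 9800, "country": "GE"},
    {"ts": "2017-09-14T02:16:02", "type": "atm_withdrawal", "card": "4111********0001",
     "amount": 9900, "country": "GE"},
    {"ts": "2017-09-14T02:17:30", "type": "atm_withdrawal", "card": "4111********0001",
     "amount": 9900, "country": "GE"},
    {"ts": "2017-09-14T10:30:00", "type": "limit_change", "card": "4111********0002",
     "actor": "branch_user03", "old_limit": 0, "new_limit": 500},
    {"ts": "2017-09-15T12:05:00", "type": "atm_withdrawal", "card": "4111********0002",
     "amount": 200, "country": "AM"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_cashout(events, window=WINDOW, home_country=HOME_COUNTRY):
    """Return one alert per limit increase followed by ATM withdrawals within `window`.

    Each alert carries the flags that made the sequence suspicious:
      night_limit_change              - limit raised during NIGHT_HOURS
      foreign_atm                     - at least one withdrawal outside home_country
      spend_exceeds_previous_limit    - cash taken exceeds the limit that applied before
      fraud_controls_disabled_nearby  - a fraud rule was disabled within the same window
    """
    events = sorted(events, key=_ts)
    by_card = defaultdict(list)
    control_changes = []            # bank-wide events, not tied to one card
    for e in events:
        if e["type"] == "fraud_rule_disabled":
            control_changes.append(e)
        else:
            by_card[e["card"]].append(e)

    alerts = []
    for card, evs in by_card.items():
        for i, e in enumerate(evs):
            if e["type"] != "limit_change" or e["new_limit"] <= e["old_limit"]:
                continue                # only limit *increases* are interesting
            start = _ts(e)
            withdrawals = [w for w in evs[i + 1:]
                           if w["type"] == "atm_withdrawal" and _ts(w) - start <= window]
            if not withdrawals:
                continue
            total = sum(w["amount"] for w in withdrawals)
            flags = []
            if start.hour in NIGHT_HOURS:
                flags.append("night_limit_change")
            if any(w["country"] != home_country for w in withdrawals):
                flags.append("foreign_atm")
            if total > e["old_limit"]:
                flags.append("spend_exceeds_previous_limit")
            if any(abs(_ts(c) - start) <= window for c in control_changes):
                flags.append("fraud_controls_disabled_nearby")
            first = _ts(withdrawals[0])
            alerts.append({
                "card": card,
                "actor": e["actor"],
                "minutes_to_first_withdrawal": round((first - start).total_seconds() / 60, 1),
                "withdrawals": len(withdrawals),
                "total_withdrawn": total,
                "flags": flags,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_cashout(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed data, the rule fires once, for card ...0001: the limit was raised at 02:11 by the same operator account that disabled a fraud rule a minute earlier, the first withdrawal followed 3.6 minutes later, and all three withdrawals were made abroad. The benign card is not flagged because its withdrawal falls outside the window. In a real deployment the limit-change and fraud-rule events would come from the card-management system's audit trail and the withdrawals from the authorization host, and the actor field is the one to pivot on, since the article describes the changes being made from compromised employee workstations rather than by the cardholder.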

The attacks are detailed in more depth in a Trustwave SpiderLabs report named "Post-Soviet Bank Heists: A Hybrid Cybercrime Study," available for download here. We also pulled the graphs from the report into the infographic below.

Overdraft hack infographic