When scammers get inside of the networks of financial institutions, they sometimes stage "cashouts" where they recruit confederates around the world to all hit ATMs at the same time with cards tied to hacked accounts and withdraw the maximum the ATMs will allow; but the wilier criminals first disable the anti-fraud and withdrawal maximum features in the banks' systems, enabling confederates to drain ATMs of all the cash they contain. This is called an "unlimited cashout."
A leaked FBI memo circulated on Friday to US banks warns that "cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation.'"
ATM cashouts often target smaller banks with less sophisticated cybersecurity systems, but the FBI memo hints that the upcoming attack could target large financial institutions. Attacks are usually staged over the weekend, especially holiday weekends, when core security staff may not be available.
The FBI is urging banks to review how they’re handling security, such as implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business critical roles.
Other tips in the FBI advisory suggested that banks:
-Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.
-Implement application whitelisting to block the execution of malware.
-Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.
-Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as Powershell, cobalt strike and TeamViewer.
-Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.
-Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution.
FBI Warns of ‘Unlimited’ ATM Cashout Blitz [Brian Krebs/Krebs on Security]