Hackers planted malware on an automated teller machine (ATM) server belonging to an Indian bank as part of a criminal scheme which saw the theft of nearly 944 million rupees (US $13.5 million) in a co-ordinated attack across 28 countries last weekend. India's Cosmos Bank, based in the western city of Pune, suffered an attack which saw hackers use malware to steal customer information from the company's ATM server and then use that data to clone thousands of Visa and RuPay debit cards. The debit cards were then used over the course of the weekend in a number of countries including Canada, Hong Kong, and India. In all, 14,859 transactions were made at cash machines, resulting in the theft of 805 million rupees. To add insult to injury, the hackers also transferred 139 million rupees to a Hong Kong-based bank account by ordering three unauthorised transactions over the SWIFT inter-bank communication network. SWIFT (the Society for Worldwide Interbank Financial Telecommunications) is the system that is normally used by banks to send money securely to each other around the world. However, in recent years, cybercriminals have targeted the finance industry's usage of SWIFT to attempt to steal large amounts of money. Perhaps the most notorious incident occurred in February 2016 when hackers tried to transfer $951 million from a Bangladesh bank to accounts in the Philippines, successfully making off with a (still impressive) $81 million. Similar attacks have plagued banks worldwide as they have been targeted with bespoke malware. Cosmos Bank told the press that the attackers managed to bypass a debit card payment request "switching system" used by its main banking software during the attack:
During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system.
The company was keen to emphasize that its core banking system had not been compromised by the hackers and that the malware was on the switch. "None of the customers’ accounts were touched, and it is the bank that has incurred the loss of this money," an official said. In response to the attacks, Cosmos Bank says it shut down its servers and internet banking facilities and that it is working with police investigators. The attack came within hours of the FBI warning's for banks that organized criminals were planning a major “ATM cash-out” with the intention of stealing millions of dollars. The confidential letter seen by cybersecurity blogger Brian Krebs makes clear the belief that there was an imminent threat:
The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’. Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.
Sadly, it seems the warning was too late to protect India's Cosmos Bank. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Financial Services Cybersecurity Regulations
Learn how Tripwire's strategies bolster cybersecurity in the financial sector. Facing heightened risks, financial organizations can benefit from Tripwire's expertise in security configuration management and file integrity monitoring, ensuring compliance with critical regulations and safeguarding sensitive data.