Russian hackers have adopted a new technique, dubbed Reverse ATM Attack to steal Millions of dollars from ATMs of financial institutions.
According to the experts at security firm GroupIB, the Reverse ATM Attack allowed criminal rings in Russia to steal 252 Million Rubles (roughly US$3.8 Million) from at least five different banks.
The theft started in summer 2014 and finished in Q1 2015.
The experts provided a detailed description of the Reverse ATM Attack. The attacker would deposit sums of 5,000, 10,000 and 30,000 Rubles into legitimate bank accounts using ATMs, and immediately withdraw the same amounts of money accompanied by a printed receipt of the payment transaction. At this point the hackers send the details included in the receipt, including the payment reference number and the amount withdrawn, to a partner who had remote access to the infected POS terminals. Usually the partner is an individual located outside of Russia.
“That information was sent to hackers who would use the data and their access to thousands of point of sale terminals, primarily based in the US and the Czech Republic, to create “a reversal operation” on a terminal that tricked the bank into believing the withdrawal of funds had been cancelled.” states Forbes. “At the point of sale terminal, this looked as though goods were returned or a payment declined, whilst to the banks it appeared the ATM withdrawal had been cancelled. Funds were returned to the account, though the crooks had already taken the cash. The process was repeated until there was no money remaining in the targeted ATM.”
As explained by the experts at Group-IB, the criminal gang leveraged weaknesses in the withdrawal, transfer and verification stages of credit card transactions used in Russia and managed to bypass checks recommended by VISA and MasterCard.
The problem is that when the reverse operation targets a single bank, transaction details provided by VISA are not verified by the targeted banks. When ATM Withdrawals were made in one country and cancelled/reversed in another, the verification process fails.
VISA brought together the affected banks so they could block reversal operations when funds were withdrawn from an ATM of the bank and reaccredited through a separate terminal.
“But that fix only addressed the issue of withdrawals from ATMs, not transfers from one card to another.” continues Forbes.
Group-IB is supporting law enforcement to investigate further fraudulent activities.
(Security Affairs –money Laundering, Reverse ATM hack)