Cyber criminals have hacked cash machines in 28 countries to loot over £10 million from an Indian bank.
Hackers infected the bank’s credit card payment system with malware, which allowed them to approve transactions and access client accounts. Fake credit cards were then used to force ATMs around the world to dispense cash worth about $13 million until they were empty.
The attack on Cosmos Bank, based in the Indian city of Pune, came just days after the Federal Bureau of Investigation (FBI) warned last week of an imminent attack. The FBI told global banks that it feared there would be a global cyber attack on ATMs within days.
UK-based banks with large international operations, such as HSBC and Barclays, are among those made aware of the threat.
The FBI said that it had intelligence that criminals were going to hack into a banking system using a highly choreographed fraud scheme known as ATM “jackpotting”, in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to take out millions in just a few minutes.
Cyber experts have suggested that the attack may have been led by hackers from the so-called Lazarus organisation, an infamous gang of cyber criminals that has been linked to other scams. However, the group has not confirmed its involvement.
Zeki Turedi, technology strategist at Crowdstrike, said the apparent complexity and scale of the heist suggested it was highly likely carried out by sophisticated actors with access to significant resources. This could potentially include groups with a level of state support.
Some banks use older operating systems that leave them more vulnerable to hackers, Lu Zurawski, consumer payments practice lead at payments system company ACI Worldwide, said.
“Bank systems may indeed be able to monitor irregularities and react by shutting down ATMs and involving law enforcement agencies at known trouble spots,” he said.
“But gangs are pretty savvy and nippy – their ‘cash mules’ could remove tens of thousands of pounds before any police turn up.”
The bank told Reuters that its payments system was bypassed in the attack.
Cosmos Bank said in a statement to Reuters: “During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system.”
ATM jackpotting is increasingly common. In one incident in Thailand in 2016, thieves made off in minutes with 12 million baht or about £280,000 from cash machines by targeting ATMs run by Government Savings Bank, a state-owned Thai bank based in Bangkok.
In another case in the US, criminals siphoned about $570,000 in cash from ATMs operated by the National Bank of Blacksburg in two separate attacks in 2016 and 2017.