The most famous Unlimited Attack was also one of the earliest, when $9 Million in cash was withdrawn from at least 2100 ATM machines in 280 cities around the world on November 7th and 8th, 2008 in the RBS WorldPay attack. That was far surpassed in 2013, when cash-out gangs in 26 Countries stole $40M. More recently, Standard Bank was victimized in the first Japanese Unlimited Attack in 2016, involving at least 14,000 “maximum” ATM withdrawals.
In this case, the FBI’s prediction came true almost immediately, even before our favorite security journalist, Brian Krebs, was able to get his story out: FBI Warns of Unlimited ATM Cashout Blitz.
The Times of India reported on August 14th “How hackers siphoned over Rs 94 crore off a co-operative bank in Pune“, revealing that the 112 year old Cosmos Bank was the target of the attack. During this attack hackers were able to cause the ATM Network to approve “Rupay” transactions by validating the requests against a fake payment gateway controlled by the hackers. In 2.5 hours, from 3 pm to 5:30 pm, 12,000 Visa card transactions withdrew Rs 78 crore (approximately $10.9 Million USD) before Cosmos Bank terminated all ATM Visa Transactions, however Rupay transactions continued until at least 10PM. RuPay is an India-only card system designed to allow national payments in India without reliance on Visa and Mastercard. 2,890 India-based RuPay transactions totaled an additional Rs 2.5 crore ($351,500 USD). In addition to the ATM damages, on August 13th, the same hackers wired Rs 13.94 crore (almost $2M USD) to Hong Kong via a fraudulent SWIFT transfer. (Three separate MT103 transactions were sent to ALM Trading Limited at Hang Seng Bank in Hong Kong, according to Securonix analysis of the event. Securonix believes the behavior of the attackers is consistent with the North Korean based APT group known as “Lazarus Group”. MITRE’s ATT&CK program (Adversarial Tactics, Techniques & Common Knowledge) provides more information on the Lazarus Group.
As with many previous Unlimited attacks, Cosmos Bank chairman Milind Kale said that no customer accounts were impacted, as these were “dummy” accounts that were established for the attack. If this attack is like historical ones, many of the follow-up arrests will come from using ATM video footage to identify individual cash-out gangs and try to follow their communications back to the criminals who recruited them for the scheme.
*** This is a Security Bloggers Network syndicated blog from CyberCrime & Doing Time authored by Gary Warner, UAB. Read the original post at: http://garwarner.blogspot.com/2018/09/indias-cosmos-bank-suffers-unlimited.html