Here’s How Cybercriminals Stole $100 Million From EU Banks and Vanished Without Trace
A wave of financially motivated cybercrime has hit banks in Europe and the former Soviet Union, exposing profound security weaknesses in the technology infrastructure that handles transactions and funds worth billions of dollars. How do we stop the next generation of tech-savvy criminals, and what security measures must institutions adopt to stop the hemorrhaging of funds as the attacks escalate? First, let’s look at what happened and why the criminals were so successful.
Yesterday’s drug mule is today’s cyber-foot soldier
The concept of a ‘mule’ is nothing new. Criminals pay tourists, truck drivers, and other working-class individuals (with clean records, citizenship, and a passport) to carry a dubious package across a border, knowing little about its contents, in exchange for a quick payday.
Today, hackers use mules to open bank accounts with fraudulent or stolen identity documents. Those mules hand the legitimately issued debit cards to other mules, who later make coordinated withdrawals from ATMs in other countries.
While the mules do the legwork and prepare for the cash-out, the hackers use targeted phishing to plant keylogging software on the terminals of bank tellers and credit card processing staff. Over time they harvest credentials, gain access to the bank’s network, and install legitimate software such as Mipko, a commercial package for monitoring employee terminals remotely. The minimal use of malware, in favour of stolen credentials and legitimate remote-monitoring tools, is one of the key reasons these attacks raised no red flags with the banks involved.
Modern banks are frequently interlinked with third-party credit card processors, so once inside, the hackers can move freely between networks and watch employees until they capture the credentials needed to access and modify the bank’s risk scores and overdraft protection limits. Once the limits have been raised, mules standing by in numerous countries make simultaneous cash withdrawals from ATMs using the legitimately issued debit cards. The attack exploits both the logistical weaknesses of ATM infrastructure and the limits of law enforcement’s ability to track down such a large number of co-conspirators, who know very little, if anything, about the actual masterminds.
The hackers then cover their tracks by crashing the systems they used and rendering them unbootable, while the mules disappear with the cash long before anyone has been notified that a heist is underway. Because each withdrawal is a valid transaction on a legitimately issued card, within its (inflated) limit, most banks remain unaware of the attack until someone notices the spike in ATM traffic hours or days later.
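The two signals the attack leaves behind, an unusual jump in a card’s limit followed by a burst of withdrawals on that card from several countries within minutes, are exactly what a bank’s fraud monitoring could correlate in near real time instead of waiting for someone to notice the traffic spike. The following is an added example, not code from the article or from Trustwave’s report: a small Python detector over constructed withdrawal and limit-change records (card ids, timestamps, country codes, operator names and thresholds are all invented for illustration) that flags cards with multi-country cash-outs shortly after a large limit increase, and then groups the flagged cards by the operator account that changed their limits, since a single compromised teller login behind many changes is itself a campaign indicator.

```python
"""Correlate limit increases with multi-country ATM withdrawal bursts.

Added example; record layout, thresholds and all sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed withdrawal records: (card id, UTC timestamp, country, amount).
WITHDRAWALS = [
    ("card-A1", "2014-03-02T03:00:05", "LV", 500.0),
    ("card-A1", "2014-03-02T03:00:40", "PL", 500.0),
    ("card-A1", "2014-03-02T03:01:10", "UA", 500.0),
    ("card-A1", "2014-03-02T03:02:00", "LV", 500.0),
    ("card-B7", "2014-03-02T03:00:12", "PL", 400.0),
    ("card-B7", "2014-03-02T03:00:50", "RO", 400.0),
    ("card-C3", "2014-03-01T12:15:00", "DE", 60.0),   # ordinary use, one country
    ("card-C3", "2014-03-01T19:40:00", "DE", 20.0),
]
# Constructed limit-change audit records:
# (card id, timestamp, old limit, new limit, operator account).
LIMIT_CHANGES = [
    ("card-A1", "2014-03-01T23:55:00", 500.0, 50000.0, "teller-17"),
    ("card-B7", "2014-03-01T23:56:00", 300.0, 40000.0, "teller-17"),
    ("card-C3", "2014-02-10T10:00:00", 200.0, 300.0, "teller-02"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def cashout_alerts(withdrawals, limit_changes, window=timedelta(minutes=10),
                   min_countries=2, lookback=timedelta(hours=24), jump=5.0):
    """Return {card: alert} for cards withdrawn in >= min_countries within
    `window`; each alert notes a limit change within `lookback` before the
    burst if the new limit is at least `jump` times the old one."""
    by_card = defaultdict(list)
    for card, ts, country, amount in withdrawals:
        by_card[card].append((_ts(ts), country, amount))
    changes = defaultdict(list)
    for card, ts, old, new, op in limit_changes:
        changes[card].append((_ts(ts), old, new, op))

    alerts = {}
    for card, events in by_card.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            # Sliding window anchored at each withdrawal.
            cluster = [e for e in events[i:] if e[0] - start <= window]
            countries = {c for _, c, _ in cluster}
            if len(countries) < min_countries:
                continue
            suspicious = [(t, old, new, op) for t, old, new, op in changes[card]
                          if start - lookback <= t <= start and new >= jump * old]
            alerts[card] = {
                "start": start,
                "countries": sorted(countries),
                "withdrawals": len(cluster),
                "total": sum(a for _, _, a in cluster),
                "limit_change": suspicious[0] if suspicious else None,
            }
            break  # one alert per card is enough to block it
    return alerts


def shared_operators(alerts):
    """Operator accounts whose limit changes precede more than one flagged
    card: a likely stolen credential rather than a coincidence."""
    ops = defaultdict(set)
    for card, alert in alerts.items():
        if alert["limit_change"]:
            ops[alert["limit_change"][3]].add(card)
    return {op: sorted(cards) for op, cards in ops.items() if len(cards) > 1}


if __name__ == "__main__":
    found = cashout_alerts(WITHDRAWALS, LIMIT_CHANGES)
    for card, alert in found.items():
        print(card, alert["countries"], alert["total"], alert["limit_change"])
    print("shared operators:", shared_operators(found))
```

In practice the withdrawal feed is the authorisation stream and the limit changes come from the core banking audit log; the point of joining them is that either signal alone is noisy (travellers do use cards abroad, limits do get raised), while the combination, and especially one operator account behind several such cards, is what the attack described above looks like while it is still running.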
What does this mean for the future of banking?
So far these attacks have not sparked serious change in banking infrastructure because they have yet to hit a wealthy superpower. However, Trustwave’s Advanced Threat Report warns that these organized attacks are likely to spread globally over the next few years, growing in both frequency and intensity as the organizers accumulate influence and resources.
Banks and card processors can double down on internal security and staff training, but human error (falling for a phishing e-mail) remains one of the key weaknesses hackers exploit, and it cannot simply be eliminated. Preventing hackers from gaining a foothold in the network is a crucial countermeasure, but it does not excuse the lax security on the interconnected networks, which should require multiple layers of authentication before risk scores or overdraft limits can be changed, nor the ease with which criminals open new accounts with phony or stolen personal information.
The other option is to limit ATM functionality (lower per-transaction and daily withdrawal caps, for example) to the point where a heist of this kind requires so many withdrawals and mules that it becomes too slow, and therefore too costly, to be worthwhile. That, however, will irritate consumers, who rarely choose to sacrifice convenience for security.