
FastCash ATM Cashout Fraud Scheme

What Is It?

The US-CERT has released a joint technical alert from the FBI, the Department of Homeland Security (DHS), and the Department of the Treasury about a new cyber-attack, dubbed "FASTCash". Hidden Cobra, the North Korean Advanced Persistent Threat (APT) hacking group, has been using this attack to cash out ATMs since at least 2016, targeting banks in Africa and Asia. 

How Do They Do It?

Hidden Cobra remotely compromises switch application servers at various banks where the attackers hold accounts (and payment cards) with minimal activity or zero balances. The malware installed on the compromised switch application servers then intercepts transaction requests associated with the attackers’ payment cards and responds with fake but legitimate-looking affirmative messages without actually validating available balances. The fraudulent affirmative message manipulates ATMs into spitting out large amounts of cash without notifying the bank.

Experts believe that the APT threat actors use spear-phishing emails containing malicious Windows executables to target employees at different banks. Once opened, the executable infects computers with Windows-based malware, allowing hackers to move laterally through a bank’s network using legitimate credentials to deploy malware onto the payment switch application server.


Recommendations and Best Practices:

  • Require multi-factor authentication for all user access to the switch application server, and for all accounts with administrative access
  • Require chip and PIN validation for all debit card ATM transactions
  • Encrypt data in transit
  • Monitor transactions for anomalous behavior 
  • Ensure all system patches are up-to-date
  • Be mindful of phishing and other attack vectors through which malicious software can be downloaded onto your systems
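
One way to act on the transaction-monitoring recommendation, as an added example that is not part of the original alert: because the malware approves withdrawals without validating balances, approvals leaving the switch can be reconciled against what the core banking host actually authorized. The record layout, field names (`trace_id`, `card_ref`) and sample data are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; field names are hypothetical.
# Approved ATM withdrawal responses observed leaving the payment switch.
SWITCH_APPROVALS = [
    {"trace_id": "000101", "card_ref": "card-A", "amount": Decimal("200.00")},
    {"trace_id": "000102", "card_ref": "card-B", "amount": Decimal("500.00")},
    {"trace_id": "000103", "card_ref": "card-B", "amount": Decimal("500.00")},
    {"trace_id": "000104", "card_ref": "card-C", "amount": Decimal("60.00")},
]
# Authorizations the core banking host recorded for the same period.
HOST_AUTHS = [
    {"trace_id": "000101", "card_ref": "card-A", "amount": Decimal("200.00")},
    {"trace_id": "000104", "card_ref": "card-C", "amount": Decimal("40.00")},
]
# Available balance per card's account at the start of the period.
BALANCES = {"card-A": Decimal("1500.00"), "card-B": Decimal("0.00"),
            "card-C": Decimal("300.00")}


def reconcile(approvals, host_auths, balances):
    """Flag switch approvals that the issuer host cannot account for."""
    host = {(h["trace_id"], h["card_ref"]): h for h in host_auths}
    spent = defaultdict(Decimal)  # running approved total per card
    findings = []
    for a in approvals:
        reasons = []
        match = host.get((a["trace_id"], a["card_ref"]))
        if match is None:
            # The switch answered "approved" but the host never saw the request.
            reasons.append("no_host_authorization")
        elif match["amount"] != a["amount"]:
            reasons.append("amount_mismatch")
        spent[a["card_ref"]] += a["amount"]
        # Unknown cards are treated as having a zero balance.
        if spent[a["card_ref"]] > balances.get(a["card_ref"], Decimal("0")):
            reasons.append("exceeds_available_balance")
        if reasons:
            findings.append((a["trace_id"], a["card_ref"], reasons))
    return findings


if __name__ == "__main__":
    for trace_id, card_ref, reasons in reconcile(SWITCH_APPROVALS, HOST_AUTHS, BALANCES):
        print(trace_id, card_ref, ",".join(reasons))
```

The reconciliation is only meaningful if the host-side records are collected from a system other than the switch application server, since a compromised switch cannot be trusted to report its own traffic.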