There’s a new hack in town, and the U.S. Secret Service calls it “Unlimited Operation.” Targeting ATMs belonging to small- and medium-sized banks, the hackers use stolen credentials to log in to the ATM systems’ remote admin panels and change the cash withdrawal limits to “Unlimited.” They then use stolen debit cards to withdraw as much cash as possible—sometimes more than victims actually have in their accounts.
- A successful spear-phishing attack puts malware on an employee workstation—pwned!
- Hacker monitors the workstation/endpoint to see how the admin normally logs in to the remote admin panel for the bank's ATM system.
- Hacker uses a DDoS attack to distract bank security while he logs in to the ATM admin panel.
- Hacker removes the withdrawal limits for certain ATMs and/or bank accounts.
- The ATM remains uncompromised: limits are controlled through a legitimate admin console.
- Audit bank employees' workstations and create baselines of "normal" behavior and processes for each.
- Run regular scans to see whether any workstation is running non-whitelisted processes or has suspicious remote connections, perhaps judged by the geography of the remote IP or domain.
- Perform regular hunts for anomalies.