Metel Hackers Roll Back ATM Transactions, Steal Millions

msm1267 writes: Researchers from Kaspersky Lab's Global Research & Analysis Team today unveiled details on two new criminal operations that have borrowed heavily from targeted nation-state attacks, and also shared an update on a resurgent Carbanak gang, which last year, it was reported, had allegedly stolen upwards of $1 billion from more than 100 financial companies. The heaviest hitter among the newly discovered gangs is an ongoing campaign, mostly confined to Russia, known as Metel. This gang targets machines that have access to money transactions, such as call center and support machines, and once they are compromised, the attackers use that access to automate the rollback of ATM transactions. As the attackers empty ATM after ATM—Metel was found inside 30 organizations—the balances on the stolen accounts remained untouched.

Re:

[sims 2]

45 6E 67 6C 69 73 68 2E

Where's the link?

[n0creativity]

I'm on the mobile site, as I usually am, reading /. on my phone while having a cig (no judgments please). I can't, for the life of me, find the link to RTFA when it's not included in the summary text! What am I missing?!?!

Re:

[Anonymous Coward]

Don't worry, there isn't a link for the article on the non-mobile site either.

Re:

[Anonymous Coward]

https://threatpost.com/spree-of-bank-robberies-show-cybercriminals-borrowing-from-apt-attacks/116173/ [threatpost.com]

For me in the article header is a clickable link next to the headline "Metel Hackers Roll Back ATM Transactions, Steal Millions ": (threatpost.com)

If you could heist that many millions you could retire right there and be set. If they're stealing a billion then what do you use that for? That's more like nationstate or mega corp level money and influence.

Re: Where's the link?

[n0creativity]

Are you on the mobile site? For me (running Chrome on my Samsung GS5), there is no link in the article header. This isn't specifc to this article, either. Unless the submitter includes a link in the summary, I never see a link on my phone.

Re:

[tburkhol]

The article header "Metel Hackers..." is a link to the slashdot article. The parenthetical note "(threatpost.com)" is a link to the threatpost article. Reading on a desktop in classic.

I don't know how long it's been like that. I don't remember the parenthetical thing being clickable before, but that may just be because I've gotten used to slashdot's systems of LINK[hostname] tagging, where the link is clickable and the hostname is not.

Re: Where's the link?

[bill_mcgonigle]

Same here. Mobile doesn't have the 1990's comment delay problem, but it has it's own warts.

Re:Where's the link?

[PPH]

Link [threatpost.com].

Please, no applause. Just throw money.

Re:

[antdude]

I am throwing money (IRR) at my monitor, but it is not working!

Re:

[ShaunC]

Can confirm with Firefox on Android. The little "(threatpost.com)" link that appears on the standard version of the site, which is hard enough to find there, doesn't show up at all on mobile.

Re:

[mjwx]

I'm on the mobile site, as I usually am, reading /. on my phone while having a cig (no judgments please).

Look, what you choose to do with a welder is your business, but for the love of god get off Slashdot whilst you're doing it. Cig welders can cause some serious injuries if you're not careful.

Roll-back as in play-back?

[TWX]

Just to confirm...

Rollback means playback, right? Like, they record how the ATM communicates the authentication portion of the transaction, and replay that same communication with the ATM until its stored cash has all been dispensed and it's now empty?

Seems like the people that designed the ATMs and their authentication protocols have some 'splaining to do. This kind of vulnerability should have been anticipated and the software hardened against, given that this is machine-to-machine encryption, not person-to-machine.

Re:

[OverlordQ]

Well, once they've hacked the machine it doesn't really matter how secure their protocols are as they are effectively the machine at that point.

Re:Roll-back as in play-back?

[Lord Crc]

I read it as they rollback in the database sense, so that the account still has money and they just make repeat withdrawals until the machine is empty.

Re:Roll-back as in play-back?

[alphatel]

I read it as they rollback in the database sense, so that the account still has money and they just make repeat withdrawals until the machine is empty.

Exactly correct. With good accounting measures this would be noticed much faster as deficits start to mount. But with criminals hiding in the bank's systems for months, it's easy to plan this during system maintenance or on days when tallies on bankrolls aren't being performed.

A little OT: This reminds me though of how Bank Robbers always shared this mythical celebrity status with a big portion of the population. In the 20's people blamed banks for everything and were happy to see them suffer. In 2016 the banks are still screwing the population over at a much faster rate, yet you never hear of hackers being heroes to any but a select few.

Re:

[Ravaldy]

This reminds me though of how Bank Robbers always shared this mythical celebrity status with a big portion of the population

References please because I don't believe it. Up until your money was secured by the bank or the government itself, very few appreciated bank robbers because it meant they lost money.

I went and looked at dozens of recent bank robberies stories and nobody in the comment was putting them on a pedestal. They were quick at calling them lazy and scum though!

In 2016 the banks are still screwing the population over at a much faster rate, yet you never hear of hackers being heroes to any but a select few.

That's a matter of perception isn't it? You say the banks screw you, yet you leave your money with them. You have no obligations to do so.
Keeping the same tr

re: perception and reality

[King_TJ]

People are generally upset with our banks because while they accept them as basically essential, they don't approve of much of what they do.

The banks can and do screw me, from time to time, yet yes - I leave my money with them. I might not have an "obligation" to do so, but it becomes very difficult to go around them. Most employers prefer to pay with direct deposit to a bank account, for example. If you opt out? They might cut you checks which you've got to go to check cashing places to cash, and incur fee

Re:

[Ravaldy]

check cashing places to cash, and incur fees for doing so right off the bat. Then you incur the risk of carrying that much cash around with you everywhere too.

So the bank is supposed to take this risk you don't want to take and guarantee the safety of your money at no cost?
The alternative is for you to hire a security company to escort the money to your safe.

Try to make a major purchase and the country flags you as a terrorist suspect the minute you make a large cash payment for it!

Wrong, they flag your transaction for review. Two very different things.

Try to take cash on an airline flight and again

If you are crossing borders that makes absolute sense. If you aren't crossing borders you can carry as much money as you want. You should notify TSA ahead of travels: http://www.airsafe.com/issues/... [airsafe.com]

since there's no record of you having your name on a savings or checking account or any other real credit history.

Would you loan your money to someone

Apologies for banks?

[King_TJ]

Seriously? I'm a "sheep" for hating the banking system we've got in place?

Let's talk about that "interest collected on savings", shall we? It's so little these days, it's pretty much worthless. Meanwhile, you let the bank use your money while it sits there, to lend out to someone else at a FAR higher interest rate than you're being paid on it.

Or let's talk ATM machines.... Ostensibly deployed for customer convenience, they're ALSO quite popular with banks because it allowed them to stop hiring nearly so

Re:

[Ravaldy]

Let's talk about that "interest collected on savings", shall we? It's so little these days

That's because the interest rates are crap all together. Lenders are lending at 4% - 8% while you get 1$ - 3%. You can't blame the banks for making borrowing affordable.

That means, a big cost savings for the banks

Yes, it is but you forget that the cost of transactions is significantly lower if you compare the average salary from today to 20 years ago.

And why, in most cases, will the bank who owns that ATM *also* add on a $2.00 or more fee for withdrawing the money?

Where do you pull your money from? Those random ATMs in the grocery and convenience stores? As long as I pull my money out of an ATM that is parts of the partner circle for my bank I pay a flat monthly f

Re:

[alphatel]

References please because I don't believe it. Up until your money was secured by the bank or the government itself, very few appreciated bank robbers because it meant they lost money.

If you haven't heard of these people, or how legendary they were, I can't really help you any further. http://www.legendsofamerica.co... [legendsofamerica.com]

Re:

[Ravaldy]

If you haven't heard of these people, or how legendary they were, I can't really help you any further. http://www.legendsofamerica.co... [www.legendsofamerica.co] [legendsofamerica.com]

I also heard of Hitler. Did you?

Is it not the most talked about villain of all times? Does that mean people admire him? ABSOLUTELLY NOT!

Re:

[moeinvt]

Can't speak for the OP, but the whole debt-based monetary system is one colossal screw! Sovereign governments give up their monetary power and allow a group of private corporations called "banks" to create the money. Then, the government uses force to coerce the citizenry into using the privately created debt-money. Since the whole money supply, minus a tiny amount of physical currency is really just a series of debt obligations and the banking system is a closed loop, banks are collecting interest on mo

Re:

[jbengt]

Or are you confusing Deposit banks with Investment banks?

Problem is, the laws were changed in the 1990s to allow 'Deposit banks' to act like Investment banks and play Stock Market, REIT, Credit Default Swap, and other Option games with the deposits. That's been partly rolled back since the great recession.
And yes, when those houses of cards fell, that was a bank screw, as the taxpayers had to pony up money to shore up the inadequate deposit insurance pools and to prevent a depression.

Re:

[mjwx]

A little OT: This reminds me though of how Bank Robbers always shared this mythical celebrity status with a big portion of the population. In the 20's people blamed banks for everything and were happy to see them suffer. In 2016 the banks are still screwing the population over at a much faster rate, yet you never hear of hackers being heroes to any but a select few.

Banks these days aren't distrusted and despised like they used to be in the 20's.

People will actually defend banks ripping them off these days because banks do it indirectly and give a pittance to the end user to buy their loyalties. Cashback, rewards, frequent flyer points and what not to get the end user sucked into using credit then they charge the merchant for accepting credit. The merchant is not in a position to say no because they have literally addicted (via gamification) the end user into using

Re:Roll-back as in play-back?

[rhazz]

No they really mean roll-back, as in a transaction.

1. Get access to PC which has access to banking transactions.
2. Install malware on PC which automatically rolls back ATM transactions with a particular signature (probably matching some stolen or duplicated bank card)
3. Go to an ATM and simply withdraw $500 over and over until the ATM runs out of money.

The ATM allows it because due to the rollbacks the balance of the account hasn't gone down.

Re:

[Anonymous Coward]

“With the automated rollback the money was instantly returned to the account, when the cash has already been dispensed from the ATM. The group worked exclusive at nights, emptying ATM cassettes at several locations.”

They'd withdraw the money, and then roll-back the transaction, so that it looks like no transaction actually occurred, at least when looking at the logs.

Have to have a rollback feature....but something

[Anonymous Coward]

smells.

The only reason why an ATM transaction should be able to be "rolled-back" is if the machine dispensed never dispensed the cash.

Cash dispensers aren't generally "smart enough" to know if they actually dispense cash or not. They try hard (photo-sensors, knowing how much cash in the system, etc) -- but at the end of the day you're talking about ejecting paper. Paper jams do occur. A rollback mechanism must be in place.

Here's the thing - we're talking VERY small amounts. $200 at a shot. Multiple A

Re:

[LynnwoodRooster]

A team of 50 people - that's $5 million a day. Do it sporadically over the course of a few years - yeah, a billion is possible...

Re:

[IamTheRealMike]

Banks can roll back transactions for various reasons, e.g. bankruptcy proceedings, mistakes by their own operators or by customers, or ... transactions that are fraudulent. The Metel gang obviously had a sense of irony in exploiting this ability to undo fraudulent transactions to their own benefit.

Re:

[swb]

Like, they record how the ATM communicates the authentication portion of the transaction, and replay that same communication with the ATM until its stored cash has all been dispensed and it's now empty?

Had this fantasy in the 1980s when I noticed the student union ATM had what looked like an exposed Cat-3 phone cable sticking out of it. I naively thought "what if it's a modem, and you tapped the line, reverse engineered a withdrawal transaction, and then replayed the withdrawal ACK endlessly until you suck

Re:

[Livius]

Rollback means playback, right?

No, quite the opposite.

No links?

[Anonymous Coward]

http://usa.kaspersky.com/about-us/press-center/press-releases/carbanak-and-beyond-banks-face-new-attacks

Re:

[rhazz]

It's in the stupid green header bar. Still boggling at that design decision.

Re:

[gstoddart]

Apparently, only sometimes ... I can see 4 stories on the front page in which that isn't true.

So, it's not even consistent.

Re:

[Anonymous Coward]

Modded down because - The TFA didn't mention that the ATMs ran Windows and even if they did, what is notable is the access to the databases. Also, why rant about the loss of american jobs ... in Russia?

Re:

[sjames]

But TFA DID. It spoke of the value to the hackers in gaining control of the domain controller. That's a Windows thing.

Re:

[WindBourne]

Where did I rant about loss of American jobs? Not a once. I spoke ONLY of the security issue. And I will bet that each of these are running windows which makes it easy to leave backdoors in.

Re:

[tetraverse]

Didn't you know, the microserfs monitor this forum for an criticism of MICROS~1 Windows :)

Pre-software roll back

[gurps_npc]

What they do is put the ATM machine on wheels and push it really hard. This "rolles back the ATM" hard enough till the machine's back breaks open, where upon they steal all the cash.

Really people, don't use abbreviations, or ambiguous terms. No matter how 'cool' you think you are, there are less technical people out there that still want to know what you have to say. Using that kind of crap without explaining it doesn't make you see knowledgeable, it just makes you seem like a fool. Nor is it that har

Re:

[gurps_npc]

I was referring to stupid stuff that hasn't entered the non-technical community, such as the aaS abbreviation used earlier today. I knew what SaaS, but aaS is just a way to pretend to be 'in the know', not helpful.

Our tax dollars at work...

[mitcheli]

... that have borrowed heavily from targeted nation-state attacks

'nough said.

Fuck the banks

[Anonymous Coward]

This is awesome.

The bank still has the same digital balance, it just doesn't have the physical notes any more.

It's the perfect victimless crime.

Windows ATMs connected to the Internet.

[tetraverse]

Why are these ATMs connected to the Internet and who decided to run Windows on them: Carbank ring steals $1 billion from banks [threatpost.com]