
The Central/Host Fraud definitions used by EAST when issuing Fraud Alerts, or when compiling the statistics and other information for European Payment Terminal Crime Reports and Fraud Updates, are shown below. These definitions have been prepared by the EAST Expert Group on All Terminal Fraud (EGAF).

The aim is for these Central/Host Fraud Definitions to be adopted globally when describing or reporting payment or terminal fraud. Central/Host Fraud Definitions cover attacks against central infrastructure, such as banking host systems, that are used to perform Modus Operandi not directly connected to a terminal.

The compromise of a corporate network is the first step in these types of incidents. This can be done by external attackers as well as by internal employees of the institution. The following description of a Corporate Network Attack explains how attackers typically try to gain access to this critical infrastructure, enabling the three different Modus Operandi described below.

EAST also publishes Fraud Terminology, Fraud Definitions, Terminal Fraud Definitions, Terminology for Locations of Card Data Compromise (CDC) Devices at Terminals, Terminal Physical Attacks Definitions & Terminology, and Countermeasures against ATM Malware and Black Box Attacks.

Preparation: Corporate Network Attack

Description: A corporate network attack is a sequence of sophisticated, targeted malicious attacks aimed at a specific company, system or software, based on some specific knowledge regarding the target. It pursues its objectives over an extended period of time and may adapt to the defenders’ efforts to resist. It is determined to maintain the level of interaction needed to execute its objective.

A corporate network attack enables the attacker to reach one of the following objectives:

a. Financial gain: MOs related to card processing, fund transfer, or remote malware distribution and control
b. Reputational damage, data loss, espionage, blackmail, sabotage of infrastructure, etc.

Corporate network attacks, which are sometimes also referred to as Advanced Persistent Threat (APT), can cover several types of modus operandi. Some of these are listed below:

• Card Processing
• Fund transfer
• Remote malware distribution and control
• Data breaches
• Ransomware
• Denial of Service attack
• BIN Attack
Execution: Corporate network attacks are typically launched via targeted spear-phishing email campaigns. Once activated, the malware resides within an internal area of the network and can be used by the fraudsters for a specific purpose. Emails sent to employees of the target financial institution can include detailed information about internal processes or members of the company in order to appear legitimate. They can include malicious links or malware attachments exploiting vulnerabilities of the targeted system. The emails can be accompanied by social engineering via phone calls or other measures.

Characteristics: After infection, fraudsters try to achieve persistence within the network and start lateral movement, including attempts to escalate privileges, in order to extend access to other parts of the infrastructure. Infected systems usually return information about their software stack and its immediate vicinity to a command and control (C&C) server controlled by the attacker. The infected systems can often receive additional tools from the C&C server. This server is an essential part of these types of attacks, enabling the fraudsters to penetrate the network of the financial institution in order to reach their objective.

Corporate network attacks differ for every environment, and fraudsters need to adapt their actions individually to the architecture of the network and the countermeasures in place.
Modus Operandi: Card Processing

Definition: Control of a financial institution's card processing infrastructure leading to illegitimate ATM withdrawals using transactions that are genuine from an ATM perspective. This is also known as 'Unlimited Operations / Cash Outs'.

This Modus Operandi is different from a Man-in-the-Middle (MITM) attack, where the communication between the ATM and a legitimate host is targeted.
Execution: Fraudsters use a corporate network attack to take over the command and control of a financial institution's card processing infrastructure, which enables the fraudster to set limits for current credit or debit cards to 'unlimited' or to create new cards for fraudulent use. It might also include disabling checks for EMV cards. Stolen cards or prepaid cards in their possession, or clones of the affected cards, are then used for 'cash-out' operations at ATMs globally (in multiple countries). This often occurs within a short period of time after the card processing infrastructure was compromised. ATMs are used as redemption points and cannot distinguish between legitimate transactions and rogue transactions, which are authorized based on fraudulent accounts.

Financial Institution Impact

Financial: If successful, a financial loss will be incurred.

Operational: May result in loss of service at Terminals or the Host.

Reputational: These incidents may influence customers’ trust in the banking industry and their capabilities to securely handle funds in general.
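As an added, defender-side illustration (not part of the EAST definitions), the following Python sketch flags the 'Unlimited Operations / Cash Out' pattern described above in a constructed audit trail: a card limit changed to 'unlimited', followed within a short window by withdrawals in several countries or in rapid succession. The event formats, thresholds and card identifiers are assumptions made for the example.

```python
# Added example, not EAST's own tooling: correlate card-limit changes with ATM
# authorisations to surface the cash-out pattern (limit set to 'unlimited', then
# withdrawals in multiple countries within a short window).
from collections import defaultdict
from datetime import datetime, timedelta

UNLIMITED = float("inf")  # assumed representation of 'no limit' in the sample data

# Constructed sample audit trail (no real card numbers): (timestamp, card, new_limit)
LIMIT_CHANGES = [
    ("2024-03-01T22:05:00", "card-A", UNLIMITED),
    ("2024-03-01T22:06:00", "card-B", UNLIMITED),
    ("2024-03-01T09:00:00", "card-C", 500.0),  # ordinary limit update, not suspicious
]
# Constructed ATM withdrawal authorisations: (timestamp, card, country, amount)
AUTHS = [
    ("2024-03-02T01:10:00", "card-A", "DE", 1000.0),
    ("2024-03-02T01:12:00", "card-A", "PL", 1000.0),
    ("2024-03-02T01:15:00", "card-A", "ES", 1000.0),
    ("2024-03-02T01:20:00", "card-B", "DE", 800.0),
    ("2024-03-02T01:21:00", "card-B", "DE", 800.0),
    ("2024-03-02T10:00:00", "card-C", "DE", 200.0),
    ("2024-03-05T10:00:00", "card-C", "FR", 200.0),
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_cash_out_candidates(limit_changes, auths, window_hours=24,
                             min_countries=2, min_withdrawals=5):
    """Return {card: summary} for cards whose limit was raised to UNLIMITED and
    that were then used, within window_hours of that change, in at least
    min_countries countries or for at least min_withdrawals withdrawals."""
    unlimited_at = {card: _ts(t) for t, card, lim in limit_changes if lim == UNLIMITED}
    activity = defaultdict(lambda: {"countries": set(), "withdrawals": 0, "total": 0.0})
    for t, card, country, amount in auths:
        start = unlimited_at.get(card)
        # Only withdrawals after the limit change and inside the window count.
        if start is not None and start <= _ts(t) <= start + timedelta(hours=window_hours):
            a = activity[card]
            a["countries"].add(country)
            a["withdrawals"] += 1
            a["total"] += amount
    return {card: {"countries": sorted(a["countries"]), "withdrawals": a["withdrawals"],
                   "total": a["total"]}
            for card, a in activity.items()
            if len(a["countries"]) >= min_countries or a["withdrawals"] >= min_withdrawals}
```

With the sample data only card-A is flagged (three countries within the window); card-B stays below both thresholds unless min_withdrawals is lowered, and card-C never had its limit set to unlimited.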
Modus Operandi: Fund Transfer
Definition: Control of a financial institution's fund transfer infrastructure leading to illegal funds transfer using SWIFT/electronic banking.

Execution: Fraudsters use a corporate network attack to take over the solution controlling the financial institution's fund transfer infrastructure. This enables the fraudster to perform illegitimate fund transfers within the inter-banking fund transfer system.

Financial Institution Impact

Financial: If successful, a financial loss will be incurred.

Operational: May result in loss of service.

Reputational: These incidents may influence customers’ trust in the banking industry and their capabilities to securely handle funds in general.
Modus Operandi: Remote Malware Distribution and Control
Definition: Control of a financial institution's network leading to illegitimate file distribution in order to install and execute ATM-specific malware. The malware Modus Operandi actually used within the attack can be Jackpotting, Man-in-the-Middle or SW-Skimming. These are described in the Terminal Fraud Definitions.

Execution: Fraudsters use a corporate network attack to take over the command and control of a financial institution's network. Afterwards they identify either ATM endpoints directly or the servers used for maintaining the ATM infrastructure, such as monitoring and software distribution solutions. Via these servers, or via the connection to an ATM, they distribute and control ATM-specific malware for different purposes. From the ATM perspective, the malware might be delivered in an otherwise legitimate package, such as a standard update procedure.

When jackpotting malware is used, a coordinated action is necessary to control the malware while, in parallel, sending money mules to the correct ATM to retrieve the cash. These operations are typically highly organised, involving many different people performing the appropriate action at the right time.

ATM Deployer Impact

Financial: Financial loss at the time of a Jackpotting or MitM attack, or at a future point in the case of SW-Skimming.

Operational: May result in loss of service.

Reputational: SW-Skimming or MitM could result in compromise of data and loss incurred by card issuers.
Card Holder Impact

Depending on the malware type, the card holder either sees a normal transaction (SW-Skimming and MitM) or the ATM may be out of service (Jackpotting).
A summary document, "EAST Central/Host Fraud Definitions", is available to view or download.