Mastermind Behind €1 Billion Cyber Bank Robbery Arrested

The leader of the cybercrime syndicate behind the Carbanak and Cobalt malware attacks, which infiltrated over 100 financial institutions in 40 countries, has been arrested in Alicante, Spain. The arrest followed a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarusian and Taiwanese authorities and private cyber security companies.

Since 2013 the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over €1 billion for the financial industry. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist.

Cashing out

The money was then cashed out by one of the following means:

  • ATMs were instructed remotely to dispense cash at a pre-determined time, with the money being collected by organised crime groups supporting the main crime syndicate: when the payment was due, one of the gang members was waiting beside the machine to collect the money being ‘voluntarily’ spit out by the ATM;
  • The e-payment network was used to transfer money out of the organisation and into criminal accounts;
  • Databases with account information were modified so that bank account balances would be inflated, with money mules then being used to collect the money.

The criminal profits were also laundered via cryptocurrencies, by means of prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses.

International police cooperation

International police cooperation coordinated by Europol and the Joint Cybercrime Action Taskforce was central in bringing the perpetrators to justice, with the mastermind, coders, mule networks, money launderers and victims all located in different geographical locations around the world.

Europol’s European Cybercrime Centre (EC3) facilitated the exchange of information, hosted operational meetings, provided digital forensic and malware analysis support and deployed experts on-the-spot in Spain during the action day.

The close private-public partnership with the European Banking Federation (EBF), the banking industry as a whole and the private security companies was also paramount in the success of this complex investigation.

The full Infographic can be seen on the Europol Website

Countering ATM Black Box attacks

Black box attacks on ATMs are a form of logical attack. To perform these ‘cash-out’ or ‘jackpotting’ attacks the criminals connect an unauthorised device (typically an unknown box or laptop) to an ATM. This device then sends dispense commands directly to the ATM cash dispenser in order to get it to spit out banknotes. In order to physically connect such a device the criminals gain access to the ATM’s Top Box by either drilling or melting holes.

The latest statistics published by EAST show that, while the number of black box attacks in Europe is increasing, related losses have fallen when comparing 2016 with 2015.  This drop can be partly attributed to the recent arrests by law enforcement agencies across Europe (in an operation supported by EC3, Europol’s European Cybercrime Centre) and partly to actions taken by the industry to counter such attacks.  The first black box attacks in the Czech Republic took place in August 2016 and three arrests were subsequently made there by the Police.  The industry also took actions to counter such attacks and, at the upcoming EAST Financial Crime & Security Forum (EAST FCS 2017), Petr Ullmann from NCR in the Czech Republic will give an update on the actions taken.

About Petr Ullmann

After graduating in 2007 Petr Ullmann started his career as an IT and network administrator in the automotive industry and went on to work for various Czech companies in IT administration and project management roles.  His key area of expertise was Enterprise Resource Planning (ERP) software – business process management software that allows an organization to use a system of integrated applications to manage the business and automate many back office functions related to technology, services and human resources.

In 2011 he joined NCR Česká republika, initially working as a member of a team working on a project for Tesco Plc in Central Europe.  Since then he has worked on several specific projects for NCR customers (banks and financial institutions) including the migration to Windows 7 and implementation of McAfee ePO.

Who Is Attending?

Over 150 delegates will attend EAST FCS 2017 from ATM networks, banks, law enforcement, vendors, and EAST national and associate members.

Book soon to ensure you don’t miss this great opportunity to attend what has been described as an “excellent event for helping to make a difference in the area of financial crime prevention”.

There are some sponsorship slots still available so, if you are in the business of ATM crime and fraud prevention and wish to showcase your brand to a key audience, contact us.

ATM Malware Criminals Apprehended

Five members of an international organised criminal group (OCG) have been arrested and three of them convicted so far as a result of a complex operation led by law enforcement agencies from Europe and Asia, with the active support of Europol’s European Cybercrime Centre (EC3). One arrest was made by the Romanian National Police, three arrests by the Taiwanese Criminal Investigation Bureau and one arrest by the Belarusian Central Office of the Investigative Committee. EC3 assisted the investigation by providing analytical support, organising operational meetings in Europe and Asia as well as analysing the seized data/equipment.

This OCG is responsible for carrying out highly-sophisticated ATM malware attacks against bank ATMs, which were made to dispense all the money they contained (known as cash-out or jackpotting).  The modus operandi employed was highly sophisticated and involved:

  • spear-phishing emails with attachments containing malicious programmes,
  • penetration of the banks’ internal networks,
  • compromising and controlling the network of ATMs,
  • special computer programmes which deleted most of the traces of the criminal activity, etc.

Related losses suffered by the affected banks are estimated at around EUR 3 million. In some cases, after the cashing-out, the stolen money was partially recovered from the criminals.

A key factor for the successful dismantling of this international cybercrime syndicate was close police cooperation on the global level and deep involvement of the Europol Liaison Office at the INTERPOL Global Complex for Innovation (IGCI).

Steven Wilson, Head of EC3, said: “The majority of cybercrimes have an international dimension, taking into account the origins of suspects and places where crimes are committed. Only through a coordinated approach at the global level between law enforcement agencies can we successfully track down the criminal networks behind such large-scale frauds and bring them to justice.”  Mr Wilson will give the keynote address at the EAST Financial Crime and Security Forum which will be held in The Hague on 8th/9th June 2017.

To further strengthen international police cooperation the Third Strategic Meeting on Payment Card Fraud (PCF) was held last month at the Electronic Transactions Development Agency (ETDA) in Bangkok, Thailand.

Europol, working with the EAST Expert Group on ATM Fraud (EGAF), has published guidelines to help industry and law enforcement counter the threat presented by ATM logical and malware attacks.