Hackers Stole Money From Israeli Bank Accounts via ATMs, Analysts Claim

Russian cyber security firm says ATMZombie combined sophisticated online attacks with mules who would collect the cash.

Bloomberg

Israeli bank clients lost hundreds of thousands of dollars in an operation that combined sophisticated computer hacking with the simple tactic of employing local teenagers to physically take cash out of automated teller machines.

The theft, which involved amounts of money never exceeding $750, was revealed over the weekend in a blog post by the Russian cyber security firm Kaspersky Lab. It was done using what researchers dubbed the ATMZombie Trojan because it involved hiring teenagers as mules, or zombies, to collect the money.

“The technique allowed the attackers to stay anonymous and supervise the entire campaign remotely. It also points to a new type of attack, where attackers control residents of a country to operate as an insider and deliver a basic service,” researchers for the company said in a blog post.

Police and the banks — none of which were identified — were alerted to the threat, blocked it and compensated clients who lost money through the scheme, Kaspersky said.

Kaspersky said it first identified the ATMZombie last November and more recently discovered it was being used in a cyberattack campaign focused on Israeli bank accounts. It said the hackers used a phishing campaign, rather than a mass spam emailing, to lure victims, so that each email or link was addressed to a specific victim or bank.

“This requires either very good intelligence-gathering techniques or an insider that can, legitimately or not, get a hold of the list of clients,” the blog said.

According to Kaspersky’s analysis, the Trojan that victims unknowingly downloaded onto their computers would wait for the victim to log in to his or her bank account and then steal those credentials. It would then log in on its own using the victim’s name and use the bank’s SMS feature to send money to the so-called ATMZombie.

Instead of relying only on direct wire transfers or trading credentials, the hackers exploited a loophole in one of the bank’s online features and used it to have money physically withdrawn from an ATM by a mule who likely had no idea he or she was part of a larger scheme.

The mules, who likely were paid a small percentage of the stolen cash for their work, forwarded the money to the hackers via the post office or other channels, Kaspersky said.