Metel Hackers Roll Back ATM Transactions, Steal Millions

msm1267 writes: Researchers from Kaspersky Lab's Global Research & Analysis Team today unveiled details on two new criminal operations that have borrowed heavily from targeted nation-state attacks, and also shared an update on a resurgent Carbanak gang, which last year, it was reported, had allegedly stolen upwards of $1 billion from more than 100 financial companies. The heaviest hitter among the newly discovered gangs is an ongoing campaign, mostly confined to Russia, known as Metel. This gang targets machines that have access to money transactions, such as call center and support machines, and once they are compromised, the attackers use that access to automate the rollback of ATM transactions. As the attackers empty ATM after ATM—Metel was found inside 30 organizations—the balances on the stolen accounts remained untouched.

Where's the link?

[n0creativity]

I'm on the mobile site, as I usually am, reading /. on my phone while having a cig (no judgments please). I can't, for the life of me, find the link to RTFA when it's not included in the summary text! What am I missing?!?!

Re:Where's the link?

[PPH]

Link.

Please, no applause. Just throw money.

Roll-back as in play-back?

[TWX]

Just to confirm...

Rollback means playback, right? Like, they record how the ATM communicates the authentication portion of the transaction, and replay that same communication with the ATM until its stored cash has all been dispensed and it's now empty?

Seems like the people that designed the ATMs and their authentication protocols have some 'splaining to do. This kind of vulnerability should have been anticipated and the software hardened against, given that this is machine-to-machine encryption, not person-to-machine.

Re:Roll-back as in play-back?

[OverlordQ]

Well, once they've hacked the machine it doesn't really matter how secure their protocols are as they are effectively the machine at that point.

Re:Roll-back as in play-back?

[Lord+Crc]

I read it as they rollback in the database sense, so that the account still has money and they just make repeat withdrawals until the machine is empty.

Re:Roll-back as in play-back?

[rhazz]

No they really mean roll-back, as in a transaction.

1. Get access to PC which has access to banking transactions.
2. Install malware on PC which automatically rolls back ATM transactions with a particular signature (probably matching some stolen or duplicated bank card)
3. Go to an ATM and simply withdraw $500 over and over until the ATM runs out of money.

The ATM allows it because due to the rollbacks the balance of the account hasn't gone down.

Re:Roll-back as in play-back?

“With the automated rollback the money was instantly returned to the account, when the cash has already been dispensed from the ATM. The group worked exclusive at nights, emptying ATM cassettes at several locations.”

They'd withdraw the money, and then roll-back the transaction, so that it looks like no transaction actually occurred, at least when looking at the logs.

Re:Roll-back as in play-back?

[alphatel]

I read it as they rollback in the database sense, so that the account still has money and they just make repeat withdrawals until the machine is empty.

Exactly correct. With good accounting measures this would be noticed much faster as deficits start to mount. But with criminals hiding in the bank's systems for months, it's easy to plan this during system maintenance or on days when tallies on bankrolls aren't being performed.

A little OT: This reminds me though of how Bank Robbers always shared this mythical celebrity status with a big portion of the population. In the 20's people blamed banks for everything and were happy to see them suffer. In 2016 the banks are still screwing the population over at a much faster rate, yet you never hear of hackers being heroes to any but a select few.

Re:Roll-back as in play-back?

[IamTheRealMike]

Banks can roll back transactions for various reasons, e.g. bankruptcy proceedings, mistakes by their own operators or by customers, or ... transactions that are fraudulent. The Metel gang obviously had a sense of irony in exploiting this ability to undo fraudulent transactions to their own benefit.

Re:Roll-back as in play-back?

[swb]

Like, they record how the ATM communicates the authentication portion of the transaction, and replay that same communication with the ATM until its stored cash has all been dispensed and it's now empty?

Had this fantasy in the 1980s when I noticed the student union ATM had what looked like an exposed Cat-3 phone cable sticking out of it. I naively thought "what if it's a modem, and you tapped the line, reverse engineered a withdrawal transaction, and then replayed the withdrawal ACK endlessly until you sucked all the money out."

As it happened, 20-odd years later, I ended up at dinner with the guy that ran that ATM network at the time. One, he said that was most likely a leased line, not a dialup, making the interception of the more complicated than an analog modem. Two, he said there was anti-replay and encryption built into the system even then.

His advice was to just steal the entire ATM.

Re:No links?

[rhazz]

It's in the stupid green header bar. Still boggling at that design decision.

Re:Have to have a rollback feature....but somethin

[LynnwoodRooster]

A team of 50 people - that's $5 million a day. Do it sporadically over the course of a few years - yeah, a billion is possible...

Re:Pre-software roll back

[gurps_npc]

I was referring to stupid stuff that hasn't entered the non-technical community, such as the aaS abbreviation used earlier today. I knew what SaaS, but aaS is just a way to pretend to be 'in the know', not helpful.

Fuck the banks

This is awesome.

The bank still has the same digital balance, it just doesn't have the physical notes any more.

It's the perfect victimless crime.