Analysis: Japanese ATM super-raiders bag £9m in 3 hours

Land of the rising cyber-crime?

Japanese police are investigating a raid that hit as many as 1,400 ATMs in a sophisticated, coordinated attack this month. Hackers are thought to have bagged 1.4 billion yen (roughly £9 million) in cash from ATMs in convenience stores across Japan.

Japan is home to its own brand of mafia and a string of illicit underground cybercrime communities, but in this case the ATM raiders are said to have used cards cloned from data stolen from Standard Bank in South Africa.

Trend Micro warned last year that there would be a big increase in incidents of cyber-crime in Japan as criminals got to grips with technology. 

Although Japanese police initially held back from naming Standard Bank in South Africa directly, the firm itself came forward to confirm its involvement with the attack. The Standard Bank of South Africa Limited is one of South Africa's largest financial services groups, currently operating in 32 countries around the world, including 20 in Africa.

“The South African banking operations of Standard Bank Group have been the victim of a sophisticated, coordinated fraud incident,” the bank said in a statement. 

Eyewitness News South Africa notes that, “The bank says the target of the fraud has been Standard Bank and there has been no financial loss for customers.”

Land of the rising cyber-crime

Japan's own National Police Agency has said that cyber-criminal activities in the period recorded up until March 2015 increased 40 percent over the previous year, a statistic highlighted by Pierluigi Paganini, chief information security officer at identity management company Bit4Id.

Writing on SecurityAffairs, Paganini says that Japanese authorities are investigating the case alongside the South African authorities through the International Criminal Police Organization (INTERPOL).

“Further information about the criminal operations reveals that there were approximately 14,000 transactions, the maximum amount of money that was stolen by criminals is 100,000 yen and it was withdrawn from Seven Bank ATMs using the fake credit cards,” said Paganini.

As many as 100 perpetrators are believed to have been involved in carrying out the attack, a number that illustrates the scale, scope and overall level of coordination in this particular case.

We've been here before, you know

F-Secure security advisor Sean Sullivan says that we've seen coordination of this nature before now. Speaking exclusively to SCMagazineUK.com, Sullivan pointed to a KrebsOnSecurity report which details how organised cyber-criminals stole almost US$11 million in two highly coordinated ATM heists in the final days of 2012.

“Cloning cards in past cases was done with recycled gift cards. The ATM models located at 7-Eleven are probably just mag-swipe based. So, are consumers protected by the bank? In past cases, schemes such as these have been possible because of flaws on the bank's side. So, yes, customers will be protected in such cases,” said Sullivan.

“Organised crime gangs were involved in past cases – they have the resources on the ground. Or they can recruit people. Many of those arrested in past ATM schemes were drugs users – recruited by their pusher,” he added.

Stephen Coty, chief cyber security evangelist at Alert Logic, spoke to SC about this story to say that these types of attacks are very common for cyber-criminals and organised crime. They will hijack ATM cards from various accounts and then deliberately NOT sell them on the underground market, as this might trigger a fraud alert.

An attack lying in wait

“They will then start printing cards with the strip information digitised on the mag strips to tell ATMs everything from account numbers to daily limits of withdrawal. Instead of selling these cards, they will instead hold them for months, or sometimes years, until they have amassed ‘enough’ cards to run a 72 hour weekend campaign that will net millions,” said Coty.

The Alert Logic specialist explains that the perpetrators branch off the attack regionally where they use trusted and organised groups who will coordinate each effort in the area.

“They will go to the local homeless park or work with local gang members to use the ATM cards to get the maximum amount of cash out at each ATM. As they withdraw money, they all then go back to the coordinator and deliver the cash. That person will then get their percentage and more cards to continue the efforts. Everyone gets paid along the way,” explained Coty.

Travelex tribulations

Robert Capps, VP at NuData Security, also spoke to SC for extended commentary on this story and pointed out that it looks like Japanese ATMs dispense 10,000 Yen notes, so the maximum withdrawal at one ATM, for one card, would be 10 notes.

“If you extrapolate that across 100 attackers and 14,000 withdrawals, each person would be carrying 1,400 notes. That's not a small stack of bills! I suspect some of the bills would have been laundered in the country, with the rest being laundered at currency exchange booths at airports all over the world. I bet Travelex, and the like, are seeing a huge increase in 10,000 Yen notes being exchanged,” said Capps.

Capps further commented on the coordinated nature of the attack and said that such a heist would require substantial pre-planning and logistics in order to pull it off. He thinks that the locations of the ATMs were likely chosen in advance to allow each attacker on the ground the ability to visit each ATM in a short period of time and make the required withdrawals.

“The attack appears to have taken place at a time when traffic would have been lightest in the convenience stores where these ATMs were located, reducing the amount of exposure and inconvenience the attackers might have experienced, and likely exploiting low (or no) staffing at the Japanese ATM providers, and the South African Bank that was targeted. The attack occurred late on Saturday night, South African time, and early Sunday morning Japanese time,” said Capps.

He also notes that the early-morning weekend timing allowed the attackers to get a head start on leaving the area before the authorities could be alerted and respond.

Data cloning, data cloning, data cloning

“There is a question around the source of the data. This level of data could come from a breach at the institution, but is more likely to have come from a phishing attack against the cardholders, a data breach or skimming attack at a merchant or service provider. Generally attacks like this focus on vulnerabilities or weakness in staffing and fraud detection systems at the ATM network and the financial institution,” he said.

Capps concluded by saying that this case represents a perfect storm of variables and vulnerabilities which allowed it to take place without real-time detection or mitigation techniques being tripped – likely relying on the fact that the South African financial institution had some quirks or peculiarities in how it processed and evaluated international ATM withdrawals.

“This is probably combined with the time (and time zone) differences over the weekend, and the fact that the majority of convenience store ATMs in Japan are still based on mag stripe technology, which is much easier to counterfeit and spoof, than more secure chip and pin (EMV) cards that have been deployed in the Japanese and South African payments markets for nearly 10 years,” said Capps.

He rounds out by saying, “While we don't have all of the details of this case, there are clearly unanswered questions regarding how such a small number of accounts could be used to withdraw such a large amount of money in such a short period of time. Such a volumetric change in transactions should have been identified as anomalous by risk systems at the ATM network and at the financial institution itself here.”
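As an added illustration (not from the article or from any of the vendors quoted in it), the two issuer-side checks Capps argues should have tripped, run over a constructed set of withdrawal records: per-card withdrawal velocity, and the aggregate count of cross-border cash-outs inside a short window. The card ids, ATM ids, 10-minute window, home country and baseline thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "ZA"  # assumption: issuer is a South African bank, as in this case

# Constructed sample records (not real data): (time, card, atm, country, yen).
# Three cloned cards cash out the 100,000 yen maximum at several Japanese
# ATMs within minutes; one domestic withdrawal the day before is normal.
SAMPLE = [
    ("2016-05-14T14:30:00", "card-D", "atm-900", "ZA", 2000),
    ("2016-05-15T05:01:00", "card-A", "atm-001", "JP", 100000),
    ("2016-05-15T05:02:00", "card-B", "atm-010", "JP", 100000),
    ("2016-05-15T05:03:00", "card-C", "atm-020", "JP", 100000),
    ("2016-05-15T05:04:00", "card-A", "atm-002", "JP", 100000),
    ("2016-05-15T05:06:00", "card-B", "atm-011", "JP", 100000),
    ("2016-05-15T05:08:00", "card-A", "atm-003", "JP", 100000),
    ("2016-05-15T05:09:00", "card-B", "atm-012", "JP", 100000),
]

def _parsed(records):
    """Parse timestamps and return the records in time order."""
    return sorted((datetime.fromisoformat(ts), card, atm, cc, amt)
                  for ts, card, atm, cc, amt in records)

def _peak_in_window(times, window):
    """Largest number of events that fall inside any sliding window."""
    peak, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def card_velocity_alerts(records, window=timedelta(minutes=10), max_hits=2):
    """Cards that withdrew more than max_hits times inside one window."""
    by_card = defaultdict(list)
    for ts, card, _atm, _cc, _amt in _parsed(records):
        by_card[card].append(ts)
    return sorted(c for c, t in by_card.items()
                  if _peak_in_window(t, window) > max_hits)

def peak_foreign_volume(records, window=timedelta(minutes=10)):
    """Peak count of cross-border withdrawals seen in any one window."""
    times = [ts for ts, _c, _a, cc, _amt in _parsed(records) if cc != HOME_COUNTRY]
    return _peak_in_window(times, window)

def foreign_volume_alert(records, expected=1, multiplier=5, window=timedelta(minutes=10)):
    """True when cross-border volume exceeds the assumed baseline by multiplier."""
    return peak_foreign_volume(records, window) >= expected * multiplier
```

In a live system the baseline would be learned per window from the issuer's own history rather than fixed, but the sliding-window shape of the check is the same.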