Want an unlimited withdrawal for the weekend? There’s a group of cyber bad guys trying to do just that. The American FBI is warning that everyone – from individuals through to mid-sized financial institutions – should be aware of the cyber-criminal trick called the unlimited withdrawal.
It only looks real and personable
The trick generally starts with hacking or spearphishing, a phishing email that targets specific individuals at their place of work. The most targeted organizations are small to mid-sized financial institutions, which might not have the best security coverage or education about online threats.
Once the spearphishing email is opened, it appears to bring into the compromised network an array of malware that can access customer account information, change balances, and alter fraud-control security settings such as withdrawal limits and the number of daily transactions. The tactic is often called an “unlimited operation” thanks to the newly removed security limits.
Bad guys can work together
This account data is then sold to a second group of bad guys charged with monetizing the scheme. The second group uses this data to create fraudulent cards such as reusable gift cards. In a synchronized move, bad group 1 changes the account information and security settings, while bad group 2 tries to cash out the gift cards as quickly as possible. The scheme usually gets underway on Saturday after the banks close, giving the bad guys a larger time window to work in.
This warning was confidential
The FBI warning was confidential and the story was reported by KrebsOnSecurity. This is apparently a separate issue from the previous week’s FBI warning about the dangers of IoT smart devices. KrebsOnSecurity, the premier American source of information on cybercrime and pump skimming, previously wrote about two similar operations that stole around $2.4 million from the US National Bank of Blacksburg in 2016 and 2017.
Prevent withdrawal symptoms
Krebs also reported that the FBI gave businesses an array of security tips, some of which are also valid for consumers with a regular computer or a collection of smart devices at home. They include:
- Dual authentication procedures. Double-check things if your account conditions suddenly change.
- Application whitelisting. Block unapproved apps (such as malware) from executing.
- Monitor and limit administrator and other critical accounts. (Don’t run your device as the admin.)
- Look out for encrypted traffic (SSL or TLS) on non-standard ports. (Keep an eye on your smart devices.)
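As an added illustration (not code from the article or from the FBI notice), here is a small Python checker that reads a constructed audit log of fraud-control setting changes and flags the patterns the warning describes: limits raised by an order of magnitude, changes made outside business hours (the article's Saturday cash-outs), and one actor touching many accounts in a short burst. The log format, the business-hours window and the thresholds are assumptions.

```python
"""Flag suspicious changes to fraud-control settings (withdrawal limits,
daily transaction caps) in an audit log. Constructed example, not the
article's or any bank's real tooling."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed audit lines: timestamp actor account setting old_value new_value
AUDIT_LOG = """\
2018-08-11T02:14:03 admin_svc ACC-1001 withdrawal_limit 500 999999
2018-08-11T02:14:05 admin_svc ACC-1002 withdrawal_limit 500 999999
2018-08-11T02:14:07 admin_svc ACC-1003 daily_txn_count 5 9999
2018-08-13T10:30:00 teller_07 ACC-2001 withdrawal_limit 500 800
"""

WATCHED = {"withdrawal_limit", "daily_txn_count"}  # settings the warning names
BUSINESS_HOURS = (9, 17)  # assumption: 09:00-17:00 local time, Monday-Friday

@dataclass
class Alert:
    ts: datetime
    actor: str
    account: str
    reason: str

def outside_business_hours(ts: datetime) -> bool:
    # Saturday/Sunday, or a weekday outside the assumed working window
    return ts.weekday() >= 5 or not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]

def detect(log: str, burst_window_s: int = 60, burst_threshold: int = 3,
           raise_factor: int = 10) -> list:
    alerts, by_actor = [], defaultdict(list)
    for line in log.splitlines():
        ts_s, actor, acct, setting, old, new = line.split()
        if setting not in WATCHED:
            continue
        ts, old_v, new_v = datetime.fromisoformat(ts_s), int(old), int(new)
        if new_v >= max(old_v, 1) * raise_factor:  # limit effectively removed
            alerts.append(Alert(ts, actor, acct, f"{setting} raised {old_v}->{new_v}"))
        if outside_business_hours(ts):
            alerts.append(Alert(ts, actor, acct, f"{setting} changed outside business hours"))
        by_actor[actor].append((ts, acct))
    # Burst: one actor changing limits on many distinct accounts within the window
    for actor, events in by_actor.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            touched = {a for t, a in events[i:] if (t - t0).total_seconds() <= burst_window_s}
            if len(touched) >= burst_threshold:
                alerts.append(Alert(t0, actor, ",".join(sorted(touched)), "bulk limit changes"))
                break
    return alerts
```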