Kaspersky Lab identifies new tricks and copycats of the infamous financial cyber-heist
A year after Kaspersky Lab warned that cybercriminals would start to adopt the tools and tactics of nation-state backed APTs in order to rob banks, the company has confirmed the return of Carbanak as Carbanak 2.0 and uncovered two more groups working in the same style: Metel and GCMAN. They attack financial organisations using covert APT-style reconnaissance and customised malware along with legitimate software and new, innovative schemes to cash out.
The Metel cybercriminal group has many tricks in its playbook, but one scheme stands out: by gaining control of machines inside a bank that can act on money transactions (for example the bank’s call-centre or support computers), the gang automates the rollback of ATM transactions.
The rollback capability ensures that the balance on the debit cards stays the same regardless of how many ATM withdrawals are made: the cash is dispensed, but each withdrawal is reversed on the issuing bank’s side, so the card is never debited and never runs out. In the cases observed to date, the group steals money by driving around Russian cities at night and emptying ATMs belonging to a number of banks, repeatedly using the same debit cards issued by the compromised bank. In the space of a single night they cash out.
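The pattern just described leaves a footprint on the issuing bank's own transaction log: repeated withdrawals on the same card, each cancelled by a rollback moments later, spread across many ATMs within one night, with a large gross cash-out and a net balance change of zero. The following detection sketch is an added example, not code from Kaspersky Lab or from the report; the CSV log format, the sample records and the thresholds (matching gap, window length, minimum number of rolled-back withdrawals and distinct ATMs) are all assumptions chosen for illustration.

```python
"""Detection sketch for the Metel-style ATM rollback pattern.

Added example, not Kaspersky Lab code. Flags cards whose withdrawals are
systematically cancelled by a matching rollback shortly afterwards, so that
cash leaves many ATMs in one night while the card balance never moves.
Log format and thresholds are assumptions, not anything from the report.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts card atm kind amount")

# Constructed sample log (CSV: timestamp,card,atm,type,amount).
# CARD-A shows the rollback pattern; CARD-B is an ordinary customer with one
# legitimate reversal (e.g. a failed dispense), which must not be flagged.
SAMPLE_LOG = """\
2016-02-08T01:05:11,CARD-A,ATM-101,WITHDRAW,40000
2016-02-08T01:05:40,CARD-A,ATM-101,ROLLBACK,40000
2016-02-08T01:19:02,CARD-A,ATM-207,WITHDRAW,40000
2016-02-08T01:19:33,CARD-A,ATM-207,ROLLBACK,40000
2016-02-08T01:47:50,CARD-A,ATM-312,WITHDRAW,40000
2016-02-08T01:48:21,CARD-A,ATM-312,ROLLBACK,40000
2016-02-08T02:10:05,CARD-A,ATM-418,WITHDRAW,40000
2016-02-08T02:10:37,CARD-A,ATM-418,ROLLBACK,40000
2016-02-08T12:30:00,CARD-B,ATM-101,WITHDRAW,5000
2016-02-09T09:00:00,CARD-B,ATM-301,WITHDRAW,3000
2016-02-09T09:01:00,CARD-B,ATM-301,ROLLBACK,3000
"""


def parse_log(text):
    """Parse the CSV log into Event tuples sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, atm, kind, amount = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), card, atm, kind, int(amount)))
    return sorted(events, key=lambda e: e.ts)


def pair_rollbacks(events, max_gap=timedelta(minutes=5)):
    """Match each ROLLBACK to the most recent unmatched WITHDRAW with the same
    card, ATM and amount, provided it happened within max_gap.
    Returns {card: [(withdraw_event, rollback_event), ...]}."""
    pending = defaultdict(list)   # (card, atm, amount) -> unmatched withdrawals
    pairs = defaultdict(list)
    for ev in events:
        key = (ev.card, ev.atm, ev.amount)
        if ev.kind == "WITHDRAW":
            pending[key].append(ev)
        elif ev.kind == "ROLLBACK" and pending[key]:
            withdraw = pending[key].pop()
            if ev.ts - withdraw.ts <= max_gap:
                pairs[ev.card].append((withdraw, ev))
    return pairs


def detect_rollback_abuse(events, window=timedelta(hours=8), min_pairs=3,
                          min_atms=2, max_gap=timedelta(minutes=5)):
    """Flag cards with at least min_pairs rolled-back withdrawals across at
    least min_atms distinct ATMs inside one `window` (roughly one night).
    Returns {card: summary_dict} for every flagged card."""
    alerts = {}
    for card, pairs in pair_rollbacks(events, max_gap).items():
        pairs.sort(key=lambda p: p[0].ts)
        for i, (first, _) in enumerate(pairs):
            # All rolled-back withdrawals starting from pair i within the window.
            burst = [p for p in pairs[i:] if p[0].ts - first.ts <= window]
            atms = {w.atm for w, _ in burst}
            if len(burst) >= min_pairs and len(atms) >= min_atms:
                gross = sum(w.amount for w, _ in burst)
                refunded = sum(r.amount for _, r in burst)
                alerts[card] = {
                    "rolled_back_withdrawals": len(burst),
                    "atms": sorted(atms),
                    "gross_withdrawn": gross,      # cash that actually left the ATMs
                    "net_debited": gross - refunded,  # what the card paid: zero here
                }
                break
    return alerts


if __name__ == "__main__":
    for card, info in detect_rollback_abuse(parse_log(SAMPLE_LOG)).items():
        print(card, info)
```

The key signal is the gap between `gross_withdrawn` and `net_debited`: a card that dispenses a large amount of cash while paying nothing is exactly what the rollback scheme produces. On a real system the thresholds would be tuned against the bank's normal reversal rate, and the rollback events themselves should be correlated with which operator account or workstation issued them, since in the Metel case those originated from compromised internal machines rather than from the ATM network.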