On Friday, the FBI issued a confidential notice to banks warning them that hackers are planning a global heist that will allow them to withdraw large sums of money from ATMs, according to an email obtained by security researcher Brian Krebs.
“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation,’” the FBI letter to banks reads.
Unlimited operations use malware to gain access to the card information of bank customers and access to the banks’ networks.
“The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores,” the FBI letter said. “At a pre-determined time, the co-conspirators withdraw accounts funds from ATMs using these cards.”
According to Krebs, who first published the alert on his blog, after cybercrime groups gain access to bank or credit card company networks they usually wait until right before an organized run on ATMs to disable fraud controls like daily limits on ATM withdrawals and ATM card PINs. These runs almost always happen after banks close up for the weekend, according to Krebs.
Historically, unlimited operations have targeted smaller banking institutions because they are less likely to have robust security mechanisms. In 2016, for example, cybercriminals stole $570,000 from Virginia’s National Bank of Blacksburg in an unlimited attack and only a few months later launched another unlimited attack against National Bank to the tune of nearly $2 million. The bank was compromised through a phishing attack that embedded malicious code in a Microsoft Word document.
So far the FBI hasn’t made any details about this ATM scheme public, but a spokeswoman for the FBI told CNN that the Bureau “routinely advises private industry of various cyber threat indicators observed during the course of our investigations” and that “this data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”
Motherboard reached out to the FBI for comment and we’ll update this post if we hear back.