February 8, 2016
To appreciate how malware targeting banks and other financial institutions is adopting sophisticated techniques once reserved for state-sponsored spies using so-called advanced persistent threats, consider the recently discovered Metel crimeware package.
It contains more than 30 separate modules that can be tailored to the computer it’s infecting. One of the most powerful components automatically rolls back ATM transactions shortly after they’re made. As a result, people with payment cards from a compromised bank can withdraw nearly unlimited sums of money from ATMs belonging to another bank. Because the Metel module repeatedly resets card balances, the criminals never pass the threshold that would normally freeze the card. Last year, the rollback scheme caused an unnamed bank in Russia to lose millions of rubles in a single night.
Metel usually gains an initial foothold by exploiting vulnerabilities in browsers or through spear phishing e-mails that trick employees to execute malicious files. Members of the Metel hacking gang then use legitimate software used by server administrators and security researchers to compromise other PCs in an attempt to further burrow into the targeted network. They will often patiently work this way until they gain control over a system with access to money transactions, for example, PCs used by call center operators or IT support.