Zombies and mules: The inside story of the first-ever shekel bank hack

Outliers and hackers banded together to carry out an unusual heist; fortunately, mass damage was prevented, says a security expert

A man removes cash from a Bank Leumi ATM machine in the Meah Shearim neighborhood of Jerusalem (Nati Shohat/Flash90)

Dozens, perhaps hundreds, of Israeli bank customers were the targets of an attack that enabled hackers to purloin hundreds of thousands of shekels from customer accounts.

It was only due to the very high standards of cyber-security in the Israeli banking system that the fraud was discovered early on, enabling security officers to take steps to halt the attacks, said international cyber-security firm Kaspersky Lab, which discovered the scam in November.

“It is important to note that Israeli financial institutions are well-known for their capabilities in fending off hostile activity,” said Israeli cyber-security expert Ido Naor, who led Kaspersky’s GReAT (Global Research and Analysis Team) in uncovering the attack, informing authorities and helping to prevent the spread of what the team called the ATM-Zombie attack.

Like much technology developed in Israel, the attack was based on a well-known technique – proxy changing – with a special “Israeli” twist. Instead of just transferring money electronically, the hackers mobilized an army of felons to extract actual cash from automated teller machines, using cellphone apps that allow account holders to forgo the use of ATM or credit cards and send requests for cash withdrawals to ATMs via their devices. The money collectors, called “mules,” would send most of the money to a drop-box in Israel, from where it was forwarded abroad, after skimming a bit off the top for themselves.

As such, said GReAT, the operation was a unique example of how to use social engineering to carry out a hack attack. First the hackers had to convince victims to click on a link that would install the malware that gave them access to user information and the ability to carry out the attack. Then they also had to convince the mules that they should not only participate in a criminal plot to help them steal money from ATMs, but send it on to a third party the mules presumably did not know personally instead of keeping it themselves.

“From a hacker’s point of view, cash is king, even if there is a limit on how much you can take out of a cash machine at one time,” Naor told The Times of Israel. “Why get involved with digital accounts and transfers when you don’t have to?”

Once the mules had the shekels in hand, said Naor, it was easy for them to get rid of them, such as by packing a bag and taking their haul abroad, or even sending cash by overnight mail to a location abroad.

“Although we don’t have all the details, there are several ways they could have gotten the money,” said Naor. “They could convert the shekels into dollars at a money-changer and either transport the cash or mail it abroad, or even re-convert it to digital form and buy bitcoins or a similar crypto-currency.”

ATM-Zombie, illustrated (Courtesy)

Naor said the operation had several stages: First, hackers would install malware via social engineering (spear phishing), persuading victims to install an application that would gather information about their bank accounts and, most importantly, plant a phony digitally signed certificate so that the device would trust the attackers’ server as if it were the bank’s and continue to exchange encrypted traffic with it. The malware would also change the device’s proxy configuration file, so that traffic bound for the bank was routed to the hackers’ servers without alerting cyber-defense applications.

Then, when users tried to connect to their bank’s secure website, they would be redirected to the hackers’ site, which contained an exact duplicate of the page users would see on the legitimate site. As the users logged into their account page, the malware would steal their login data and store it.

Here is where ATM-Zombie differed from other similar proxy attacks. Instead of just using those credentials to transfer money from one account to another, the hackers — from outside Israel, as evidenced by their IP addresses — recruited an army of accomplices, directing them to certain ATMs (which the company refers to as the zombies in the caper) and sending them a text message containing the details that are automatically entered into a bank-provided app allowing users to withdraw cash from ATMs without a card. All the mules had to do was collect the cash and then send it on to their employers.

The operation marks a number of firsts – the first full-blown hack attack against holders of shekel accounts in Israel, the first use of mules to collect cash from an ATM using mobile devices, and the first time “attackers from outside a country were able to control residents of a country to deliver a basic service,” in this case withdrawing money from an ATM. Thanks to the proxy-changing technique used by the hackers, the withdrawal would appear perfectly legitimate.

“The chance of proving that the mules were aware of the entire operation is close to none,” as their entire role was to use the codes sent to them to withdraw money from the ATM.

Just who were these mules? “We don’t have definitive information about that, but it’s very likely they were not Hebrew speakers – many of them likely on the social periphery of society who feel they have less of a stake in society, and are less afraid to violate its rules,” said Naor. “Such people could be more easily manipulated into getting involved in a scam like this.”

As to who the perpetrators of the plot were, “we also cannot say definitively,” said Naor. The banks that were targeted have compensated all victims, and have presumably informed police, who have presumably opened an investigation. “We haven’t been informed of any specific investigations, but there are a lot of agencies I imagine would be interested in a case like this.”

In any event, “our job is to discover breaches, and we succeeded in doing that here,” he added.

Fortunately for local account holders, Israeli financial institutions have strong enough security to ensure that they are protected. “In this case the criminals succeeded by targeting the end customer instead of the banks themselves,” said Naor. “They took advantage of the weakest link. Luckily the banks were good enough to help stop the attack in its early stages.”
