‘HIDDEN COBRA FASTCash Campaign’ ATM Cashout Attack on ATMs

17 August 2018

FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. TechCERT has observed a rise in this kind of attack over the last couple of months. In one incident in 2017, attackers enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, attackers enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.

According to the FBI, cybercriminals configured and deployed legitimate scripts on compromised switch application servers in order to intercept and reply to financial request messages with fraudulent but legitimate-looking affirmative response messages.

Anatomy of a FASTCash scheme (Source: USCERT)


TechCERT recommends:

Mitigation Recommendations for Institutions with Retail Payment Systems

Require Chip and Personal Identification Number Cryptogram Validation
  • Implement chip and Personal Identification Number (PIN) requirements for debit cards.
  • Validate card-generated authorization request cryptograms.
  • Use issuer-generated authorization response cryptograms for response messages.
  • Require card-generated authorization response cryptogram validation to verify legitimate response messages.
Isolate Payment System Infrastructure
  • Require two-factor authentication before any user can access the switch application server.
  • Verify that perimeter security controls prevent internet hosts from accessing the private network infrastructure servicing your payment switch application server.
  • Verify that perimeter security controls prevent all hosts outside of authorized endpoints from accessing your system.
Logically Segregate Operating Environments
  • Use firewalls to divide operating environments into enclaves.
  • Use Access Control Lists (ACLs) to permit or deny specific traffic from flowing between those enclaves.
  • Give special consideration to segregating enclaves holding sensitive information (e.g., card management systems) from enclaves requiring internet connectivity (e.g., email).
Encrypt Data in Transit
  • Secure all links to payment system engines with a certificate-based mechanism, such as mutual transport layer security, for all traffic external or internal to the organization.
  • Limit the number of certificates used on the production server, and restrict access to those certificates.
Monitor for Anomalous Behavior as Part of Layered Security
  • Configure the switch application server to log transactions. Routinely audit transactions and system logs.
  • Develop a baseline of expected software, users, and logons. Monitor switch application servers for unusual software installations, updates, account changes, or other activity outside of expected behavior.
  • Develop a baseline of expected transaction participants, amounts, frequency, and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.
Recommendations for Organizations with ATM or Point-of-Sale Devices
  • Implement chip and PIN requirements for debit cards.
  • Require and verify message authentication codes on issuer financial request response messages.
  • Perform authorization response cryptogram validation for Europay, Mastercard, and Visa transactions.
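
The baseline monitoring recommended under "Monitor for Anomalous Behavior as Part of Layered Security", as an added example that is not part of the original advisory: it flags approved withdrawals that deviate from a per-account baseline, including the simultaneous multi-country pattern seen in the incidents above. The log layout, account tokens, thresholds and baseline values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of approved cash withdrawals from a switch transaction log.
# Assumed layout: timestamp,account token,ATM country,amount
SAMPLE_LOG = """\
2018-08-11T02:00:05Z,acct-A,LK,5000
2018-08-11T02:00:40Z,acct-B,LK,20000
2018-08-11T02:01:10Z,acct-B,IN,20000
2018-08-11T02:01:15Z,acct-B,TR,20000
2018-08-11T02:01:50Z,acct-B,BR,20000
2018-08-11T09:30:00Z,acct-A,LK,3000
2018-08-11T09:31:00Z,acct-C,LK,90000
"""

# Hypothetical baseline derived from known-good history (participants, amounts).
BASELINE = {
    "acct-A": {"countries": {"LK"}, "max_amount": 10000},
    "acct-B": {"countries": {"LK"}, "max_amount": 25000},
    "acct-C": {"countries": {"LK"}, "max_amount": 15000},
}
WINDOW = timedelta(minutes=10)  # timing: what counts as "simultaneous"
MAX_COUNTRIES = 2               # distinct ATM countries tolerated per window
MAX_COUNT = 3                   # frequency: withdrawals tolerated per window

def detect(log_text, baseline=BASELINE):
    """Return (timestamp, account, reason) for every baseline deviation."""
    recent = defaultdict(deque)  # account -> (timestamp, country) inside WINDOW
    alerts = []
    for line in log_text.split():
        raw_ts, acct, country, amount = line.split(",")
        ts = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ")
        profile = baseline.get(acct)
        if profile is None:  # participant never seen in the baseline
            alerts.append((ts, acct, "no-baseline"))
            continue
        if int(amount) > profile["max_amount"]:
            alerts.append((ts, acct, "amount-above-baseline"))
        if country not in profile["countries"]:
            alerts.append((ts, acct, "new-country"))
        win = recent[acct]
        win.append((ts, country))
        while ts - win[0][0] > WINDOW:  # drop events older than the window
            win.popleft()
        if len({c for _, c in win}) > MAX_COUNTRIES:
            alerts.append((ts, acct, "multi-country-burst"))
        if len(win) > MAX_COUNT:
            alerts.append((ts, acct, "frequency-above-baseline"))
    return alerts
```

On the constructed sample, `detect(SAMPLE_LOG)` raises alerts only for acct-B (new countries, a multi-country burst, excess frequency) and acct-C (amount above baseline); acct-A stays within its baseline.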

Mitigation Recommendations for All Organizations

TechCERT encourages users and administrators to use the following best practices to strengthen the security posture of their organization’s systems:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (i.e., permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and require regular password changes.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on organization workstations, and configure it to deny unsolicited connection requests.
  • Disable unnecessary services on organization workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with content that could pose cyber-security risks.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet before executing.
  • Maintain situational awareness of the latest cyber-security threats.
  • Implement appropriate ACLs.
