One of the most popular methods used by cybercriminals for monetizing their malware is cash out. Cybercriminals have been using this technique since 2012 to get money from stolen payment cards. The process involves stealing credit card information, then cloning the card data into fake payment cards that are used to withdraw cash directly from ATMs or purchase goods in online stores. The success of this method was mainly influenced by the availability of hacker-friendly tools that could be used for creating fake payment cards. These cash out methods are still being actively used today, but cybercriminals have also started using Bitcoin ATMs to cash out their profits without drawing too much attention to themselves.
Cash out is a popular way for cybercriminals to monetize their malware because of its reliability and simplicity, which also makes it attractive to novice hackers. Cash out operations are usually conducted in countries where withdrawing money from an ATM is relatively easy and anonymous, e.g., some European countries, Russia, China or India. For example, most Bitcoin ATMs only require the user to enter an SMS code sent to his or her mobile phone in order to withdraw money. Additionally, once stolen card data has been used, cybercriminals can easily monetize it again by selling the information on the black market instead of withdrawing money directly from ATMs multiple times.
Cash outs are usually conducted by small groups that specialize in this type of attack and consist only of highly skilled hackers who know how to run money mule schemes, so they do not need many people for the operation.
During an investigation into a cash out incident involving payment cards, Kaspersky Lab experts identified several servers that were used as malware command and control centers. Each device was identified by its unique identification number (ID). The investigators found that some of these IDs had been active since 2012, meaning cybercriminals had been using them for cash out operations for a long time.
Cash out methods
There are several ways in which cybercriminals can cash out their profits from carding activities.
Some use a mobile application installed on a smartphone or tablet to make payments at retail POS terminals. This method is commonly used when buying items in brick-and-mortar stores that do not require a physical card or passport to complete a transaction.
Some visit a particular bank's ATM and withdraw cash using a fake payment card. This method is simple, but also risky, as it requires the criminal to be physically present at the ATM. Another drawback is that cybercriminals can only withdraw a limited amount of money from an ATM at one time, depending on how much money the criminals have in their account. In order to avoid suspicion, they usually withdraw small amounts of money from several different ATMs during each operation.
Some use Bitcoin ATMs to withdraw money from accounts they have created for this purpose. To do so, anyone can create an account on a Bitcoin ATM using any kind of ID documentation, as long as it does not carry their photo. After that, cybercriminals activate their Bitcoin ATM account and ask a so-called Bitcoin mule to transfer the balance from a malware-infected computer to the Bitcoin ATM's address. The mule is usually involved in cash out operations by being instructed either to buy something online or to withdraw money at a local retail POS terminal.
Cash out methodology
There are several different ways in which cybercriminals can cash out using Bitcoin ATMs, including:
- Manual transactions – once attackers infect user computers with malware, they either create fake payment cards or buy them on the black market to use at different ATMs. In this case, attackers monitor whether a user is currently using his or her computer; if not, the attackers go ahead with the cash out operation.
- Automated transactions – cybercriminals can also purchase a stack of pre-paid debit cards that are then programmed to withdraw a certain amount of money from infected users' accounts every day until all funds have been drained. This method allows cybercriminals to keep cashing out money from infected computers without being noticed by the users, as long as their bank's daily withdrawal limit is not too low.
Preventing cash outs
The best way to prevent cash outs is still to keep your antivirus and antimalware software up to date and to run periodic checks on your computer in order to detect and remove the latest cyber threats. This will also prevent attackers from easily infecting you with malware-based cash out tools.
Another good defense against this type of attack is for users not to visit untrusted websites, especially those related to adult content or containing spammy hyperlinks. It is also recommended that everyone always choose a strong password composed of random combinations of letters, numbers and special characters when creating an online account; never use passwords like 123456789 or qwertyuiop. Cybercriminals can easily break these types of passwords using brute force attacks, which are very efficient against easy-to-remember passwords.