In a session at the Black Hat USA 2020 virtual conference on August 5, Kevin Perlow, technical intelligence team lead for one of the largest banks in the US, explained how cyber-attackers are using public standards for financial transactions to enable multiple forms of fraud.
One of the key standards used every day by all financial institutions around the world is ISO 8583, which defines how credit card transaction messages are sent and received. Perlow explained that anytime an individual goes to a bank machine or uses a point of sale device at a grocery store to do a self-checkout, ISO 8583 messages are created as part of the transaction.
“ISO 8583 is a standardized set of fields for transmitting the data from your card and for sending your transaction over to a payment switch and then from that payment switch to a bank to approve or reject the transaction that’s happening,” Perlow said.
The payment switch is a device that handles incoming messages from different types of payment devices, such as ATMs and POS devices, like those at a grocery store. The payment switch processes the messages and decides what to do with them. The payment switch is also a key target for attackers, as they look to take advantage of ISO 8583 with ‘FASTCash’ as well as other forms of malware.
How FASTCash Uses ISO 8583
The so-called FASTCash malware was first publicly disclosed back in 2018 and has remained active in the years since. Perlow noted that FASTCash is a subset of malware created and executed by threat actors from North Korea, sometimes referred to as the Lazarus Group.
FASTCash works by being injected by the attackers into a payment switch, where it fraudulently approves what appear to be legitimate ISO 8583 messages coming from attackers standing at bank machines, allowing them to withdraw money. During his presentation, Perlow described how ISO 8583 messages are constructed in a way that the FASTCash attackers have been able to emulate.
Perlow emphasized that, in order to create and properly execute the ISO 8583 messages, a lot of things need to go right for the attackers, since there is a lot of complexity. That’s why FASTCash has embedded logging information, to help monitor and adjust in order to execute its malicious payload.
ISO 8583 Isn’t the Real Problem
Given that attackers are making use of the ISO 8583 standard, it might seem to follow that there is something wrong with the standard that should be changed – but that’s not the case, according to Perlow. He said that he would never recommend changing the ISO 8583 standard, and it would also be impossible to do so, even if he thought it was a good idea.
“The ISO 8583 standard is the card payment standard for absolutely everything,” he emphasized.
That said, he noted that there are different ways to do credit card transactions that could randomize the data. The goal of randomizing, he explained, would be to make it harder to predict what message is supposed to be going back to a bank machine.
“Ultimately, what’s happening here is that the payment switch is compromised and there’s nothing wrong at all with the payment standard being used,” he said. “The ATMs are working the way they’re supposed to in a very real sense and they’re processing the messages.”
There are multiple ways the FASTCash attackers are getting onto the payment switches, including using rogue PowerShell scripts. Perlow suggested that the attack vectors involve things that IT professionals should be looking for as part of their endpoint detection activities.
“By the time it gets to the payment switch and as cash-outs happen, you’ll know because all your ATMs will be empty all of a sudden,” Perlow concluded. “The idea is to stop it before it gets to that point.”