This past Friday, the FBI began warning banks that a coordinated cyberattack on ATMs worldwide could be imminent. One day later, India’s Cosmos bank was hit by cyberattackers who began draining it of 944 million rupees ($13.5M) across 28 countries over the course of two days.

According to Brian Krebs from Krebs on Security, the FBI’s warning indicated that it was getting signals that cybercriminals were planning “a highly choreographed, global fraud scheme known as an ‘ATM cash-out,’ in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.”

In the Cosmos case, hackers launched a cyberattack on the bank’s ATM server and cloned thousands of the bank’s debit cards. Reuters reports that the hackers started on August 11, “withdrawing 805 million rupees in 14,849 transactions in just over two hours.”

According to the Economic Times, Bank Chairman Milind Kale told reporters that the malware attack was on the switch, which is the payment gateway for Visa and Rupay debit cards.

Brian Krebs reports that most ATM cash-out operations strike over the weekend, after banks close on Saturday. In addition, Krebs writes, “Organized cybercrime gangs that coordinate unlimited attacks typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts….”

The FBI warning notes that historically, these types of attacks have targeted small- to medium-size financial institutions. The belief is that smaller organizations are less likely to have a robust cybersecurity infrastructure and might be more prone to third-party vendor vulnerabilities.

Get the full story at Krebs on Security.