Attackers are increasingly hacking into banks’ networks to gain access to the IT infrastructure connected to their ATMs, security experts warn. Attackers then push malware onto the ATMs that allows a low-level gang member to walk up and enter a preset numerical sequence into the ATM to make it dispense all of its money in what’s known as a “jackpotting” or “cashing out” attack.
Such attacks also enable criminals to steal credit and debit card data from ATM machines.
For attackers, the appeal is simple: Compared to walking into a bank with a gun and attempting to rob it, it’s safer – and easier – to remotely infect an ATM, then dispatch low-level gang members, known as money mules, to physically walk away with cash from infected ATMs.
So far, however, these types of attacks have yet to be unleashed in many larger regions, such as the United States and Canada. That’s according to EC3 – the European Cybercrime Center, part of the EU’s law enforcement intelligence agency, Europol – and Tokyo-based security firm Trend Micro, which have issued a joint report into what they say have been “a seeming spate of remotely orchestrated attacks” designed to infect ATMs with malware from afar.
Many remote attacks that install malware on ATMs begin with a phishing attack against a bank employee. (Source: Europol and Trend Micro)
“While network-based attacks require more work than do physical attacks, their appeal lies in allowing cybercriminals to extract cash on command without having to seek out the targeted ATMs,” according to a Tuesday blog post published by Trend Micro security researchers. They warn that these remote-access attacks can also bypass existing defenses, such as any firewalls, VPNs or network segmentation that might be in place.
One such campaign targeted 41 ATMs in Taiwan in July 2016, resulting in the theft of $2.7 million in cash. Police said attackers installed malware on 22 ATMs manufactured by Wincor-Nixdorf – now known as Diebold Nixdorf – run by the country’s First Commercial Bank after first hacking into the bank’s London-based networks. According to Taiwanese consultancy iThome – as cited in the Europol and Trend Micro report – the hackers then “accessed the bank’s voice recording system and stole the domain administrator’s account credentials,” used the credentials to gain VPN access to the bank’s Taiwan branch, mapped the company’s intranet topology, identified the ATM software updating system and figured out the required administrator credentials.
From there, “attackers logged into the ATM update server and set up a fake update package to the distribution management system,” according to the report. “They then uploaded it to the ATMs as if it were a real update.” The package instructed the ATMs to enable their telnet service, which the attackers used to remotely access the ATMs and upload three pieces of malware, including a test program that money mules, standing in front of an ATM, validated had been successfully executed.
“The mules in front of the machines reported the test results back to the remote hackers by using the Wickr Me secure messenger app on their mobile phones,” according to the report. “Once the hackers confirmed that the ATMs were ready for the attack, they uploaded and ran modified vendor test tools that dispensed 40 banknotes at a time” – the maximum that the machine could dispense at once.
The money mules then moved to another ATM and repeated the process, according to the report. “In the meantime, the remote hackers wiped the malicious programs off the victimized ATM and logged off.”
Ripper Hits Thailand
Meanwhile, in July and August of last year, a cybercrime gang hacked into Thailand’s Government Savings Bank’s network to install new Ripper malware onto NCR-built ATMs managed by the bank. Subsequently, three groups of men jackpotted 21 ATMs across six provinces in Thailand, making off with a total of 12 million baht ($363,000) in cash, police say.
The Ripper campaign, which came to light before the attacks in Taiwan, was the first known attack that involved installing jackpotting malware onto ATMs without having to physically access the ATMs to do so, according to Europol and Trend Micro.
Instead, security researchers say these attacks most likely begin with spear-phishing emails carrying malicious executable files – malware – as attachments, which the gang sends to prescreened lists of bank employees. If victims fall for this social engineering attack, the malware gives attackers a beachhead on the victim’s PC that they use to attempt to move laterally through the bank’s network, access the ATM infrastructure and then infect as many ATMs as possible.
In the case of the Ripper attacks against the Thai bank, for example, NCR said that after breaching the bank’s network, the attackers spoofed “the software distribution server as the means to deliver the malware to ATMs.”
Banks may be unaware they’ve been hacked until money goes missing. Some types of malware are also designed to delete themselves from an ATM after they’ve been used to jackpot it, “effectively dissolving most traces of the criminal activity,” according to Trend Micro.
More Regions Targeted
Attacks have also been seen in other regions. As of September 2016, for example, Moscow-based security firm Group-IB says that cybercrime gangs using Cobalt ATM jackpotting malware had struck banks in Russia, the United Kingdom, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia and Malaysia, stealing an estimated $25 million.
Malware known as Carbanak – aka Anunak – has also been tied to thefts of more than $1 billion, although that figure is a mix of fraudulent wire transfers, using banking Trojans installed on PCs, as well as attacks that implanted malware on ATMs in person, according to Moscow-based security firm Kaspersky Lab.
Europol and Trend Micro say that while there are “striking similarities” between the Carbanak and Cobalt attacks, it’s not clear if they’re the work of the same group.
Physical Attacks Still Reign
While there’s been a growth in remote ATM attacks as well as other types of “logical” attacks that involve malware, physical attacks remain the most common type of attack vector against ATMs.
Source: Europol and Trend Micro
The European Association for Secure Transactions, based in Edinburgh, Scotland, reports that the number of thefts that resulted from physical attacks against ATMs in Europe rose by 12 percent from 2015 to 2016. In particular, explosive attacks – including explosive gas and solid explosive attacks – increased by nearly 50 percent, to 1,000 such incidents in 2016. EAST says losses attributed to physical attacks in 2016, unchanged from recent years prior, was about €49 million ($57.5 million).
Here are some popular, old-school ways to steal cash from an ATM:
Ports: Crack open the ATM case and load jackpotting malware via USB or CD-ROM, or another access port. Sometimes gangs will use two teams – one installs the malware, while another waits to jackpot numerous infected ATMs in one fell swoop, often overnight or during a weekend.
Black box: Physically access the ATM and plug in a purpose-built black-box to override security controls, then proceed as above.
Skimmer: Install a skimmer glued into the mouth of the card reader – or in the form of a fake PIN pad, glued over the real one – that can read and store the data stored on cards’ magnetic stripes, as consumers feed their cards into machines, and in some cases broadcast the data to a waiting attacker via Bluetooth.
Ram raid: Ram the ATM or its enclosure using a vehicle, then attack the ATM with hammers or other tools to steal the cash it stores.
Robbery: Rob an ATM technician who comes to service or refill the device.
Explosives: If all else fails, open the ATM shutter and pump it full of explosive gas, then light a fuse and run until it potentially rains paper notes.