ATM Hackers Double Down on Remote Malware Attacks

‘Cash Out’ Malware Attackers Increasingly Infect ATMs From Afar, Experts Warn

Attackers are increasingly hacking into banks’ networks to gain access to the IT infrastructure connected to their ATMs, security experts warn. Attackers then push malware onto the ATMs that allows a low-level gang member to walk up and enter a preset numerical sequence into the ATM to make it dispense all of its money in what’s known as a “jackpotting” or “cashing out” attack.

See Also: IoT is Happening Now: Are You Prepared?

Such attacks also enable criminals to steal credit and debit card data from ATM machines.

For attackers, the appeal is simple: Compared to walking into a bank with a gun and attempting to rob it, it’s safer – and easier – to remotely infect an ATM, then dispatch low-level gang members, known as money mules, to physically walk away with cash from infected ATMs.

So far, however, these types of attacks have yet to be unleashed in many larger regions, such as the United States and Canada. That’s according to EC3 – the European Cybercrime Center, part of the EU’s law enforcement intelligence agency, Europol – and Tokyo-based security firm Trend Micro, which have issued a joint report into what they say have been “a seeming spate of remotely orchestrated attacks” designed to infect ATMs with malware from afar.

Many remote attacks that install malware on ATMs begin with a phishing attack against a bank employee. (Source: Europol and Trend Micro)

“While network-based attacks require more work than do physical attacks, their appeal lies in allowing cybercriminals to extract cash on command without having to seek out the targeted ATMs,” according to a Tuesday blog post published by Trend Micro security researchers. They warn that these remote-access attacks can also bypass existing defenses, such as any firewalls, VPNs or network segmentation that might be in place.

Taiwan Campaign

One such campaign targeted 41 ATMs in Taiwan in July 2016, resulting in the theft of $2.7 million in cash. Police said attackers installed malware on 22 ATMs manufactured by Wincor-Nixdorf – now known as Diebold Nixdorf – run by the country’s First Commercial Bank after first hacking into the bank’s London-based networks. According to Taiwanese consultancy iThome – as cited in the Europol and Trend Micro report – the hackers then “accessed the bank’s voice recording system and stole the domain administrator’s account credentials,” used the credentials to gain VPN access to the bank’s Taiwan branch, mapped the company’s intranet topology, identified the ATM software updating system and figured out the required administrator credentials.

From there, “attackers logged into the ATM update server and set up a fake update package to the distribution management system,” according to the report. “They then uploaded it to the ATMs as if it were a real update.” The package instructed the ATMs to enable their telnet service, which the attackers used to remotely access the ATMs and upload three pieces of malware, including a test program that money mules, standing in front of an ATM, validated had been successfully executed.

“The mules in front of the machines reported the test results back to the remote hackers by using the Wickr Me secure messenger app on their mobile phones,” according to the report. “Once the hackers confirmed that the ATMs were ready for the attack, they uploaded and ran modified vendor test tools that dispensed 40 banknotes at a time” – the maximum that the machine could dispense at once.

The money mules then moved to another ATM and repeated the process, according to the report. “In the meantime, the remote hackers wiped the malicious programs off the victimized ATM and logged off.”

Taiwan network attack. (Source: Europol and Trend Micro)

Ripper Hits Thailand

Meanwhile, in July and August of last year, a cybercrime gang hacked into Thailand’s Government Savings Bank’s network to install new Ripper malware onto NCR-built ATMs managed by the bank. Subsequently, three groups of men jackpotted 21 ATMs across six provinces in Thailand, making off with a total of 12 million baht ($363,000) in cash, police say.

The Ripper campaign, which came to light before the attacks in Taiwan, was the first known attack that involved installing jackpotting malware onto ATMs without having to physically access the ATMs to do so, according to Europol and Trend Micro.

Instead, security researchers say these attacks most likely begin with spear-phishing emailscarrying malicious executable files – malware – as attachments, which the gang sends to prescreened lists of bank employees. If victims fall for this social engineering attack, the malware gives attackers a beachhead on the victim’s PC that they use to attempt to move laterally through the bank’s network, access the ATM infrastructure and then infect as many ATMs as possible.

In the case of the Ripper attacks against the Thai bank, for example, NCR said that after breaching the bank’s network, the attackers spoofed “the software distribution server as the means to deliver the malware to ATMs.”

Banks may be unaware they’ve been hacked until money goes missing. Some types of malware are also designed to delete themselves from an ATM after they’ve been used to jackpot it, “effectively dissolving most traces of the criminal activity,” according to Trend Micro.