While payment card fraud and identity theft remain popular, gangs of cyberthieves are increasingly turning to ATMs as a preferred way of stealing cold hard cash. These attacks, known as jackpotting or cashing out, have recently been carried out in Taiwan, Russia, the UK, The Netherlands, Spain, Belarus, Estonia, Armenia, and other countries throughout Europe and Asia, according to Europol and Trend Micro. The groups install malware on a financial institution’s network and eventually spread it to the ATMs themselves, which lets them empty the machines of cash.
Unsurprisingly, the malware gets there via spear-phishing. Typically, the thieves send a malicious attachment to pre-screened employees of the financial institution. If an employee opens it, the malware executes and spreads through the internal network. Because it arrives as an email opened by a trusted insider rather than as an attack from outside, it sidesteps perimeter security tools such as firewalls and intrusion detection systems.
Once the malware is on the ATMs, a low-level group member (a money mule) walks up to a machine, enters a sequence of numbers on the keypad, and relieves it of all the cash inside. Sometimes debit and credit card data is also harvested from the ATMs.
Ripper malware was used in such an attack in Thailand in 2016, where thieves stole roughly $363,000 worth of baht. In Taiwan, a more sophisticated technique was used: the thieves obtained administrator credentials by accessing a bank’s voice recording system. They then mapped the network, located the bank’s ATM update system, and used it to push an “update” that loaded malware instructing the machines to dispense the maximum number of banknotes. They ended up with $2.7 million.
These types of attacks are becoming more popular because they are less risky than walking into a bank with a note and a firearm and demanding all the cash from the drawers or vaults. In fact, the remote attackers who direct the money mules are unlikely ever to be identified or caught.
© Copyright 2017 Stickley on Security