Posted on September 28, 2017 at 12:44 PM
Hackers can now manipulate ATMs remotely, a development that security experts are calling a shift in the malware landscape.
Trend Micro’s latest cyber threat report highlights the surge of hackers targeting ATMs. By infecting an ATM with malware, attackers can make it dispense cash on command. However, because physically installing the malware at an ATM is risky, cybercriminals have turned to a more covert approach.
In their report, Trend Micro researchers placed emphasis on the increasing number of network-based attacks that have targeted ATMs. The number of attacks increased so much, that software security companies worldwide consider this a “shift in the malware landscape.”
With a network-based attack, criminals can target an ATM anywhere in the world and no longer need privacy at the machine. Previously, a would-be attacker had to pick a machine in an alley, usually at night, where they would not be disturbed by police or onlookers.
The remote approach removes that exposure. The attacker compromises the ATM over the network, and a cash mule can walk up to the machine and collect the money without arousing suspicion.
ATM malware has evolved to such an extent that hackers can now access large sums of money whenever they want. To evaluate this evolution, Trend Micro researchers collaborated with Europol’s European Cybercrime Centre (EC3).
One earlier case cited in the report involved the Ripper malware, which was used to steal the equivalent of $346 000 from 21 ATMs across Thailand. Some 10 000 other ATMs were reportedly vulnerable to Ripper.
According to Trend Micro’s report, network-based attacks require a fair amount of skill to pull off, and attacking an ATM remotely does not eliminate risk: investigators may still trace an online profile or an IP address. Infiltrating a bank’s network is also complex, and the usual way in is through the bank’s employees. Human beings will almost always be the weakest link in any cybersecurity system.
Hackers generally target employees with phishing emails carrying malicious executables that capture the employee’s credentials. Once inside, they move laterally through the bank’s network until they can take control of the ATMs. Trend Micro noticed that some strains of malware even have a self-deleting feature that erases the traces of the criminal activity.
First Commerce Bank suffered such an attack in July 2016, when the equivalent of $2.4m was stolen from ATMs at 22 branches across Taiwan.
The attack is noteworthy for its sophistication. The point of entry was the bank’s London branch, where the attackers compromised the bank’s voice recording system and from there obtained domain administrator credentials. With those credentials they logged into the bank’s VPN, bypassing firewall restrictions and reaching the Taiwan branch network. There they pushed a package disguised as a legitimate ATM software update. The update gave them access to the telnet service on the ATMs, which they used to force illegitimate withdrawals.
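The intrusion chain described above (a domain administrator account used on the VPN, then telnet sessions to the ATMs) suggests two cheap network-level detections: flag telnet to the ATM segment from anything other than the sanctioned management host, and flag any VPN login by a domain administrator account, which should never be VPN-enabled in the first place. The following is an added example, not code from this article or from the Trend Micro report; the log format, IP addresses, account names and network layout are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical network layout, assumed for this example only.
ATM_NET = ipaddress.ip_network("10.50.0.0/16")          # ATM segment
ATM_MGMT_HOSTS = {ipaddress.ip_address("10.10.1.5")}     # the one sanctioned jump host
DOMAIN_ADMINS = {"da-jones", "da-lee"}                   # accounts that must never log in over the VPN

# Constructed, simplified log format (not any vendor's real format):
#   "<vpn|fw> src=<ip> dst=<ip> dport=<port> [user=<name>]"
LINE_RE = re.compile(
    r"^(?P<kind>vpn|fw) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: user=(?P<user>\S+))?$"
)

@dataclass
class Alert:
    rule: str
    line: str

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def check_line(line):
    """Apply both rules to one line; return an Alert or None."""
    rec = parse(line)
    if rec is None:
        return None
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    dport = int(rec["dport"])
    # Rule 1: telnet (TCP/23) into the ATM segment from a host that is not the jump host.
    if rec["kind"] == "fw" and dst in ATM_NET and dport == 23 and src not in ATM_MGMT_HOSTS:
        return Alert("telnet-to-atm-from-unsanctioned-host", line)
    # Rule 2: a domain administrator account authenticating to the VPN at all.
    if rec["kind"] == "vpn" and rec["user"] in DOMAIN_ADMINS:
        return Alert("domain-admin-vpn-login", line)
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and collect the alerts."""
    return [a for a in map(check_line, lines) if a is not None]

# Constructed sample log lines for the example.
SAMPLE_LOGS = [
    "vpn src=203.0.113.7 dst=10.0.0.1 dport=443 user=teller42",   # ordinary VPN login
    "vpn src=203.0.113.9 dst=10.0.0.1 dport=443 user=da-jones",   # domain admin on the VPN
    "fw src=10.10.1.5 dst=10.50.3.21 dport=23",                   # telnet from the sanctioned jump host
    "fw src=10.20.7.8 dst=10.50.3.21 dport=23",                   # telnet from an office workstation
    "fw src=10.20.7.8 dst=10.50.3.21 dport=443",                  # HTTPS to an ATM, not covered by these rules
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"{alert.rule}: {alert.line}")
```

Both rules are allowlist-based rather than signature-based, so they do not depend on recognising a particular malware family: the first assumes ATM administration is funnelled through a known jump host, the second assumes domain administrator accounts are never granted VPN access. Where either assumption does not hold, the rule is a reason to change the environment, not to relax the check.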
The report suggests that the attackers could be ordinary criminal networks that already had access to a bank’s network and realised they could reach the ATM network from it. In the Ripper case, however, this seems unlikely: the attackers were clearly seeking out the ATM network rather than stumbling upon it.
No similar cases have yet been reported in larger markets such as the US or Canada, but security firms expect this to be a growing trend in the years to come.