Cyber thieves are stealing money from ATMs with infected USB sticks

Two German researchers at the last Chaos Communication Congress in Hamburg revealed how cyber thieves steal money from ATMs with infected USB sticks.

Cyber criminals are exploiting new techniques to attack ATMs (Automated Teller Machines), infecting the devices with specifically crafted malware.

Security researchers discovered a new series of attacks against ATMs: the criminals cut a piece out of the machine's chassis to expose its USB port, then plug in USB drives that load their malicious code onto the ATM.

A detailed description of the technique was presented by two German researchers at the last Chaos Communication Congress in Hamburg, Germany; the attack was used against the cash dispensers of an unnamed European bank.

The two researchers who presented the technique asked that their identities not be divulged. The events date back to July, when a series of ATMs were being emptied despite the ordinary defensive measures in place. The attackers took only the highest-value banknotes to minimize the duration of each theft and the window of exposure.

The investigation revealed that the thieves were vandalizing the ATMs to infect them with USB sticks; once a cash machine was compromised, they patched the holes up to hide any evidence of the attack, which allowed them to return to the same device several times without being noticed.
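As an added illustration (not code from the article, the researchers or any ATM vendor), the following defender-side detection sketch flags the pattern described above: a USB mass-storage device that is not on the bank's approved list appearing on a machine, followed shortly by a program executed from that drive (the article later names the key file hack.bat). The log line format, host name, device serials and the assumption that C: is the system drive are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not a real ATM or Windows log format): timestamp,
# host, event type, then key=value fields. First a bank-approved technician
# key, then an unknown mass-storage device followed by a batch file run from it.
SAMPLE_LOG = """\
2013-07-02T01:12:04 atm-017 usb_arrival class=mass_storage serial=SVC-TECH-0042
2013-07-02T03:41:10 atm-017 usb_arrival class=mass_storage serial=UNKNOWN-001
2013-07-02T03:41:19 atm-017 process_start image=E:\\hack.bat parent=explorer.exe
2013-07-02T03:42:02 atm-017 usb_arrival class=hid serial=KB-1
"""

# Assumed: serial numbers of removable devices the bank has explicitly approved.
ALLOWLIST = {"SVC-TECH-0042"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)\s*(.*)$")

def parse_line(line):
    """Turn one sample log line into a dict; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": when, "host": host, "event": event, **fields}

def detect(log_text, allowlist=ALLOWLIST, window=timedelta(minutes=5)):
    """Alert on (a) a mass-storage device whose serial is not approved and (b) a
    process started from a non-system drive within `window` of such a device."""
    alerts, suspect_times = [], []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["event"] == "usb_arrival" and ev.get("class") == "mass_storage":
            if ev.get("serial") not in allowlist:
                suspect_times.append(ev["ts"])
                alerts.append(f"{ev['host']}: unapproved mass-storage device serial={ev.get('serial')}")
        elif ev["event"] == "process_start":
            image = ev.get("image", "")
            # Assumed: C: is the ATM's system drive, so any other drive letter is removable media.
            on_removable = re.match(r"^[D-Zd-z]:\\", image) is not None
            if on_removable and any(ev["ts"] - t <= window for t in suspect_times):
                alerts.append(f"{ev['host']}: execution from removable media {image}")
    return alerts
```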

The researchers confirmed that the gang behind the attack has a “profound knowledge of the target ATMs”; the malware itself appears to be very complex and designed for this specific goal.

Forensic analysis of the targeted machines revealed that creating the malicious code would have required a large team of skilled developers. Its development must have demanded a significant financial investment over a long period: the code appears sophisticated and cleanly written, not a prototype but the result of numerous improvements.

“For sure, they had to have a profound knowledge of ATMs,” revealed one of the researchers. “Most likely they actually had one to test. Either they stole one and reverse engineered the cash client, or most likely, they had someone on the inside.”

Once the machine was infected, the malware was triggered by a 12-digit access code typed by the cyber criminals, at which point the software launched a special interface.

Instances of the malicious software were found on four of the targeted machines; the malware displayed the amount of money available in each denomination of note and presented a series of menu items to release them.

The investigators made an interesting discovery: the thieves, driven by mutual distrust, implemented an access mechanism for the money that requires two codes, one from each member of the gang.

“But the crimes’ masterminds appeared to be concerned that some of their gang might take the drives and go solo. To counter this risk the software required the thief to enter a second code in response to numbers shown on the ATM’s screen before they could release the money.” reported a post on the BBC.

In this two-step authentication process the thief at the machine could only obtain the second code by phoning another gang member and reading out the numbers displayed on the screen; if the correct code was not entered, the ATM returned to its normal state after three minutes.

The malware also has the capability to intercept information such as customer PIN numbers or account data, although its primary function is the immediate extraction of cash.

Just out of curiosity: the key file was called hack.bat. The German researchers expressed their conviction that similar attacks will soon be observed elsewhere:

“I’m not sure this is the end attack, or the end game. We’ll probably see this kind of malware on another bank, in another city, on another continent.”

No doubt cybercrime follows the money… and it has moved to the ATMs to withdraw it.

Pierluigi Paganini

(Security Affairs –  ATMs, cybercrime)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
