Crooks steal millions from European ATMs with jackpotting attacks

Pierluigi Paganini November 25, 2016

Criminal gangs like the Cobalt gang are now focusing their efforts on the banks to steal cash directly from the ATMs with jackpotting attacks.

Security experts are assisting a change of tactics for the criminal organizations who target the ATMs and online banking credentials. Crooks are now focusing their efforts on the banks in the attempt to steal cash directly from the ATMs.

In the last months, cyber criminals targeted ATM machines in Taiwan and Thailand, in both cases, crooks used a malware to infect the machine and have instructed them on spitting out cash on demand. The principal ATM manufacturers, Diebold Nixdorf and NCR Corp., confirmed to be aware of the ATM attacks and had already been working with their customers to mitigate the threat.

“We have been working actively with customers, including those who have been impacted, as well as developing proactive security solutions and strategies to help prevent and minimize the impact of these attacks,” said Owen Wild, NCR’s global marketing director for enterprise fraud and security.

This technique is known as ATM jackpotting, the FBI has warned U.S. banks of the potential attacks.

The FBI confirmed in a bulletin earlier this month that it is “monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector.”

According to law enforcement, the malware used in the attack could be a product of the Buhtrap ATM gangwhich stole 1.8 Billion rubles ($28 Million) from Russian banks between August 2015 and January 2016.

The cyber security firm Group-IB who investigated the string of ATM jackpotting attack  confirmed that cyber criminals have remotely infected ATMs with malware in more than dozen countries across Europe this year. The name of targeted banks was not disclosed, but the researchers confirmed the victims were located in Armenia, Bulgaria, Estonia, Georgia, Belarus, Kyrgyzstan, Moldova, Spain, Poland, the Netherlands, Romania, the United Kingdom, Russia, and Malaysia.

According to Group-IB, crooks have been targeting ATMs for at least five years, but the recent wave of attacks mostly targeted small numbers of ATMs because criminals have to physical access to the machines.

“To perform a logical attack, hackers access a bank’s local network, which is further used to gain total control over ATMs in their system. Cash machines are then remotely triggered to dispense money, allowing criminals to steal large amounts with relative ease. With full control over ATMs, criminals can choose the exact attack time to loot newly  filled ATMs.” states the report from Group-IB. “This results in millions of dollars lost, as in the case of the First Bank. That said, such attacks do not require developing expensive advanced software – a significant amount of tools used by the hackers is widely available from public sources, as will be further covered later in this report. ”

Group-IB attributed the attacks against the ATMs across Europe to a single criminal group, dubbed Cobalt.

The group launched spear phishing attacks with a malicious attachment in order to infect systems in the target banks. The emails purport to come from the European Central Bank, the ATM maker Wincor Nixdorf, or other banks.

“Criminals send emails with attachments containing exploits and password-protected archives with executable files. In the attacks, phishing emails were sent from virtual servers, which had installed an anonymous mailing script “yaPosylalka v.2.0” (another name of the service is “alexusMailer v2.0”) developed by Russian-speaking cyber-criminals.” continues Group-IB.

The criminal gang use Cobalt Strike, a legitimate program designed to perform penetration testing and the Mimikatz tool to compromise domain and local accounts.

cobalt-strike-gang jackpotting

The researchers from Group-IB believe that Cobalt gang is linked to Buhtrap,

“Group-IB specialists believe that just after the arrest of the Buhtrap group in May their botnet was sold to other criminals who are continuing its use to steal money from corporate accounts. That said, according to our analysis of Cobalt attacks on ATMs of Russian and European banks, the methods used by criminals to deliver phishing emails and obtain control over a domain controller are identical to those used by the Buhtrap group. Purportedly, at least a part of the Buhtrap group became Cobalt members, or more likely Buhtrap core members shifted their focus to attacks on ATMs. ” explains Group-IB.

I suggest the reading of the Group-IB report on the Cobalt gang, it is full of details that are very useful to prevent such kind of attacks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Cobalt gang, jackpotting attacks)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment