Cyber Crime

Crooks steal millions from European ATMs with jackpotting attacks

Criminal gangs like the Cobalt gang are now focusing their efforts on the banks to steal cash directly from the ATMs with jackpotting attacks.

Security experts are assisting a change of tactics for the criminal organizations who target the ATMs and online banking credentials. Crooks are now focusing their efforts on the banks in the attempt to steal cash directly from the ATMs.

In the last months, cyber criminals targeted ATM machines in Taiwan and Thailand, in both cases, crooks used a malware to infect the machine and have instructed them on spitting out cash on demand. The principal ATM manufacturers, Diebold Nixdorf and NCR Corp., confirmed to be aware of the ATM attacks and had already been working with their customers to mitigate the threat.

“We have been working actively with customers, including those who have been impacted, as well as developing proactive security solutions and strategies to help prevent and minimize the impact of these attacks,” said Owen Wild, NCR’s global marketing director for enterprise fraud and security.

This technique is known as ATM jackpotting, the FBI has warned U.S. banks of the potential attacks.

The FBI confirmed in a bulletin earlier this month that it is “monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector.”

According to law enforcement, the malware used in the attack could be a product of the Buhtrap ATM gangwhich stole 1.8 Billion rubles ($28 Million) from Russian banks between August 2015 and January 2016.

The cyber security firm Group-IB who investigated the string of ATM jackpotting attack  confirmed that cyber criminals have remotely infected ATMs with malware in more than dozen countries across Europe this year. The name of targeted banks was not disclosed, but the researchers confirmed the victims were located in Armenia, Bulgaria, Estonia, Georgia, Belarus, Kyrgyzstan, Moldova, Spain, Poland, the Netherlands, Romania, the United Kingdom, Russia, and Malaysia.

According to Group-IB, crooks have been targeting ATMs for at least five years, but the recent wave of attacks mostly targeted small numbers of ATMs because criminals have to physical access to the machines.

“To perform a logical attack, hackers access a bank’s local network, which is further used to gain total control over ATMs in their system. Cash machines are then remotely triggered to dispense money, allowing criminals to steal large amounts with relative ease. With full control over ATMs, criminals can choose the exact attack time to loot newly  filled ATMs.” states the report from Group-IB. “This results in millions of dollars lost, as in the case of the First Bank. That said, such attacks do not require developing expensive advanced software – a significant amount of tools used by the hackers is widely available from public sources, as will be further covered later in this report. ”

Group-IB attributed the attacks against the ATMs across Europe to a single criminal group, dubbed Cobalt.

The group launched spear phishing attacks with a malicious attachment in order to infect systems in the target banks. The emails purport to come from the European Central Bank, the ATM maker Wincor Nixdorf, or other banks.

“Criminals send emails with attachments containing exploits and password-protected archives with executable files. In the attacks, phishing emails were sent from virtual servers, which had installed an anonymous mailing script “yaPosylalka v.2.0” (another name of the service is “alexusMailer v2.0”) developed by Russian-speaking cyber-criminals.” continues Group-IB.

The criminal gang use Cobalt Strike, a legitimate program designed to perform penetration testing and the Mimikatz tool to compromise domain and local accounts.

The researchers from Group-IB believe that Cobalt gang is linked to Buhtrap,

“Group-IB specialists believe that just after the arrest of the Buhtrap group in May their botnet was sold to other criminals who are continuing its use to steal money from corporate accounts. That said, according to our analysis of Cobalt attacks on ATMs of Russian and European banks, the methods used by criminals to deliver phishing emails and obtain control over a domain controller are identical to those used by the Buhtrap group. Purportedly, at least a part of the Buhtrap group became Cobalt members, or more likely Buhtrap core members shifted their focus to attacks on ATMs. ” explains Group-IB.

I suggest the reading of the Group-IB report on the Cobalt gang, it is full of details that are very useful to prevent such kind of attacks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Cobalt gang, jackpotting attacks)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

4 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

15 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

20 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.