Criminals Control, Cash Out Banks ATM Machines

Published: 22/11/2024   Category: security




New, sophisticated ATM heist used a malware-laden USB stick to hijack the machine; one arrest has been made



In what could be a sign of what's ahead in ATM fraud, a highly sophisticated and well-funded criminal gang targeted an overseas bank and commandeered at least four of its ATMs with malware-rigged USB sticks in order to empty them of cash.
Tillmann Werner, a researcher for CrowdStrike, says the organized crime group cracked open the ATMs and plugged in a USB stick containing a DLL exploit payload. The payload reconfigured the ATM software so that the attackers controlled it, which let money mules steal all of the cash stored in those machines. There has been a single arrest so far, a money mule, and the attacks may have caused millions of dollars in losses. Similar attacks are expected against other banks as well, he says.
"They crack the ATM open and plug in the USB drive. It's risky, but nevertheless, it works," Werner says.
Werner declined to name the victim bank or the brand of ATMs it runs. The attacks still appear to be under way, he says. "The fact that such a sophisticated group is operating right now is the most important fact. Another thing that's interesting is banks in Germany potentially have the same issue, although we haven't seen an attack like that in Germany so far," Werner says.
The attackers physically took apart the ATMs and inserted a USB stick carrying a malicious DLL installer into the printer port, giving them control of the ATM's Windows XP-based operating system. When the ATM's network connection is interrupted, the machine automatically reboots, and it boots from the malicious USB stick. The installer program collects information from the ATM system and also keeps a log file for the attackers.
"It's a DLL injection file attack into the running process [of the ATM], and then you have code running in that process, and they can do what they want," Werner says.
One member of the gang was caught when he went to one of the ATMs to cash out. The cash-out works like this: the attacker types in a 12-digit code, which brings up the malicious menu on the ATM screen. He answers a challenge question, then calls one of his accomplices for a response code, which he enters to make the ATM dispense the cash. Because the response code has to come from an accomplice, a mule who knows the 12-digit code cannot empty a machine on his own. Emptying the ATM takes only a few minutes.
Unlike the Ploutus ATM malware discovered last year, which targeted bank customers during their ATM transactions, this attack goes after the bank's own cash in the ATMs. "It's not related to Ploutus," he says, which is child's play compared with this new, more advanced method that steals from the bank itself.
Attacks against ATMs have mostly been skimming attacks, he says. "With this attack, you can empty a whole ATM and make a lot of money ... It definitely takes a mafia-like organization to pull off such an attack."
The victim bank discovered the heist only when its ATMs ran out of cash earlier than expected. "It doesn't leave any [other] traces," Werner says. The only clue is that the cash balance in the machine declines; the theft transaction isn't detected.
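The gap Werner describes, a cash balance that falls with no transaction to match it, is also the one thing a bank can watch for. Below is an added example, not code from the article, the victim bank or CrowdStrike, of the reconciliation check that catches it: it compares the dispenser's reported cash level against what the transaction journal can account for and flags any shortfall, then narrows the theft to the interval between the last clean reading and the first bad one. The journal and counter-reading formats, the amounts and the timestamps are all constructed for the example; real ATM journals and dispenser counters are vendor specific.

```python
"""Reconcile an ATM's dispenser cash counter against its transaction journal.

Added example; this is not code from the article, the victim bank or
CrowdStrike. The journal and counter-reading formats are hypothetical (real
journals and dispenser counters are vendor specific). The point it shows: a
dispense driven by injected code never produces a withdrawal record, so the
only trace is cash leaving the cassette with no journal entry to explain it.
"""
from dataclasses import dataclass
from datetime import datetime


def at(hhmm):
    """Build a timestamp on a fixed sample day from an 'HHMM' string."""
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[2:]))


@dataclass(frozen=True)
class JournalEntry:
    ts: datetime
    amount: int        # cash dispensed for an authorized, journaled withdrawal


@dataclass(frozen=True)
class CounterReading:
    ts: datetime
    remaining: int     # cash the dispenser reports as still loaded


def reconcile(initial_load, journal, readings, tolerance=0):
    """Return one alert per counter reading that the journal cannot explain.

    expected(t)  = initial_load - sum(journaled dispenses with ts <= t)
    shortfall(t) = expected(t) - observed remaining at t
    Any shortfall above `tolerance` is cash that left the machine without a
    transaction record. `tolerance` absorbs legitimate counter drift (rejects,
    retracted notes); set it from the fleet's normal reconciliation error.
    """
    alerts = []
    for r in sorted(readings, key=lambda x: x.ts):
        journaled = sum(e.amount for e in journal if e.ts <= r.ts)
        expected = initial_load - journaled
        shortfall = expected - r.remaining
        if shortfall > tolerance:
            alerts.append({"ts": r.ts, "expected": expected,
                           "observed": r.remaining, "shortfall": shortfall})
    return alerts


def first_shortfall_window(initial_load, journal, readings, tolerance=0):
    """Return (last clean reading, first bad reading) so that CCTV and access
    logs can be pulled for the interval in which the cash actually left."""
    alerts = reconcile(initial_load, journal, readings, tolerance)
    if not alerts:
        return None
    first_bad = alerts[0]["ts"]
    clean = [r.ts for r in readings if r.ts < first_bad]
    return (max(clean) if clean else None, first_bad)


# Constructed sample data: 100,000 units loaded, three normal withdrawals,
# and a 54,000 drop between 10:00 and 10:06 with no journal entry at all.
INITIAL_LOAD = 100_000
JOURNAL = [JournalEntry(at("0845"), 200),
           JournalEntry(at("0930"), 500),
           JournalEntry(at("1130"), 100)]
READINGS = [CounterReading(at("0900"), 99_800),
            CounterReading(at("1000"), 99_300),
            CounterReading(at("1006"), 45_300),
            CounterReading(at("1200"), 45_200)]

if __name__ == "__main__":
    for a in reconcile(INITIAL_LOAD, JOURNAL, READINGS):
        print(f"{a['ts']:%H:%M} expected {a['expected']:>7} "
              f"observed {a['observed']:>7} shortfall {a['shortfall']}")
    print("theft window:", first_shortfall_window(INITIAL_LOAD, JOURNAL, READINGS))
```

The bank in the story ran this same comparison, late and by hand, when the machines went empty ahead of schedule; doing it continuously on the host side turns a multi-week loss into an alert minutes after the first cash-out. One caveat that follows from Werner's description of the attack: the counter value must come from the dispenser hardware or the host's own replenishment records, not from the same Windows process the attackers have injected code into, because code running in that process can misreport the balance as easily as it can dispense.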
There are ways to prevent such an attack, but with ATMs not built with software security in mind, it's tough to defend against it today. "You have to secure the PC, but that's easier said than done," Werner says. The best bet is to set a boot password on the system, so that the machine cannot be rebooted from an attacker-supplied USB stick, which would prevent this attack, or to encrypt the ATM's hard drive.
The attack could work on banks in the U.S. as well, he says. The attackers have different versions of the malware for different banks, he says. "It has nothing to do with the banking system. They're going after the machine that spits out the money," he says. "Maybe they're not attacking U.S. ATMs because they use less cash in their ATMs."