Anti-Malware , ATM Fraud , Fraud

Lessons from ATM Fraud Ring Arrests

European Crime Gang Busted for 'Jackpotting' Attacks
Lessons from ATM Fraud Ring Arrests

The takedown of an Eastern European gang believed to have been responsible for a string of ATM jackpotting attacks across Europe serves as a reminder of why ATMs with outdated operating systems and universal access keys pose significant worldwide security risks.

See Also: Achieving Advanced Threat Resilience: Best Practices for Protection, Detection and Correction

The Romanian National Police and the Directorate for Investigating Organised Crimes and Terrorism, along with Europol and other European law enforcement authorities, arrested eight individuals after house searches in Romania and the Republic of Moldova, Europol announced on Jan. 7.

To wage the attack, the criminals compromised the ATMs locally, after physically opening ATM enclosures, presumably with universal keys and/or codes, and installed Tyupkin malware via a bootable CD, says Europol, the European Union's law enforcement agency.

Tyupkin targets ATMs running Windows 32-bit, a much slower and more rigid version of the operating system than 64-bit, which is easier to update and patch and supports larger programs, according Kaspersky Labs, which analyzed the malware back in 2014.

While most of the infections were found in Europe, Kaspersky notes in its research that ATMs in the U.S., India, China, Israel, France and Malaysia also had been infected.

Europol says in its announcement about the takedown that the malware was used to drain ATM cassettes of their cash without detection.

"The criminal group, composed of Romanian and Moldovan nationals, was involved in large scale ATM 'jackpotting' [scheme], causing substantial losses across Europe to the ATM industry," Europol states. "ATM jackpotting refers to the use of a Trojan horse, physically launched via an executable file, in order to target an ATM, thus allowing the attackers to empty the ATM cash cassettes via direct manipulation, using the ATM PIN pad to submit commands to the Trojan."

After reviewing ATM surveillance footage, the banks and law enforcement pieced together how the attacks were waged, Kaspersky Labs notes.

The best way for banks to protect themselves from these types of attacks is by ensuring their operating systems and software are up to date, running network analytics to detect anomalies in ATM traffic, changing default passcodes or universal keys used to open ATM enclosures, and regularly inspecting ATMs for tampering, experts agree.

"A significant portion of ATMs continue to run legacy operating systems and aren't kept up to date as new attacks and new strains of malware are discovered," says Jesse McKenna, director of product management at data security firm vArmour. "Just as the best practice for home computer owners is to keep their PCs up to date with all current security patches, the same is true for banks and ATMs."

ATM Vulnerabilities

ATMs running outdated versions of Windows is a growing concern because of the risk of jackpotting attacks, says Patrick Wardle, director of research at cybersecurity firm Synack.

"Once the hackers gain physical access, it's game-over," Wardle says. "In this case, the ATM's CD-ROM unit appears easily accessible through a universal key."

Wes Wineberg, a threat researcher at Synack, contends that ATM manufacturers, including NCR, whose ATMs were affected by this malware, aren't doing enough to enhance the physical security of ATM enclosures.

"From a security perspective, the issue is that NCR is not considering the attack vector of someone who is able to open the ATM," he says. "NCR states that their newer ATMs do a lot more in terms of preventing malicious code from running on the ATM, and possibly locking down diagnostic interfaces as well. It sounds like older versions did not have these measures in place, allowing attackers to potentially be able to run code from the ATM's USB or CD-ROM interfaces."

Although the ATMs compromised with Tyupkin were infected locally, McKenna says other types of ATM malware attacks, such as Carbanak, which are launched via the bank's enterprise network, could be detected with better network analytics.

Carbanak was used to defraud banks in Europe, the U.S. and elsewhere of an estimated $1 billion (see Cybercrime Gang: Fraud Estimates Hit $1B).

"If the ATMs were compromised via the banking computer network, versus the physical ports on the ATMs themselves ... additional analytics on the network traffic connecting the ATMs to the core banking platforms likely could have uncovered anomalies that would have indicated that the ATMs were in the process of being compromised," McKenna says. "We will continue to see attacks such as these through 2016 and beyond, as financial institutions work to improve their processes for keeping their ATMs protected against the latest malware threats."

ATM Malware Threat Growing

In its announcement, Europol's European Cybercrime Centre notes that the threat of malware attacks waged against ATMs is increasing, and Europol is working with the European ATM Security Team to regularly issue and update best practices for ongoing ATM security.

"Over the last few years we have seen a major increase in ATM attacks using malicious software," says Wil van Gemert, Europol's deputy director operations. "The sophisticated cybercrime aspect of these cases illustrates how offenders are constantly identifying new ways to evolve their methodologies to commit crimes. To match these new technologically savvy criminals, it is essential, as it was done in this case, that law enforcement agencies cooperate with their counterparts via Europol to share information and collaborate on transnational investigations."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network