Sophos Cloud Optix
London police made three arrests last week in connection with the theft of up to £1.6 million ($2.58 million) from over 50 ATMs in cities across the UK.
The crimes took place over this year’s May Day holiday weekend (3 – 5 May) and hit 51 cash machines in multiple areas, including Brighton, Portsmouth and London in the south and Blackpool, Doncaster, Liverpool and Sheffield in the north of England.
The machines affected are described by police as being in “standalone public places”, rather than attached to banks or other secure areas, and were apparently physically broken into by criminals who planted malicious code onto their systems.
This “specialist malware” allowed the crooks to empty the machines of large amounts of cash, averaging over £30,000 per machine, although police reports suggest the malware later removed itself before it could be inspected by investigators, leaving its exact nature something of a mystery.
The crime spree was investigated by officers from the London Regional Fraud Team (LRFT), made up of staff from various forces including the Met Police and City of London Police, backed by intelligence from the National Crime Agency’s Economic Crime Command.
The arrests were made on 23 October, with a 38-year-old man and a 37-year-old woman picked up in Portsmouth and another man, aged 24, arrested in London. The woman is suspected of money laundering offences, and the two men of conspiracy to defraud. The older man remains in custody, while the other two have been released on bail.
Further details on the suspects remain sparse, but the police described them as part of an “organised eastern European crime gang”, while local media reports refer to them as a “Romanian gang”.
As the thieves targeted weaknesses in the systems underlying the ATMs rather than individual cards or transactions, it’s not believed that any ATM users were directly defrauded by the gang.
ATM security remains an issue for end users, with skimmers and card-catchers a common problem.
But larger-scale fraud and theft involving ATMs tends to make use of stolen account data to produce cloned cards, which are then used in synchronised cash-withdrawal operations.
ATMs tend to fall into that category of hardware which lives longer than the developers of the software powering it may have expected, with many still running aged and unsupported versions of Windows.
As older machines are slowly replaced, the availability of retired hardware becomes a playground for hackers wanting to figure out how they work and how to break into them, either for fun or profit. The availability of old hardware manuals aids this process.
This seems to be allowing more mass heists of the type seen in the UK. A recent incident in Malaysia, again involving multiple machines hit in the space of a few days, apparently involved inserting some sort of media and uploading malware which unlocked the machine’s test functions.
Initial speculation suggested the attack was highly sophisticated, but later reports imply that the machines were rather old and lacked up-to-date protections.
That’s not to say that shiny new machines are immune from compromise though, with every fancy new security process implemented by banks balanced out by ever more devious techniques to subvert their security.
ATMs are basically big boxes full of cash sitting by the side of the road, and so will always be a very tempting target for crooks. Whether they target the underlying software, the authentication process, or simply hit them with hammers until they break open, there will always be fraud and theft.
Ultimately it’s each of us who ends up paying for the losses banks incur in this way, so it’s always good to see those behind these crimes being tracked down and brought to book.
Image of ATM courtesy of Shutterstock.
Doesn’t happen if you use BitCoin! Nuff said?
Exactly! Who would want to use old fashion cash when, with bitcoin, you only have to worry about your wallet being hacked (much better than being physically mugged), places to exchange bitcoin into cash (some places don’t accept bitcoin yet), bitcoin exchanges being hacked (Mt. Gox among others), and the large changes in valuation of the currency throughout the day (1 bitcoin is worth $1000, no wait it’s $850, hold on it’s $550, ah crap it’s worth $342)!
Personally, I don’t mind bitcoin as a hobby that might make me some money but it is to unreliable as a replacement for cash.
Nuff to know you just don’t get it.
Arg. With all the shops and restaurants leaking card details everywhere, I was planning on ONLY using cash. But if I can’t get it from ATMs without worrying about skimmers and card catchers and infected XP backends, I guess it’s time for plan C – go into bank, take out cash from cashier, keep it under the bed until needed.
That way all I have to worry about is burglars. Oh, and of course bank robbers. And crooked cashiers.
“Oh, and of course bank robbers”
You must live in LA.
So let me get this straight, some person unlocked the back of the ATM, probably using a key. The didn’t trigger an alarm or unauthorised access sensor, probably because the bank didn’t have anyone monitoring this machine. They then rebooted the ATM machine, again without the Bank noticing or doing anything about it. The criminals got lucky because the Bank security team probably forgot to mandate any Bios level boot controls or a have a password preventing its Bios settings from being changed. The criminals also got lucky because the machines hard disk was not encrypted. The criminals then booted the machine using a CD or USB key. They probably created a rogue service or modified some local batch file to load the malware 2 minutes after ATM booted from a temporarily USB key the criminals temporarily introduced. The ATM didn’t have any application whitelisting software like solid core despite it being recommended by most ATM vendors. The malware which was introduced didn’t get detected by AV to no ones surprise. And the Bank investigators probably didn’t think to dump the ATM’s memory before powering off the machine or rebooting it. Hence the malware becomes unknown. But luckily the Police caught the money mules on video and they were known to police. Phew.
Anti-virus and “allowlisting” software are both a bit of a red herring if you have boot-level/root-level access to the ATM without triggerering any alarms. (You’d turn them off, wouldn’t you?)
I think your conclusion (“phew”) is probably quite an apposite one.