Arrests made after ‘specialist malware’ used in £1.6 million ATM heist

£1.6 million ATM heist spree leads to 3 arrests

London police made three arrests last week in connection with the theft of up to £1.6 million ($2.58 million) from over 50 ATMs in cities across the UK.

The crimes took place over this year’s May Day holiday weekend (3 – 5 May) and hit 51 cash machines in multiple areas, including Brighton, Portsmouth and London in the south and Blackpool, Doncaster, Liverpool and Sheffield in the north of England.

The machines affected are described by police as being in “standalone public places”, rather than attached to banks or other secure areas, and were apparently physically broken into by criminals who planted malicious code onto their systems.

This “specialist malware” allowed the crooks to empty the machines of large amounts of cash, averaging over £30,000 per machine, although police reports suggest the malware later removed itself before it could be inspected by investigators, leaving its exact nature something of a mystery.

The crime spree was investigated by officers from the London Regional Fraud Team (LRFT), made up of staff from various forces including the Met Police and City of London Police, backed by intelligence from the National Crime Agency’s Economic Crime Command.

The arrests were made on 23 October, with a 38-year-old man and a 37-year-old woman picked up in Portsmouth and another man, aged 24, arrested in London. The woman is suspected of money laundering offences, and the two men of conspiracy to defraud. The older man remains in custody, while the other two have been released on bail.

Further details on the suspects remain sparse, but the police described them as part of an “organised eastern European crime gang”, while local media reports refer to them as a “Romanian gang”.

As the thieves targeted weaknesses in the systems underlying the ATMs rather than individual cards or transactions, it’s not believed that any ATM users were directly defrauded by the gang.

ATM security remains an issue for end users, with skimmers and card-catchers a common problem.

But larger-scale fraud and theft involving ATMs tends to make use of stolen account data to produce cloned cards, which are then used in synchronised cash-withdrawal operations.

ATMs tend to fall into that category of hardware which lives longer than the developers of the software powering it may have expected, with many still running aged and unsupported versions of Windows.

As older machines are slowly replaced, the availability of retired hardware becomes a playground for hackers wanting to figure out how they work and how to break into them, either for fun or profit. The availability of old hardware manuals aids this process.

This seems to be allowing more mass heists of the type seen in the UK. A recent incident in Malaysia, again involving multiple machines hit in the space of a few days, apparently involved inserting some sort of media and uploading malware which unlocked the machine’s test functions.

Initial speculation suggested the attack was highly sophisticated, but later reports imply that the machines were rather old and lacked up-to-date protections.

That’s not to say that shiny new machines are immune from compromise though, with every fancy new security process implemented by banks balanced out by ever more devious techniques to subvert their security.

ATMs are basically big boxes full of cash sitting by the side of the road, and so will always be a very tempting target for crooks. Whether they target the underlying software, the authentication process, or simply hit them with hammers until they break open, there will always be fraud and theft.

Ultimately it’s each of us who ends up paying for the losses banks incur in this way, so it’s always good to see those behind these crimes being tracked down and brought to book.

Image of ATM courtesy of Shutterstock.