Mystery surrounds $2M ATM “jackpotting” attack in Taiwan


Mystery still surrounds a recent series of bank heists in Taipei, Taiwan.

Crooks apparently made off with NT$70,000,000 (more than US$2M) in a spate of fraudulent ATM withdrawals just over a week ago, leaving both the banks and investigators unsure quite what happened.

Usually, casher crews, who are the feet-on-the-street of the crooks behind banking cybercrime, take a stash of cloned cards and stolen PINs on a withdrawal spree, hitting ATM after ATM to suck hard cash out of unsuspecting users’ accounts.

But in the recent Taipei attack, no cards were inserted.

Apparently, the crooks jackpotted the ATMs in a series of cardless “transactions.”

Taiwanese authorities now say they are after two Russian nationals, who allegedly wore masks to try to dodge surveillance cameras.

They’re also alleged to have relied on malware implanted on the ATMs to provide a hidden feature to make the ATMs disgorge money without going through the usual transaction process.

They also carried out the attacks, whether by accident or design, while authorities were otherwise occupied by typhoon weather.

Unfortunately for the investigators, it seems that part of the reason the Russians are persons of interest is that they left Taiwan on the Monday immediately after the fraudulent withdrawals.

That adds yet another layer of complexity to the case.

We can’t be sure, of course, that malware was involved or, if it was, how the ATM network was breached in the first place.

But it’s always disappointing to hear of malware on specialised computers such as ATMs or cash registers, not least because you’d hope that trusted devices of that sort would be kept on a dedicated network of their own, reachable only from the servers that genuinely need to talk to them, to reduce their exposure to the rest of the world.

Sadly, as far as we can tell, that sort of network segregation seems to be the exception, rather than the rule.
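To make that sort of segregation concrete, here is an added illustration (not code from the article, and not a description of how the bank in this story had its network configured): an nftables ruleset for a gateway that fronts a dedicated ATM segment. The interface name, the address ranges and the transaction-host ports are assumptions chosen for the example.

```nft
# Added example, not from the article. Interface names, addresses and
# ports below are assumed values for illustration only.
table inet atm_segment {
    # The only backends an ATM is permitted to open connections to:
    # the transaction switch and the monitoring/patch server.
    set allowed_backends {
        type ipv4_addr . inet_service
        elements = { 10.20.0.10 . 443, 10.20.0.11 . 8443 }
    }

    chain forward {
        # Default-deny: anything not explicitly allowed below is dropped,
        # which includes ATM-to-internet and office-LAN-to-ATM traffic.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the ATMs themselves opened.
        ct state established,related accept

        # ATM VLAN (eth1, 10.30.0.0/24) may reach the approved backends only.
        iifname "eth1" ip saddr 10.30.0.0/24 ip daddr . tcp dport @allowed_backends accept

        # Nothing else is ever allowed to initiate a connection to an ATM.
        # Log these: an unexpected inbound session to a cash machine is
        # exactly the kind of event you want a human to look at.
        oifname "eth1" log prefix "ATM-INBOUND-DENIED " drop
    }
}
```

Two caveats a practitioner would add. First, a gateway ruleset only governs traffic that crosses the gateway; if the ATMs share a VLAN, machine-to-machine traffic never reaches it, so lateral movement between ATMs has to be stopped at the switch (port isolation or a private VLAN). Second, the allow-list is only as good as the backends on it: a compromised patch or monitoring server is still a path to every ATM, so those hosts deserve the same scrutiny as the ATMs themselves.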

If there’s a silver lining for customers, it’s the suggestion that the ATMs were reprogrammed to count out banknotes on demand, without linking the dispensed money to any account.

Of course, as a society, we all lose when this happens, but it sounds as though no individual customers will be left with phantom withdrawals posted against their accounts.

Want to segregate the computers on your own network? Personal laptops on one network, visitors on another, and IoT devices separate from both? The Sophos XG Firewall is 100% free for home use, including email scanning, web filtering, intrusion prevention, a VPN and much more.