Hackers insert malware onto Thai ATMs, steal 12 million baht

The central bank of Thailand (BoT) has shut down about half of its ATMs, suspecting an Eastern European gang of being responsible for planting malware on the machines in order to siphon off 12 million baht ($350,000, £263,000).

The Bangkok Post reported on Tuesday that according to the president of the state-run Government Savings Bank (GSB), Chartchai Payuhanaveechai, malware was found on one of three brands of ATMs used by the bank: those from NCR.

The bank said in a press release that it had detected that the NCR machines had been showing problems with missing money.

An initial examination revealed that 960,000 baht had gone missing from five of the automatic teller machines during 1-8 August.

GSB decided to close down all the NCR machines. That amounts to 47%, or around 3,300, of its 7,000 ATMs nationwide, according to the Bangkok Post.

Further investigation revealed that a total of 12 million baht was missing from 21 machines.

Thai police said that some of the machines were spilling out up to 1 million baht at a time.

This particular type of malware reportedly attacks stand-alone machines.

Chartchai said in the press release that the theft wasn’t related to customers’ accounts, nor to their bank balances. He told local media that the cash machines were tampered with to spew out cash: up to 40,000 baht per transaction.

If that sounds familiar, it’s probably because the same thing happened in a $2 million ATM attack in Taiwan last month.

In that attack, neither cloned cards nor stolen PINs were used to drain bank customers’ accounts.

Instead, the crooks allegedly “jackpotted” the ATMs in a series of cardless “transactions.”

Taiwanese authorities said at the time that they were looking for two Russian nationals, who allegedly wore masks to try to dodge surveillance cameras.

They’re also alleged to have relied on malware implanted on the ATMs to provide a hidden feature to make the machines disgorge money without going through the usual transaction process.

A Latvian and two Romanians were subsequently arrested over the Taiwanese heist, but 13 other suspects – including 2 Russians – managed to escape the country.

According to Reuters, as of 17 July, investigators had identified 3 different malware programs that were used to trigger withdrawals in the Taiwan heist.

The bank is now working with NCR on a fix, having sent infected hard disks to the ATM supplier so it can identify and protect against the malware.

The GSB plans to demand compensation from the ATM supplier.

The Bangok Post’s police sources said that the hack first happened at an ATM in Phangnga province some six months ago, when a suspect used a keyboard and an electronic device to transmit malware to the bank’s system through the ATM.

That tampering should have set off an alarm, but the gang reportedly triggered false alarms repeatedly leading up to the attack in order to throw off local police and bank staff.

The sources said that unlike the Taiwan heist, there were actually rigged chip cards involved in the Thai robbery. The crooks allegedly inserted the cards into GSB’s ATMs, forcing them to dispense 40 banknotes automatically, instead of the 20 they’d normally release.

In spite of what appears to be somewhat different modes of attack with regards to using tampered-with cards or not, Police General Panya Mamen told reporters that Thai police are “confident,” given the evidence, that the group who targeted the GSB ATMs is the same as that responsible for the robbery in Taiwan.

He said that at least 5 foreign suspects traveled from Taiwan to Thailand to carry out the theft, and that they’d probably fled the country by now:

Investigators believe their identity is Eastern European though we are investigating whether any Thais were involved.

After checking machines, the bank has since resumed service for 3,343 NCR ATMs that are in safe locations.