A new, highly sophisticated set of attacks on European ATMs (using malware that has now spread to U.S. ATMs) involves knowing the time of day when the ATM malware is expecting instructions.
“Video footage obtained from security cameras at infected ATMs shows that the hacks occur at night and only on Sundays and Mondays. The malware only accepts commands at specific times on Sunday and Monday nights, so that the scam is harder to spot,” reported The Wall Street Journal.
The story reported that researchers for security vendor Kaspersky Lab and INTERPOL discovered ATM malware that allows criminals to empty cash machines of cash. “At the time of the investigation around March this year, the malware was active on more than 50 ATMs at banking institutions in Eastern Europe and Russia. Kaspersky says the malware has spread to the U.S., Israel, Malaysia, France, India and China. ATMs are not connected to the Internet, so it may not be possible to register attacks unless the victim bank reports it. The confirmation of the spread of the malware is made possible through local contributions to sites that register computer viruses, as well as from law enforcement agencies.”
The methodology details are intriguing. The attack starts with a bootable disk being inserted into the ATM, in the same manner that the devices are routinely accessed for maintenance. This causes the ATM to reboot, and the attack is then performed by hitting specific digits on the ATM’s keyboard. The attacks are on ATMs deployed on the street, not at their point of assembly, the story notes.
“Kaspersky Labs said the key to the scam was a two-step verification process based on specific timing: a unique digital combination is generated for every ‘withdrawal,’ which ensures that no random ATM customer can unwittingly profit from the scam,” the story said, adding that the attack even has safeguards to prevent one attacker from ripping off other attackers. “Next, the hacker on site makes a call to receive further instructions from an operator and enters another set of numbers. The criminals do this, according to the security company, so that those actually taking the money can’t perform the entire operation themselves. Once the correct set of numbers is punched in, the ATM starts giving out cash. The whole operation, from infecting the machine to withdrawing the cash, takes about four minutes, Kaspersky Lab said.”
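For defenders, the behaviours reported above (a reboot like the one caused by maintenance access, activity confined to Sunday and Monday nights, and cash out within about four minutes) can be combined into a log check. The following is an added example, not code from the article or from Kaspersky Lab; the event names, log layout, night hours and 10-minute dispense window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real ATM logs): (ISO timestamp, ATM id, event type).
SAMPLE_EVENTS = [
    ("2024-01-07T23:41:10", "ATM-A", "REBOOT"),    # Sunday night, unscheduled
    ("2024-01-07T23:44:30", "ATM-A", "DISPENSE"),  # cash out minutes after the reboot
    ("2024-01-09T01:15:00", "ATM-D", "REBOOT"),    # early Tuesday = still Monday night
    ("2024-01-09T10:00:00", "ATM-B", "REBOOT"),    # Tuesday, inside a maintenance window
    ("2024-01-09T10:20:00", "ATM-B", "DISPENSE"),
    ("2024-01-10T14:00:00", "ATM-C", "REBOOT"),    # Wednesday afternoon, unscheduled
]
# Constructed maintenance schedule: ATM id -> list of (start, end).
SAMPLE_MAINTENANCE = {"ATM-B": [("2024-01-09T09:30:00", "2024-01-09T11:00:00")]}

DISPENSE_WINDOW = timedelta(minutes=10)  # assumption; the article cites about four minutes
REPORTED_NIGHTS = {6, 0}                 # Sunday=6, Monday=0 in datetime.weekday()

def night_weekday(ts):
    """Weekday a night belongs to; hours before 06:00 count as the previous evening."""
    if ts.hour < 6:                      # assumption: "night" is 22:00 to 06:00
        return (ts - timedelta(days=1)).weekday()
    if ts.hour >= 22:
        return ts.weekday()
    return None                          # daytime

def in_maintenance(atm, ts, maintenance):
    return any(datetime.fromisoformat(s) <= ts <= datetime.fromisoformat(e)
               for s, e in maintenance.get(atm, []))

def find_suspicious_reboots(events, maintenance):
    """Flag reboots outside scheduled maintenance and rank them by the reported pattern."""
    parsed = sorted((datetime.fromisoformat(t), atm, kind) for t, atm, kind in events)
    alerts = []
    for ts, atm, kind in parsed:
        if kind != "REBOOT" or in_maintenance(atm, ts, maintenance):
            continue
        dispensed = any(a == atm and k == "DISPENSE" and ts < t <= ts + DISPENSE_WINDOW
                        for t, a, k in parsed)
        reported_night = night_weekday(ts) in REPORTED_NIGHTS
        if dispensed and reported_night:
            severity = "high"
        elif dispensed or reported_night:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"atm": atm, "reboot": ts.isoformat(), "severity": severity})
    return alerts
```

Every unscheduled reboot is still reported; the day-and-time pattern only raises its priority, since the reported schedule may not hold for other variants.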