When Kaspersky Lab’s released its report in February detailing how the Carbanak gang, among other things, was able to manipulate ATMs so they’d dispense cash to money mules without any physical interaction, it made quite a few headlines.
Since then, vendors like Israeli-based ThetaRay have been approached by banking institutions to help combat the problem.
“It was very surprising for people. Even I didn’t think it was possible,” said ThetaRay’s CEO Mark Gazit, who got his start 20 years ago by getting paid to break into banks. “But now we see [ATMs are] just like any other device that can be hacked.”
ATMs have long been a favorite target of financially motivated criminals whether through skimming devices, malware, or simple destruction. What’s different about the recent attacks is the ability to compromise multiple ATMs at once, Gazit said.
“What we see recently evolving is a new breed of attacks, which are central-based attacks, against ATM chains. So basically instead of coming and trying to break into each and every ATM and hoping to steal money, what hackers do is they break into central networks and then they can do various types of attacks.”
Carbanak Attacks Steal Millions
When Group-IB and Fox-IT released their report on the former Carberp group members (now known as the Carbanak gang) in December 2014, they confirmed the group had gained access to 52 ATMs via isolated bank network segments that handled ATM transactions. The group was then able to change the denominations of issued banknotes – receiving notes worth 5,000 rubles, for example, instead of 100 rubles.
When Kaspersky released its report two months later, it came with the number that made all the headlines: 100 financial institutions hit with potential losses as high as $1 billion.
While the group approached each institution on a case-by-case basis, one victim faced $7.3 million in losses due to ATM fraud alone.
No U.S. banks have been compromised by the attack, according to what executives with the Financial Services ISAC and the American Bankers Association told American Banker in February.
“That doesn’t mean our banks shouldn’t be watchful as the threat continues, because as long as the criminals are successful and continue to advance, we need to be aware of that as a potentially,” said Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA. “But it appears to be fairly concentrated on Russian banks at this point.”
Despite the damage occurring mostly overseas, the attacks have generated a lot of interest. Automated Teller Machines is the third most discussed cybercrime target tag in the Financials sector so far this year, and the Carbanak backdoor is the fifth most discussed cybercrime practice.
The Carbanak’s gang targeting of ATMs, which made headlines in February, has helped push ATMs to the number three trending target and Carbanak backdoor to the number five trending practice in the Financials sector, according to Hacksurfer security data.
“ATMs in a way are one of the last remnants of the old physical world,” Gazit said, noting that ThetaRay got its start protecting critical infrastructure and that the financial sector has similar threats. “An ATM is a machine. It’s one of the only things in the world of financial organizations that is not software only. It’s a physical machine with physical bills.”
Tyupkin Malware Infects ATMs, Steals Cash
In October 2014 Kaspersky identified another threat targeting ATMs: the Tyupkin malware.
The attack played out like this: without inserting a credit card into the ATM slot, a money mule would enter a combination of digits on an ATM’s keypad, make a phone call to receive further instructions from an operator, and then enter another set of numbers.
“The ATM starts giving out cash, lots of cash,” Kaspersky Lab wrote. “Then they leave.”
In fact, when a bank in Ukraine called Kaspersky to investigate what turned out to be Carbanak, they initially thought it may have been the Tyupkin malware. Both attacks ended with ATMs spewing cash and no card being used.
However, unlike the Carbanak attacks, Tyupkin required physical access to the ATM in order to insert a bootable CD that installed malware. The gang behind the attack even went so far as to make sure only they could get the money. A unique digit combination was needed for every session, ensuring no one outside the gang could accidentally profit from the fraud, and a second number was required to ensure the mules collecting the cash didn’t try to go rogue.
The attack was just one example of a much larger trend.
“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” said Vicente Diaz, principal security researcher at Kaspersky Lab’s global research and analysis team, in October. “Now we are seeing a natural evolution of this threat with cybercriminals moving up the chain and targeting financial institutions directly.”
While both Tyupkin and Carbanak bypass the consumer in favor of the banks, Carbanak takes it a step further by using a centralized approach to target many ATMs at once, Gazit said.
“It’s the first time in financial institutions that network attacks, financial attacks and physical attacks against machinery meet each other.”