Picture this: a late night, a badly lit corner in the slums; aside from a lonesome streetlamp, there\u2019s yet another dim light source \u2013 a lobby of a small sub-office of a major bank. It\u2019s too late for anyone to be around, street is empty, the surroundings have fallen asleep long ago.<\/p>\n
Cash out with ease: why and how #ATMs get attacked<\/p>Tweet<\/a><\/blockquote>\n
A shady figure emerges from the dark. It\u2019s next to impossible to tell the gender: the person is wearing a baggy street-style hoodie. The figure enters the lobby, comes to one of those cash dispensers, then freezes. A moment or two later, he (or maybe she? \u2013 you never know) starts packing something into a knapsack he has brought along. Once everything\u2019s done, the figure vanishes into the dark again\u2026<\/p>\n
\u2026In the morning the bank workers discover that at least one ATM is empty of cash.<\/p>\n
As readers could have already guessed, the hooded figure was a so-called money mule, the person hired for taking the cash from the compromised ATM \u2013 most likely the compromise had been performed remotely. \u00a0There\u2019s a reason this is a simple act to perform.<\/p>\n
Easy come, easy go<\/strong><\/p>\n
In fact, modern ATMs are basically construction kits comprised of a number of hardware modules such as cash dispenser, a card reader, a keypad, the display (touch-sensitive or not), etc. But the main system unit is a very mundane PC; whatever custom software is installed there \u2013 ATM units management software, programs used to interact with the user, to communicate with the processing center, etc., all of it run on a quite common operating system.<\/p>\n
And the vast majority of today\u2019s ATMs still use Windows XP. For some reason certain banks also install Acrobat Reader 6.0, Radmin, TeamViewer and other unnecessary programs, and in some cases even dangerous software, making the device even more vulnerable.<\/p>\n
As we know, Microsoft finally dropped the support of this OS in 2014<\/a>. Two years onwards, it\u2019s still around in various forms. ATMs aren\u2019t exactly cheap devices, so it seems quite logical that as long as they can perform their functions, they are exploited, no matter what OS they are using.<\/p>\n
Microsoft dropped the support, so all newly discovered vulnerabilities are there to stay. And not just them: Securelist reports that many machines still have the unpatched critical vulnerability MS08-067<\/a> which allows remote code execution.<\/p>\n
In 2014, Kaspersky Lab researchers discovered Tyupkin<\/a> \u2013 one of the first widely known examples of malware for ATMs, and in 2015 company experts uncovered the Carbanak<\/a> gang, which, among other things, was capable of jackpotting ATMs through compromised banking infrastructure. Both examples of attack were possible due to the exploitation of several common weaknesses in ATM technology, and in the infrastructure that supports them. This is only the tip of the iceberg.<\/p>\n
Attackers sometimes use very sophisticated, multistage operations ending up with mass ATM compromise. The \u201cchain\u201d may indeed be long: some hacking group may compromise infrastructure of some telecom operator using a plain and simple social engineering technique. Having installed backdoors, the hacking group #1 may sell it to somebody else, who then discovers that the telecom company is serving some banks networks. Further research by hacking group #2 shows that ATMs are remotely accessible. Then hacking group #2 deploys some malware to redirect money to the rogue accounts or to force the cash out of certain ATMs at a certain time, which is picked by \u201chooded figures\u201d.<\/p>\n