A cyber-criminal collective known as the Cobalt Group is suspected to be behind the ATM malware “touchless jackpotting” attacks across 14 countries in Europe, including the Netherlands, Russia, Britain, Poland, Romania and Spain.
According to analysis from Comodo Labs, hackers typically initiate an infection using phishing attacks to gain access to the bank’s network. From there, they pivot through the network to gain access to an ATM’s individual system and plant the bad code. Once the malware is installed, the team can simply send a remote command to specific ATMs to spit out cash. This money is then collected by money mules, who get a share of the whole amount collected.
“In this attack, the cyber criminals themselves did not have to go to the individual ATM machines to plant the malware,” Comodo explained, in a blog. “From the server, they spread the malware to specific ATM machines across Europe… The malware is so potent that once it just enters the financial network of any bank, it can spread to the server.”
The firm also thinks that there could be a link between Cobalt and Buhtrap, another cyber-criminal group that carries out similar kinds of attacks. Buhtrap, known for stealing money through fraudulent wire transfers, has been testing ATM hacking techniques on Russian banks, and will soon look to try them out on financial institutions in other countries, according to the FBI. The FBI also recently said that it was “monitoring emerging reports indicating that well-resourced and organized malicious cyber-actors have intentions to target the US financial sector,” including ATM jackpotting attacks.
“These kinds of attacks are dangerous as the complete attack happens logically; physical presence is not involved,” the Comodo team said. “When cyber-criminals infected the banking servers, they have also been able to compromise the SWIFT (a secure messaging provider) system to issue fraudulent money transfers through the SWIFT system.”
To thwart their efforts, employee education is an obvious place to start. Training on cybersecurity measures, various types of malware attacks—phishing, spear phishing, spoofed mails, etc.—and how to identify fraudulent emails should be front and center. It’s also advisable to place ATMs in buildings that can be completely covered by security cameras, to deter money collectors who would get recorded on the cameras.
And, of course, updating ATM operating systems with the latest patches and employing effective security systems to detect and block malicious activity in real-time are other best practices.
Photo © Dragon Gordic