The bank robbery has been a staple of the criminal world for years, beloved by ne'er-do-wells for its simplicity and high-risk, high-return pay-offs.
Such activities seem antiquated in the era of cyber crime, but a new twist on the bank robbery is now menacing banks across the world: the use of malware to enslave the humble ‘hole in the wall’ and turn it into a personal cash machine.
The modus operandi has become increasingly popular in the past 12 to 18 months, according to principal security researcher at Kaspersky Labs, David Emm.
“The first malware of this kind we saw dates back to 2009 but I think it’s become more of an issue in the last 12-18 months,” he told V3.
This was underlined by a recent report by Kaspersky that uncovered a malware called Tyupkin. It was found installed on over 50 ATMs at banks in eastern Europe and is believed to have spread to India, China and even the US.
The raids combine the high-end sophistication of malware with the basic simplicity of a robbery to lucrative effect. For Emm this focus on ATMs represents a ‘middle way’ to money that crooks have identified.
“Typically if cyber criminals want to go after money they go to the individual and assume we will not be secure. They could target banks' systems at the back-end, but they will likely be a lot more secure,” he explained.
“However, with individuals they may get the money but they will likely make anywhere between £200 and £300.
"The ATM sits in the middle, though. It is controlled by the bank, but it’s an outcrop of their system and you don’t need access to the bank’s computers to access it.”
Pick-pocketing an ATM
But how do you 'hack' an ATM? Emm explained to V3 that, generally, crooks gain physical access to the ATM and insert a CD that contains the malware. This then gives them control of the terminal.
While opening an ATM and inserting a CD may sound complex, especially as many ATMs are located inside or outside banks in public areas, Emm likens this element of the scam to the operations of a pickpocket.
“When you think of a pickpocket you think: ‘How does someone manage to steal from someone in that way?' But usually they use techniques like misdirection to distract people.
"With ATM raids the crooks sometimes stage a fracas that distracts people while the front is loosened and the CD inserted.”
Once installed, the crooks can simply reboot the system and force it to hand over cash. This plays on another problem with ATMs that the crooks have recognised.
“One of the problems [with ATMs] is they are closed systems. So once they are put in place the mindset is to not mess with it again. This means it won’t be patched or updated,” noted Emm.
ATMs, which are manufactured by third parties and supplied to banks, can also contain some of the same basic security flaws that affect all systems.
Many come with default alarm codes that are never changed. If the crooks find this out they can easily disable them. Similarly, many have default locks and are never fitted with new, bespoke locks on delivery so the crooks know what lies in wait.
V3 contacted Link, the organisation that oversees the ATM industry in the UK, to ask for its stance on the rise of such threats and how it is liaising with members.
Link told V3 that it was aware of the recent Tyupkin malware discovered by Kaspersky and that no-one should have been affected.
“Link continuously works closely with law enforcement and ATM operators to counter threats such as these to the UK’s ATM network,” the company said.
“We are aware of this type of malware attack and would like to reassure that no customers are left out of pocket as a result of it, and no personal details would be compromised.”
Raids and arrests
This could well be because, as Kaspersky noted, the Tyupkin malware was found operating in eastern Europe, rather than the UK. However, such activities are not confined to the continent.
UK police recently raided properties in the UK targeting those believed to be behind a £1.6m ATM heist that took place over a Bank Holiday weekend in May.
The police revealed that the attack method was almost identical to that seen by Kaspersky, as the machines were physically broken into and infected with malware, allowing the gang to extract large amounts of cash.
The police also revealed that the malware deletes itself from the system once used, making it hard to identify the cause of the attacks. They did not name the malware in use, but it could well be the same code uncovered by Kaspersky.
Cooperation between the London Regional Fraud Team, a specialist unit of detectives from British Transport Police, City of London Police and the Metropolitan Police Service, helped track down those believed to be behind the scam.
"This operation represents a significant disruption against a sophisticated criminal enterprise who used specialist malware to target cash points and steal large quantities of cash," said Nigel Kirby, deputy director for the NCA's Economic Crime Command, after the raids.
The rise of such scams should come as no surprise to banks, as crooks have always come up with new ways to extract money without their knowledge.
Clearly criminals no longer need sawn-off shotguns and balaclavas - a CD and some software is all it takes to make off with millions in ill-gotten gains.