First, using a bootable CD, the criminals gained access to the computers inside ATMs running an old version of Windows and infected them with malware. The malware had several notable features: it disabled the installed antivirus protection, and it spent most of the week "in hibernation", accepting commands from the criminals only at night, from Saturday to Sunday and from Sunday to Monday. The trojan could also disconnect the ATM from the local network, so that the bank's services could not connect to the machine remotely and check what was happening to it.
To collect the money, the attacker walked up to the infected ATM and entered a specific PIN, which opened a hidden command menu. From there he could either start dispensing cash or perform operations on the trojan itself, including deleting it.
In this way, by infecting more than 50 ATMs across Eastern Europe, the criminals collected hundreds of thousands of dollars without raising any suspicion.
According to Kaspersky Lab: "So far the hackers have learned to infect ATMs of only one vendor, but nothing prevents them from going further and compromising other models. If vendors and banks do not take care of stronger physical security for ATMs, stories like this will be repeated more and more often."
So the arrest of eight people following searches in Romania and Moldova cannot stop this type of fraud on its own. ATM vendors and financial institutions should stay alert: change every password that is set by default, and above all review the physical protection of ATMs, because opening an ATM is not as hard as it seems.
It is also worth remembering another recent story involving ATMs in Eastern Europe, in which the fraud likewise did not affect the banks' customers: hackers devised a new money-theft scheme and stole 250 million rubles.
The criminal obtained a payment card, topped it up and immediately withdrew the deposited money at an ATM, requesting a receipt. The transaction details then went to an accomplice who had access to infected POS terminals. Through those terminals, using the appropriate operation code, a cancellation of the cash withdrawal was generated. As a result the card balance was instantly restored, and the attacker had the "cancelled" money back on the account. The criminals repeated these steps over and over until the ATMs ran out of cash, adjusting the scheme whenever the banks fixed an error. Several criminal cases were opened against those involved; the "money mules" came from London, Ukraine, Latvia and Lithuania.
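To make the failure mode concrete, here is an added example (not code from the original post, and not any bank's real authorization system) that replays the cycle described above against a toy issuer ledger. Terminal identifiers, amounts and the message shape are assumptions; real card networks carry reversals in ISO 8583 messages with far more fields. The naive issuer refunds any reversal that references a known withdrawal; the stricter variant accepts a reversal only from the terminal that requested the original authorization, only while no cash has been dispensed, and only once.

```python
"""Toy simulation of the withdraw-then-reverse scheme. Constructed example;
all identifiers, amounts and message shapes are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Authorization:
    amount: int          # minor units (kopecks); assumed
    terminal: str        # terminal that requested the withdrawal
    dispensed: bool = False
    reversed: bool = False


class Issuer:
    """Minimal card-issuer ledger: authorize a withdrawal, record that cash
    left the machine, and (in subclasses) process reversal messages."""

    def __init__(self, balance: int):
        self.balance = balance
        self.auths = {}   # auth_id -> Authorization

    def authorize_withdrawal(self, auth_id: str, amount: int, terminal: str) -> bool:
        if amount <= 0 or amount > self.balance or auth_id in self.auths:
            return False
        self.balance -= amount
        self.auths[auth_id] = Authorization(amount, terminal)
        return True

    def confirm_dispense(self, auth_id: str) -> None:
        self.auths[auth_id].dispensed = True

    def reverse(self, auth_id: str, terminal: str) -> bool:
        raise NotImplementedError


class NaiveIssuer(Issuer):
    """Refunds any reversal that names a known authorization, regardless of
    which terminal sent it or whether the notes were already dispensed.
    This is the weakness the scheme relies on."""

    def reverse(self, auth_id: str, terminal: str) -> bool:
        auth = self.auths.get(auth_id)
        if auth is None:
            return False
        self.balance += auth.amount
        return True


class StrictIssuer(Issuer):
    """Accepts a reversal only from the terminal that made the original
    authorization, only while no cash has been dispensed, and only once."""

    def reverse(self, auth_id: str, terminal: str) -> bool:
        auth = self.auths.get(auth_id)
        if (auth is None or auth.reversed or auth.dispensed
                or auth.terminal != terminal):
            return False
        auth.reversed = True
        self.balance += auth.amount
        return True


def run_scheme(issuer_cls, rounds: int = 3, amount: int = 10_000) -> tuple[int, int]:
    """Replays the cycle from the article: top up the card once, withdraw the
    money at an ATM, then send a reversal for that withdrawal from a POS
    terminal. Returns (cash obtained, final card balance)."""
    issuer = issuer_cls(amount)            # the single top-up
    cash = 0
    for i in range(rounds):
        auth_id = f"W{i}"
        if not issuer.authorize_withdrawal(auth_id, amount, terminal="ATM-1"):
            break                          # balance exhausted: the scheme stops
        issuer.confirm_dispense(auth_id)   # the notes are physically out
        cash += amount
        issuer.reverse(auth_id, terminal="POS-7")   # accomplice's POS terminal
    return cash, issuer.balance


if __name__ == "__main__":
    print("naive issuer :", run_scheme(NaiveIssuer))    # (30000, 10000)
    print("strict issuer:", run_scheme(StrictIssuer))   # (10000, 0)
```

Against the naive ledger three rounds yield 30,000 in cash while the card still shows its original 10,000; against the strict ledger the first reversal is rejected, the second withdrawal fails for lack of funds, and the attacker gets only the money he deposited. The strict rule still permits a legitimate reversal: an authorization whose cash was never dispensed can be reversed exactly once, by the terminal that requested it. This is one plausible reading of the control the banks lacked; the post does not say which check the affected issuers were actually missing.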
The official news item about the detention of the eight people is on the Europol website.
More information about ATM hacking and the Tyupkin malware can be found here:
How "Tyupkin" robbed ATMs,
Tyupkin: manipulating ATMs with malicious software,
Attacking an ATM with a Raspberry Pi.
This article is a translation of the original post at habrahabr.ru/post/274679/