A new hacking technique called jackpotting allows cyber criminals to make ATMs spit out cash

ATMs in Europe remotely mass-hacked to spit out cash

Cash machines in at least 14 countries including the UK and the Netherlands have been remotely hacked by an organised gang to spit out cash for rapid collection by the attackers.

The recent cyber attack is described in a report by Russian cyber security firm Group IB, released yesterday. The firm said it marks a significant shift in attackers’ ability to steal money from ATMs, as it requires no immediate physical manipulation of the ATM and allows a large number of machines to be targeted at once.

“They know they will be caught fairly quickly, so they stage it in such a way that they can get cash from as many ATMs as they can before they get shut down,” commented Nicholas Billett, senior director of core software and ATM security at Diebold Nixdorf, one of the world’s largest ATM manufacturers.

Group IB said the perpetrator of this ‘jackpotting’ of cash machines was an Eastern European hacking group known as Cobalt. ATMs in Malaysia, Belarus, Armenia, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, Poland, Romania, Russia and Spain were also affected.

Group IB, however, did not disclose the names of the affected banks. The attack was executed from remote control centres and involved infecting the banks’ systems with malicious software.

Earlier this year, similar attacks were reported from Thailand and Taiwan. “What we are seeing demonstrated is the new model of organised crime,” said Shane Shook, an independent security consultant who helps banks and governments investigate cyber attacks and reviewed Group IB’s findings. 

While in the past attackers were only able to target a few cash machines at once or relied on stealing customers’ payment card numbers and online banking credentials, they can now efficiently penetrate banks’ networks to steal money on a much larger scale. 

Earlier this month, the UK’s Tesco Bank became the first western-world victim of a large-scale bank hack. The bank, owned by retail giant Tesco, was forced to completely shut down online banking for its customers and later revealed that up to £2.5m had been stolen from the accounts of 9,000 of its clients.

Taiwan’s First Bank lost $2.5m this summer in the ATM hack, while Thailand’s state-run Government Savings Bank was robbed of $350,000. A February attack on servers at Bangladesh’s central bank that controlled access to the SWIFT messaging system yielded more than $81m in one of the biggest digital heists on record. Russian banks lost over $28m in a series of wire-fraud cases that were identified earlier this year.

“We have been working actively with customers, including those who have been impacted, as well as developing proactive security solutions and strategies to help prevent and minimise the impact of these attacks,” said Owen Wild, global marketing director for enterprise fraud and security at NCR, which also makes cash ATMs.

Group IB said the Cobalt group used tools and techniques similar to those of a well-known cyber-crime gang dubbed Buhtrap, suggesting the two might be connected. Buhtrap stole 1.8 billion roubles ($28m) from Russian banks from August 2015 to January 2016 through fraudulent wire transfers.
