As ATMs have become ubiquitous, so too have attacks that turn these automated tellers into robotic thieves. In July 2016, a group of masked cyber-criminals cashed out 34 ATMs operated by the First Commercial Bank, one of Taiwan’s largest banks. The criminals collected more than 83.27 million New Taiwan dollars (US$2.6 million) in cash — without using ATM cards. They did not physically damage the ATMs, nor did they use skimmers or bank cards. According to CCTV footage, the thieves used cellphones to trigger the ATMs to automatically dispense money. The Wall Street Journal reports that twenty-two people, most from Eastern Europe, waited by ATMs to remove the money. Three suspects were later arrested and over NT$77 million recovered.
Following this, criminals used a similar scheme in August to steal 12 million baht (US$350,000) from the Government Savings Bank ATMs in Thailand. In September, the same kind of attack was detected in Europe; however, this fact was not made public. The criminals programmed bank ATMs to spew cash. Gang members stood in front of the machines at the appointed hour and collected millions of dollars. The Wall Street Journal has reported that the threat could be linked to malicious software used by the Russian gang Buhtrap, which is known for stealing money through fraudulent wire transfers.
To perform a logical attack, hackers access a bank’s local network, which is then used to gain total control over the ATMs in its system. Cash machines are then remotely triggered to dispense money, allowing criminals to steal large amounts with relative ease. With full control over ATMs, criminals can choose the exact attack time to loot newly filled ATMs. This results in millions of dollars lost, as in the case of the First Commercial Bank. Sometimes the hackers break into the systems that process transactions on banking payment networks; other times they have hit ATM networks directly.
The computer code for the attacks was released recently by a member of Buhtrap and is now being used by others. In addition, another group called Cobalt has begun to carry out attacks on banks in Europe and Asia as well, The Wall Street Journal reported. Cobalt has reportedly been active since June 2016. Its key targets are ATM control systems. As of September 2016, the group is believed to have attacked banks in Russia, the UK, the Netherlands, Spain, Romania, Belorussia, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, and Malaysia.
Earlier this month, the Federal Bureau of Investigation (FBI) warned U.S. banks of the potential for similar attacks. The FBI said in a bulletin that it is “monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector.” The FBI reported hackers used “phishing” emails to break into the Taiwan and Thailand banks. The emails were designed to look like messages from ATM vendors or other banks, The Wall Street Journal reported.