Money mule connects to ATM, boss issues command from afar

Jan 7, 2015 16:43 GMT  ·  By

Cybercriminals have resorted to a simple yet effective attack that makes ATMs dispense the cash stored in their cassettes without a card being inserted, relying on commands sent through a Samsung Galaxy 4 phone.

The model of smartphone is irrelevant to the success of the robbery, as the phone is used only to relay commands to the machine from another individual at a distant location.

Physical access to the machine is required

The cybercriminals target ATMs that are poorly protected from unauthorized access, such as standalone units in dimly lit places, because they need to gain physical access to the internals of the system.

Basically, the cybercriminals disconnect the cash dispenser from the computer it is attached to and connect the smartphone in its place.

In one case, the perpetrators also attached a USB-connected circuit board to the system, probably in an attempt to trick the computer into believing it was still connected to the cash dispenser. However, this device was not necessary for the criminal operation to succeed.

Such incidents, called “black box attacks,” have been conducted against units made by NCR, a major player in this market, security blogger Brian Krebs reports.

The company’s products have been targeted in the past by a different logical attack, which involved gaining access to the CD-ROM drive of the ATM's computer and loading a piece of malware that allowed control of the machine.

Kaspersky analyzed the malware, dubbed Tyupkin, and at the beginning of October 2014 published details on how the cybercriminals ran the operation.

Speaking to Charlie Harrow, solutions manager for global security at NCR, Krebs learned that NCR had some trouble working out how the commands reached the dispenser, since the mobile phone was itself receiving its commands from a remote server.

New firmware released for NCR machines

Only two black box attacks have been recorded by NCR thus far, but the company has already issued a firmware update to its customers that strengthens the encryption for the communication between the cash dispenser and the computer.

With the update, the encryption key exchange needed for the communication to take place happens only after a specific authentication sequence has been completed.

“All things considered, this is a pretty cheap attack,” Harrow said. “If you know the right commands to send, it’s relatively simple to do. That’s why better authentication needs to be there,” he added.

Another change included in the update blocks rolling the firmware back to an earlier version, which would otherwise make the machine vulnerable again.
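The two countermeasures described above, an authentication sequence before any session key exists and a refusal to downgrade firmware, can be modelled in a few lines. The following is an added toy example written for this article, not NCR's protocol or code: it assumes a shared secret provisioned in both the ATM computer and the dispenser, uses an HMAC challenge-response in place of whatever NCR actually deployed, and shows why a device plugged into the dispenser cable without that secret gets no cash.

```python
import hashlib
import hmac
import secrets

class Dispenser:
    # Toy dispenser controller: honours commands only from an authenticated host.
    def __init__(self, shared_key: bytes, firmware_version: int):
        self.key = shared_key            # assumed secret provisioned in both host PC and dispenser
        self.firmware_version = firmware_version
        self.session_key = None          # set only once the host answers a challenge correctly
        self.pending_nonce = None

    def challenge(self) -> bytes:
        # Whatever is on the cable gets a fresh nonce; no session until it answers correctly.
        self.pending_nonce = secrets.token_bytes(16)
        return self.pending_nonce

    def authenticate(self, response: bytes) -> bool:
        if self.pending_nonce is None:
            return False
        expected = hmac.new(self.key, self.pending_nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        # The session key is derived only after the authentication sequence succeeds;
        # a failed attempt also tears down any earlier session.
        self.session_key = hashlib.sha256(self.key + self.pending_nonce).digest() if ok else None
        self.pending_nonce = None
        return ok

    def dispense(self, amount: int, tag: bytes) -> bool:
        # A device that never authenticated has no session key, so a bare command is refused.
        if self.session_key is None:
            return False
        msg = f"DISPENSE:{amount}".encode()
        return hmac.compare_digest(hmac.new(self.session_key, msg, hashlib.sha256).digest(), tag)

    def update_firmware(self, version: int) -> bool:
        # Anti-rollback: refuse any image that is not newer than the installed one.
        if version <= self.firmware_version:
            return False
        self.firmware_version = version
        return True


def host_dispense(disp: Dispenser, key: bytes, amount: int) -> bool:
    # Host PC side: answer the challenge, then MAC the dispense command under the session key.
    nonce = disp.challenge()
    if not disp.authenticate(hmac.new(key, nonce, hashlib.sha256).digest()):
        return False
    session_key = hashlib.sha256(key + nonce).digest()
    return disp.dispense(amount, hmac.new(session_key, f"DISPENSE:{amount}".encode(), hashlib.sha256).digest())
```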