Researchers have revealed how cyber-thieves sliced into cash machines in order to infect them with malware earlier this year.
The criminals cut the holes in order to plug in USB drives that installed their code onto the ATMs.
Details of the attacks on an unnamed European bank's cash dispensers were presented at the hacker-themed Chaos Computing Congress in Hamburg, Germany.
The crimes also appear to indicate the thieves mistrusted each other.
The two researchers who detailed the attacks have asked for their names not to be published.
Access code
The thefts came to light in July after the lender involved noticed several of its ATMs were being emptied despite their use of safes to protect the cash inside.
After surveillance was increased, the bank discovered the criminals were vandalising the machines to use the infected USB sticks.
Once the malware had been transferred they patched the holes up. This allowed the same machines to be targeted several times without the hack being discovered.
To activate the code at the time of their choosing the thieves typed in a 12-digit code that launched a special interface.
Analysis of software installed onto four of the affected machines demonstrated that it displayed the amount of money available in each denomination of note and presented a series of menu options on the ATM's screen to release each kind.
The researchers said this allowed the attackers to focus on the highest value banknotes in order to minimise the amount of time they were exposed.
But the crimes' masterminds appeared to be concerned that some of their gang might take the drives and go solo.
To counter this risk the software required the thief to enter a second code in response to numbers shown on the ATM's screen before they could release the money.
The correct response varied each time and the thief could only obtain the right code by phoning another gang member and telling them the numbers displayed.
If they did nothing the machine would return to its normal state after three minutes.
The researchers added the organisers displayed "profound knowledge of the target ATMs" and had gone to great lengths to make their malware code hard to analyse.
However, they added that the approach did not extend to the software's filenames - the key one was called hack.bat.
From BBC