ATMs are literally boxes of cash—too good for criminals of any stripe to pass up. When ATMs first emerged, thieves used brute-force tools like crowbars, explosives, and propane torches to remove the ATM machine itself or get at the cash inside. As recently as April, three men were charged in Salt Lake City, UT, for trying to blow up ATMs and steal the cash.
Brute-force methods might net a street criminal several thousand dollars, but trying to destroy or remove an ATM machine, or hold up a cash loader, carries a high amount of risk for a relatively limited reward.
ATM thieves quickly adopted more sophisticated tools, such as skimming devices, "shimming" techniques, and jackpotting attacks to steal card data, PINs, and cash. The newest step in attackers' evolving portfolio of bank robbery techniques is a network-based ATM cyberattack. Attackers can break into institutions' corporate networks from anywhere, steal customer information, and manipulate ATMs to enable cash withdrawals by a mule on the street.
Using APT tactics, attackers secure bigger gains
Network-based attacks are easier and safer (for the thieves). In 2017, a Turkish Hacker was convicted for a series of attacks in which he successfully made off with $55 million in cash from ATM robberies in at least 24 countries. Because it was cash, the money was untraceable—just gone.
Cyber-thieves gain access to bank networks through spearphishing attacks, compromised consumer accounts, or insider assistance. Once inside, they search for credentials and connections that offer a path to ATM management, card processing, and wire transfer systems. With inside access, they can launch large-scale malware infections of ATMs, steal card information, or manipulate account data. Why open just the ATM and grab thousands of dollars when, by accessing a network of resources, you can make off with millions?
Organized cybercrime groups, like MoneyTaker and the Cobalt group have done just that. In 2016, the Cobalt group stole more than $2 million from First Bank (Taiwan) ATMs. From 2016 through 2017, MoneyTaker conducted more than 20 successful attacks on financial institutions and law firms in the US, UK, and Russia—almost completely unnoticed. In the US, MoneyTaker gained access to First Data's STAR network operator portal. Not only did they steal money, they also stole documentation on interbank payment systems.
Stop ATM cyberattacks by stopping lateral movement
The key to executing these more lucrative network-based ATM attacks is to navigate the corporate network without being detected. Once inside the network, attackers conduct extensive reconnaissance and lateral movement in order to reach their jackpot.
Organizations can catch advanced attackers in these early stages through endpoint-based deception technology. Deceptive assets distributed through the network create a fog of deception in which the attacker can't help but make wrong choices and be detected. Using Illusive’s Attack Surface Manager, organizations can also preemptively harden their networks against lateral movement by discovering and removing misplaced domain admin credentials and other elements that could promote an attacker’s ability to traverse the environment. Deception platforms can stop the quiet—and far more dangerous—persistent network-based attacks on ATMs and other payment systems.
For more information, download A Deception Approach to Protecting ATM Networks.