
Thursday, 13 November 2014

ATM Malware Attack: A Lesson Malaysian Banks Never Learn



The Automatic Teller Machine (ATM) is one of the service channels a bank provides to its customers in the modern banking era. For customers, ATMs offer convenience in their banking transactions. Today an ATM is not only for cash dispensing; banks also provide other services through it, such as bill payment, money transfer and prepaid top-up. For robbers and hackers, however, the ATM is a valuable target because of the large amount of money inside it. The amount of money in an ATM varies depending on the bank's policies and the type of machine; on average one machine is normally loaded with RM300,000 to RM600,000.

ATMs are equipped with security features such as a local alarm, a Central Monitoring System (CMS) that raises an alert on any attempted robbery, and CCTV for recording. However, these cover only the physical security of the ATM, and ATM robbery cases still happen.

Lately we can read in the newspapers about quite a number of ATMs being robbed. Previously the "Oxy Gang" was one of the common tactics used by robbers in Malaysia: they use an oxy-acetylene blowtorch to open the machine's cash compartment. The latest robbery incident happened in September 2014. The Star reported that hackers from a Latin American gang exploited flaws in the authentication process to hack into at least 14 ATMs in Selangor, Johor and Malacca and got away with almost RM3mil (The Star, 30 September 2014).

Based on the investigation, Bukit Aman Commercial Crime Investigation Department chief Comm Datuk Mortadza Nazarene told Bernama that the suspects used a computer malware known as "ulssm.exe" to hack into the ATMs. "The suspects were found to have opened the top panel of the machine without using a key and inserted a compact disc into the machine's processing centre, which caused the ATM's system to reboot." He said they then used a keyboard to hack into the system and take out money. According to him, information obtained from the systems engineer of a bank indicated that up to 40 notes could be taken out in a single transaction using this method (The Star, 30 September 2014).



Source: www.malaysianinsider.com
So why do I say that Malaysian banks never learn to protect their ATMs from malware attack? There are three red flags that should have triggered every banking institution to take precautions in protecting their ATMs.


1. The Same Modus Operandi Already Happened in Other Countries
This is not the first time a malware attack has been used to steal money from a banking institution. Similar cases have also been reported in other countries. It was reported that the first incident happened in 2009. In 2010, computer security experts showed that ATM machines can be hacked to spit out money using a hardware kit that costs less than US$100 to make. The ATM's motherboard is protected only by a door, for which you can buy the "universal key" online (*grin*). You can then use a USB port on the motherboard to upload your own software (stored on your USB stick), which changed the device's display, played a tune, and made the machine spit out money.

According to David Emm of Kaspersky Lab, the criminals work in two stages. First, they gain physical access to the ATM and insert a bootable CD to install the Tyupkin malware. After they reboot the system, the infected ATM is under their control and the malware runs in an infinite loop waiting for a command.

There is also another well-known piece of malware, a Trojan horse discovered in 2013 that was used to hack ATMs in Mexico. Amazingly, this malware allowed hackers to simply send an SMS to the compromised ATM. The diagram below shows how the modus operandi works:


Source: www.financetwitter.com
  • Connect a mobile phone to the machine with a USB cable and install the Ploutus Trojan.
  • Send two SMS messages to the mobile phone inside the ATM.
  • The mobile phone attached inside the ATM detects the valid incoming SMS messages and forwards them to the ATM as a TCP or UDP packet.
  • The Network Packet Monitor (NPM) module coded in the Trojan receives the TCP/UDP packet and, if it contains a valid command, executes Ploutus.
  • The amount for cash withdrawal is pre-configured inside the Trojan horse itself.
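Each step of the Tyupkin and Ploutus modus operandi described above leaves a trace on the ATM PC that a bank can monitor for: a boot from removable media behind the top panel, an executable running from outside the vendor's software directory, and a process listening for TCP/UDP commands on a port the ATM application never uses. The audit below is an added example written for this post (not from the original article or from any vendor); the directory names, the approved listener and the port number in the constructed snapshot are assumptions, while "ulssm.exe" is the name quoted in the police statement above.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Baseline assumed for the illustration: the vendor's software directory and the
# only network listener the ATM application is expected to open.
APPROVED_DIRS = (r"C:\Program Files\ATMVendor", r"C:\Windows\System32")
APPROVED_LISTENERS = {("tcp", 443)}  # link to the host processor (assumption)

@dataclass
class Process:
    name: str
    path: str
    listeners: List[Tuple[str, int]] = field(default_factory=list)  # (proto, port)

@dataclass
class Snapshot:
    boot_device: str           # "hdd", "cdrom" or "usb" as reported by the host
    processes: List[Process]

def _in_approved_dir(path: str) -> bool:
    """True when the executable lives directly under an approved directory tree."""
    return any(path.lower().startswith(d.lower() + "\\") for d in APPROVED_DIRS)

def audit(snap: Snapshot) -> List[str]:
    """Return one finding per deviation from the baseline; an empty list means clean."""
    findings = []
    # 1. A bootable CD/USB inserted behind the top panel shows up as a non-HDD boot.
    if snap.boot_device.lower() != "hdd":
        findings.append(f"boot from removable media: {snap.boot_device}")
    for p in snap.processes:
        # 2. Malware dropped by the boot medium runs from an unapproved location.
        if not _in_approved_dir(p.path):
            findings.append(f"unapproved executable: {p.name} ({p.path})")
        # 3. The NPM module waits for TCP/UDP commands on a port the ATM never uses.
        for proto, port in p.listeners:
            if (proto, port) not in APPROVED_LISTENERS:
                findings.append(f"unexpected {proto} listener on port {port}: {p.name}")
    return findings

# Constructed snapshots: a clean ATM and one matching the incident described above.
ATM_APP = Process("atmapp.exe", r"C:\Program Files\ATMVendor\atmapp.exe", [("tcp", 443)])
CLEAN = Snapshot("hdd", [ATM_APP])
COMPROMISED = Snapshot("cdrom", [
    ATM_APP,
    Process("ulssm.exe", r"C:\Windows\ulssm.exe", [("udp", 9999)]),  # port is assumed
])

if __name__ == "__main__":
    for finding in audit(COMPROMISED):
        print("ALERT:", finding)
```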


       
2. Microsoft Stopped Supporting the Windows XP Operating System

Most of the ATMs at Malaysian banks use the Windows XP operating system. On 8th April 2014, Microsoft announced that they no longer support Windows XP. In other words, even if an ATM Trojan horse is discovered one day after the end-of-support date, Microsoft will not release any security patch to plug the threat, period. This should have been a red flag for the banks to do something to ensure their security level is not compromised.

3. Easy Access to the Top Panel of the ATM Machine

As mentioned earlier, in the previous incidents in other countries the malware or Trojan was put into the ATM through the top panel of the machine to get access to the motherboard. Currently, the top panel of most of our ATMs is very easy to remove. This is the gap whose risk our Malaysian banks and the ATM vendors have not realised. Most ATMs protect only the compartment that contains the money, at a high security level, but they forgot that the ATM system inside the machine can easily be accessed without any security measure put in place.

Source : http://www.financetwitter.com/2014/09/here-is-how-malaysian-atms-were-hacked-of-rm3-million-by-latin-ameericans.html

