Authorities in Taiwan are trying to work out how hackers managed to trick a network of bank ATMs into spitting out millions.
Police suspect that two Russian nationals wearing masks cashed out dozens of ATMs operated by Taiwan's First Bank on Sunday and left the country the following day. The crooks stole an estimated T$70m ($2.2m) hours after a typhoon battered the region around Taipei, the Taiwanese capital.
The two (or perhaps at least three) crooks behind the theft didn't use bank cards, judging from security camera footage. Instead, the cybercriminals appeared to gain control of the machines with a "connected device," possibly a smartphone, according to police.
Targeted ATMs were made by German manufacturer Wincor Nixdorf, which admits some of its machines in Taiwan were hacked as part of a "premeditated attack." Three different (unspecified) strains of malware were found on the compromised machines.
First Bank and other Taiwanese banks suspended withdrawals from their ATMs as a precaution following the attack, pending inspections to determine whether any cyber-tampering took place.
Security experts have already come up with some theories to explain how the systematic hack might have been pulled off.
Craig Young, a security researcher in the Vulnerability and Exposures Research Team at security tools firm Tripwire, said: "It may be that attackers have found another ATM jackpotting technique like the ones demonstrated by Barnaby Jack at Black Hat USA 2010. These attacks used malware to reprogram the machine so that a button sequence would dispense cash.
"Some ATMs have network management systems with well-known default passwords, and in many cases thieves access USB ports to load malware from a flash drive. From the description, it sounds like these thieves likely had installed malware ahead of time, enabling a wireless connection to 'jackpot' the ATMs. It is also possible that a vulnerable wireless service could allow unauthorized access from hackers."
Updated at 10:30, 18 July to add: ATM manufacturer Wincor Nixdorf has been in touch to say: "Our industry has knowledge of attacks that have been carried out in a similar manner on ATMs of various origins – of which both banks and manufacturers are aware.
"In this recent case, the police, the banks and experts from Wincor Nixdorf are currently collaborating on investigating the details of the attack. We have dispatched security experts to support the local teams. As the investigation is still ongoing, we aren't able to provide detail into. To this point, however, we have no indication that the ATMs themselves were the primary injection point for the malware attack."