Cybercriminals Steal from ATMs Without Malware
Experts from the antivirus company Kaspersky Lab have detected a new wave of ATM thefts, dubbed KoffeyMaker. Throughout this year, criminals have been emptying ATMs in Eastern European countries using nothing more than laptops and a couple of legitimate programs. One of these was a modified version of KDIAG, a utility for testing the cash dispenser; the same modified build had previously been used by the Carbanak cybercriminal group.
The KoffeyMaker heist method is similar to Cutlet Maker, but this time, the criminals did not need any malware. All the necessary tools and instructions could be downloaded from specialized websites. To carry out the attack, the perpetrators had to physically open the ATM and connect their laptop directly to the dispenser via USB. After that, the criminal would leave their device inside the ATM, close it up, and walk away. The laptop was then controlled remotely.
Dispenser drivers pre-installed on the laptop “tricked” the ATM: the dispenser accepted the external laptop as if it were the ATM’s own computer. The attacker would then run the modified KDIAG utility, which let them dispense all of the cash at the moment of their choosing. They returned at the agreed time to collect the money and came back later to retrieve the laptop.
“No malware was used in these robberies, and the laptops connected to the dispensers were taken away by the criminals after the operation. This makes it extremely difficult to determine who is behind the incidents or whether it’s a new group or isolated cases,” says Sergey Golovanov, lead antivirus expert at Kaspersky Lab. “These incidents once again confirm that criminals don’t need deep IT knowledge. More and more often, they choose legitimate tools to achieve their goals and remain unnoticed.”
How to Protect Against Such Attacks
To counter this type of attack, the link between the dispenser and the ATM’s computer must be protected so that no unauthorized person or device can issue commands over it: the cabinet and the dispenser’s cable and port should be physically secured, and, where the hardware allows it, the traffic between the dispenser and the computer should be encrypted and authenticated so that the dispenser only obeys commands from the computer it was paired with. That measure defeats the core of the KoffeyMaker method, the substitution of the attacker’s laptop for the ATM’s own control computer.
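The following is an added illustration, not code from Kaspersky Lab or from any ATM or dispenser vendor. It is a constructed simulation of what an authenticated dispenser channel buys: the dispenser holds a key provisioned at pairing time, accepts a dispense command only if it carries a valid HMAC under that key, and rejects replays with a monotonic counter. The wire format, class names and the choice of HMAC-SHA256 are assumptions for illustration; real dispensers implement the equivalent in firmware on top of the vendor’s own protocol, and confidentiality can be layered on top of the authentication shown here.

```python
"""Constructed simulation (not vendor code) of a dispenser that only obeys
commands authenticated by the ATM computer it was paired with.

Assumed wire format:  counter (8 bytes, big-endian) | amount (4 bytes) | HMAC-SHA256 tag (32 bytes)
"""
import hashlib
import hmac
import os
import struct

BODY_LEN = 8 + 4
TAG_LEN = 32


class DispenserRejected(Exception):
    """Raised by the dispenser for any command it refuses to execute."""


class Dispenser:
    """Cash dispenser holding the pairing key provisioned at installation."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key
        self._last_counter = 0      # highest counter accepted so far (anti-replay)
        self.cash_out = 0           # total cash dispensed, for the demo/test

    def handle(self, msg: bytes) -> int:
        if len(msg) != BODY_LEN + TAG_LEN:
            raise DispenserRejected("malformed")
        body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
        # Constant-time tag check: a laptop with the right drivers but no key fails here.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise DispenserRejected("bad tag")
        counter, amount = struct.unpack(">QI", body)
        # A captured, genuine command replayed later fails here.
        if counter <= self._last_counter:
            raise DispenserRejected("replay")
        self._last_counter = counter
        self.cash_out += amount
        return amount


class AtmController:
    """The ATM's own computer (or an attacker's laptop, if given a different key)."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key
        self._counter = 0

    def dispense_cmd(self, amount: int) -> bytes:
        self._counter += 1
        body = struct.pack(">QI", self._counter, amount)
        return body + hmac.new(self._key, body, hashlib.sha256).digest()


def demo() -> dict:
    """Run three scenarios: the paired computer, a rogue laptop, and a replay."""
    key = os.urandom(32)            # assumed: provisioned at pairing, stored in dispenser firmware
    dispenser = Dispenser(key)
    legit = AtmController(key)
    results = {}

    # 1. The paired ATM computer dispenses normally.
    genuine_cmd = legit.dispense_cmd(100)
    results["legit"] = dispenser.handle(genuine_cmd)

    # 2. An attacker's laptop speaks the protocol but has no pairing key.
    rogue = AtmController(os.urandom(32))
    try:
        dispenser.handle(rogue.dispense_cmd(1000))
        results["rogue"] = "accepted"
    except DispenserRejected as exc:
        results["rogue"] = str(exc)

    # 3. The attacker replays a captured genuine command.
    try:
        dispenser.handle(genuine_cmd)
        results["replay"] = "accepted"
    except DispenserRejected as exc:
        results["replay"] = str(exc)

    results["cash_out"] = dispenser.cash_out
    return results


if __name__ == "__main__":
    print(demo())
```

Without the key check, the rogue controller’s command would be indistinguishable from the real computer’s, which is exactly the gap KoffeyMaker exploits; the counter is what stops an attacker who merely records a legitimate dispense on the cable and plays it back.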