London Police Arrest ATM Malware Suspect

Attacks Compromised Standalone ATMs
London Police Arrest ATM Malware Suspect
Officers prepare to make the arrest. (Credit: City of London Police)

London police have arrested a suspect on charges that he participated in a series of ATM malware attacks that resulted in the theft of £1.6 million ($2.6 million) from 51 cash machines over the course of a three-day holiday weekend in May.

See Also: Webinar | Key Trends in Payments Intelligence - Machine Learning for Fraud Prevention

The 37-year-old suspect hasn't been named by authorities. But based on a months-long investigation, police say that an Eastern European crime gang appears to be behind the attacks.

"An extensive, intelligence-led investigation has uncovered what we believe is an organized crime gang systematically infecting and then clearing cash machines across the U.K., using specially created malware," says Detective Inspector Dave Strange, who heads the London Regional Fraud Team. That's composed of detectives from London's three police forces - British Transport Police, City of London Police and the Metropolitan Police Service.

The arrest follows Interpol's issuance earlier this month of an alert that attackers had successfully installed malware on 50 ATMs in Eastern Europe (see Malware Attacks Drain Russian ATMs). Interpol warned that the attacks could spread globally, and just one week later, reports surfaced of more so-called jackpotting ATM malware attacks in Western Europe.

The suspect's attacks against the U.K. ATMs - better known as "cash points" - were largely centered in London, which is where 30 of the malware-compromised machines were located, police say. But the attacks stretched across England, also infecting machines in Blackpool, Brighton, Doncaster, Liverpool, Portsmouth and Sheffield.

The attacks came to light after being reported by the victims, which in this case were private operators of standalone ATMs, police say.

ATM Malware Targets U.K.

A City of London Police spokeswoman says officials know the type of malware that was used in the recent ATM attacks, but so far they are declining to reveal details. Information security experts say criminals targeting ATMs have increasingly been switching from skimming attacks to malware attacks (see ATM Malware: Hackers' New Focus).

Troels Oerting, head of Europol's European Cybercrime Center, has said that ATMs are an obvious target for cyber-savvy attackers, because successfully installing malware can enable criminals to create their own personal "money machines," cashing them out in mere minutes.

Technically speaking, it isn't difficult to develop malware that exploits ATMs, Brian Honan, a Dublin-based information security consultant who also serves as a cybersecurity adviser to Europol, tells Information Security Media Group. "Once you know what operating system is in place on the ATM and what security mechanisms are in place, such as anti-virus and/or whitelisting software, it can be relatively straightforward to develop malware for any platform, be that an ATM or any other device," he says.

Physical Security Questions

But ATM security relies largely on the physical security of the machines themselves. Indeed, the U.K.'s ATM Security Working Group recommends ATM operators follow a number of physical-security guidelines, including making sure that the ATM is always visible by staff and watched using video-monitoring devices.

"As with all computers, if you do not control and manage physical security to them you are at a greater risk of the device being compromised," Honan says.

But for these malware attacks, the physical security fault may not lie with the merchants whose stores offer an ATM. "We should remember shop owners may not have any control over these machines, but rather rely on the ATM supplier and vendor to conduct the necessary maintenance and ensure the security of the devices," Honan says.

Of course, attackers who can gain physical access to an unattended ATM can do more than just install malware. At last week's Black Hat Europe conference, for example, two penetration-testing experts demonstrated an attack that used a low-cost Raspberry Pi computer (see Hacking ATMs: No Malware Required).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.