Hackers were able to steal an estimate $346,000 from ATMs in Thailand using a previously unknown form of malware. Cyber security experts are now calling the malware RIPPER based on information found in the source code. The discovery highlights the growing sophistication of ATM attacks and the vulnerable nature of these machines in general.
The group responsible for the Thai ATM attacks loaded the malware onto machines operated by the state-run Government Savings Bank beginning in July. This was in the wake of a similar attack that netted $2.5 million earlier this year.
RIPPER was first discovered on August 23 by the IT security company FireEye. The malware contains a number of features noted in other types of ATM malware including the ability to target a specific brand of ATM, control the card reader, disable the ATM connection to the network, and automatically withdraw the maximum amount of currency.
Several new features were also discovered that have experts concerned about the safety of ATMs worldwide. RIPPER is uniquely able to target three of the largest international ATM vendors, potentially putting tens of thousands of machines at risk. It is also notably harder to detect and remove compared to previous forms of malware.
Once the malware is present on a machine, a member of the criminal group responsible can interact with it using the pinpad. They have the option to erase data from the machine, disconnect it from the local network, reboot the system, or dispense currency, among other commands.
Researchers from FireEye noted that “This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices. In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical.”
Police were able to catch a number of suspects related to the earlier attack, including nationals from Latvia, Romania, and Moldova. They were also able to recover close to $2.3 million of the stolen currency. However, five Russian suspects were able to flee internationally. The location and full scope of the gang is not yet known.
Thailand is one of the most frequently target countries for cyber criminals located both within the borders and in locations around the world. The current government has vowed to crack down on these attacks as part of a program named “Good guys in, bad guys out”. The first major victory from this program came in July when Thai authorities in partnership with the FBI apprehended a couple believed to be running a hacking ring that stole $29 million from bank accounts.