Monday, December 6, 2010

Cybergang infects all ATMs in Russian city

from help net security ...

A group of fraudsters has been arrested in Yakutsk and Moscow for allegedly compromising all the ATMs in the city of Yakutsk - population: around 210,000 - in the Republic of Yakutia in the Russian Federation.

Three of the men formed the actual criminal group, and the fourth - a Moscow-based malware developer - was "subcontracted" by them and received 100,000 rubles (some $3200) to develop a a custom ATM virus with which they would infect the devices.

Every man had his role in the operation: one who used to work as a head of an IT department obtained access to the ATMs, the second one - a system administrator - infected them, and the third one was supposedly intended to be the money mule.

According to the press release (Google translation) issued by the Ministry of Internal Affairs' cybercrime division, a coordinated raid of the three's apartments led to their arrest and the confiscation of copies of the malware and credit card information that - according to the investigators - they didn't have time to take advantage of.

The malware author was arrested in Moscow a week after. All four have been detained and will likely be charged for creation, use and distribution of malicious computer programs, and hopefully fraud.


this is not good .....

12 comments:

Gabrielle Miller said...

The two aspects of this story which I find most unbelievable are 1- the fact that only four men were involved and 2- how they were able to infect every ATM in a city. The ease with which these modern day fraudsters conduct their illegal activities is really terrifying.

A comment posted in response to one particular article on the case read, "Why aren't they just a "gang"? Is it because this crime has to do with technology and is, therefore, magically different than any other crime?" I think this comment represents the widespread ignorance about just how detrimental cyber crime (etc) really is. Just four men were able to take control of an entire city's worth of ATMs - so yes I think that this is "magically different" than any other crime.

My question is - how did they manage to get caught? None of the articles I read on the case explained how the police were able to catch them.

Tevans said...

I'd like to know a little more about the charges brought against these guys. What does the legislation (in both Russia and the US) look like when it comes to the "creation, use and distribution of malicious computer programs"?

Kaley said...

An interesting aspect about this case is how the criminals still needed to have physical access to the ATM machines, gained via the credentials of the one who was "head of an IT department", in order to upload their custom virus.

This raises two interesting points - one, how much scarier would it be if they hadn't needed physical access to the ATM systems in order to put a bug like this together? It would be much harder to attribute and ultimately bring in those responsible.

Two, this shows how successful cyberattacks often still need a human actor to put them in motion. It's not a stretch to imagine cyber-aggressors (whether criminal or governmental) targeting individuals they suspect having access to the system they wish to infiltrate or attack in order to get them (willingly or unknowingly) to drop the malware payload.

Ryan said...

Does nobody find it amazing that this virus was developed for a mere $3,200? Nobody goes through this process to simply scam people of a few thousand dollars...I can only imagine the hundreds of thousands (or even millions?) of dollars the other three men were planning on transferring to their personal accounts.

On a note related to policy/punishment....I'm curious as to the varying degree of time each of the defendants will serve depending on their specific role. For instance, does the money mule serve less time than the malware developer? Or is the actual role thrown out the window and all of them are in the same boat?

Adam Fine said...

This article was really interesting, and prompted me to look into similar cases. An article from wired.com (http://www.wired.com/threatlevel/2009/06/new-atm-malware-captures-pins-and-cash/) has a link to a pdf that provides the details on how these types of malware actually work. The article also mentions that researchers have discovered that ATM malware is tested in one country and once proven executable, is then transferred into other countries such as the U.S. This is alarming because attacks like this one in Russia that appear to be by just 4 or 5 people have parallel cases where they may be orchestrated by many more people across national boundaries.

David Hernandez said...

From this story, it seems like theft in almost every aspect just seems to be getting easier. The simplicity of the procedure was presented as something almost any group of technologically savvy individuals could accomplish which shouldn't be the case. Have there been similar cases in the US that were as easily accomplished but successful? And one has to consider that there's a possibility that the malware developer could've sold the other men out since he didn't get arrested until a week later and was only given $3200 to create the virus that infected EVERY atm. I also wonder if this was the first step, maybe used as a test, in preparation for a much larger maybe even global project.

Sean Delaney said...

This is a very scary development for a number of reasons.

The first, which has been mentioned in detail by other members of the class, is (a) the relative cheapness of developing and implementing this piece of malware and (b) the huge potential for identity theft.

The secondary effect of this type of malware is potentially even more frightening. Think about the implications on cash velocity and the consequent effect on consumer buying habits. If this type of malware becomes commonplace, and people believe that ATM's are untrustworthy, that could have a crippling effect on overall economic growth.

Morgan Falzone said...

Like Ryan, I’m curious to see how each member is reprimanded. Even though the malware developer was brought into the group, I almost think he should be one of the most severely punished. He’s demonstrated he has the ability create a large-scale attack, and he seemed to have no qualms selling his service. Without him (or any other malware developer), the other criminals wouldn’t have been able to succeed.
It’s also frightening to think about what could happen if the criminals weren’t greedy and just wanted to cause damage. What if they decided to just shut down every ATM in the city? Or if they decided to shut down the entire automated banking system. I’m sure it would be incredibly complex, but I’m also sure there is someone (or many someones) out there with the capability to do it. Would it be possible to even erase all the banks records? The resulting panic, outrage, and confusion would be devastating and would not be easy to come back from. But then again, maybe I’m being extreme and we have another year or two before someone develops the technology to take down a bank indefinitely.

Patrick Gordon said...

Reading all of these comments, I thought many of the same things, but one particular aspect that Kaley touched upon was that they needed physical access to a machine. The one issue that bugged me with this article was the treatment of the term malware. We've spoken countless times in class about phishing and various other manners of malware such as worms, etc. I had a hard time fitting what was done in this instance into that concept of malware. Certainly, to take the simple definition of malware as any sort of software designed to surreptitiously changed something for the worse, then yes, it does fit. My problem was with reconciling the notion I have of a link in an email or an infected PDF. To me, this example just seems like what we talked about with putting card readers and pinhole cameras. Granted, the scope of this operation was much more systemic rather than focusing on one or two ATMs, and that is surely frightening. What makes this example interesting is that it is a hybrid example of malware in my mind. It's not solely conducted computer to computer. Rather, it requires, in this case an inside man, physical guidance of the "malware" and then it may perform in the manner of how we usually see malware. Furthermore, this example reminds me almost of a Zeus Junior rather than the manner I'm used to reading about malware. A final striking thing to me was that I frankly never thought about the physical ATM falling victim to malware, as many have stated on this blog.

Patricia Kehoe said...

Yes it is frightening to put myself in the shoes of a Russian citizen denied access to my money.. but I wonder what an increase in the number of attacks like this will do to force Russia into action against its cyber-crime syndicate. It is easy to say "we have no control over what they do, sorry..." when the attacks target U.S. and Western European citizens, but I imagine there is going to be a political backlash if Russia doesn't make a public effort to enhance its domestic cyber-security.

Christ Mika said...

What I don't understand is how the criminals were actually found out! According to the report, the men did not have time to take advantage of the credit card information which they stole. If they had not yet begun to leak money off of their victims' accounts, how did the authorities discover their actions?

(Unless I'm missing something obvious here) The only ways I could see this playing out are: 1. the had human intelligence notifying them the crime was being committed; 2. the malware developer had made a serious error in his coding, which caused the ATM system to act differently than it is supposed to, raising alarm and an investigation; or 3. they criminals HAD actually used the information, and stolen enough money for the authorities to notice their actions.

But....it's Russia. And in Russia, anything goes.

Diana Sainvil said...

I find it very interesting how these men were able to compromise all the ATMs in the city of Yakutsk. I didn’t not it was possible for someone to create a virus to infect this virus or it’s just maybe I am not aware of the things people can do to computers. Its surprising to only know that four men were able to accomplish this tasks of infecting every ATM in the city. My question is: How did these men get caught? Are the ATMs back to normal now? What happens to the money the company lost from these ATMs?