Channel: ATM Archives - Security Affairs

ATMJackpot, a new strain of ATM Malware discovered by experts

A new strain of ATM jackpotting malware dubbed ATMJackpot has been discovered by experts at Netskope Threat Research Labs.

The malware is still under development and appears to have originated in Hong Kong; it has a smaller system footprint than similar threats.

“Netskope Threat Research Labs has discovered a new ATM malware, “ATMJackpot.” The malware seems to have originated from Hong Kong and has a time stamp on the binary as 28th March 2018.” reads the analysis published by the experts at Netskope.

“It is likely that this malware is still under development. Compared with previously-discovered malware, this malware has a smaller system footprint,”

Besides the smaller system footprint, the malware has a simple graphical user interface that displays a limited amount of information: the hostname and the service provider information for the cash dispenser, the PIN pad, and the card reader.

[Image: ATMJackpot malware]

At the time of writing, the attack vector for the ATMJackpot malware is not clear; usually this kind of malware is installed manually via USB on the ATM, or downloaded over the network onto an already compromised machine.

“ATM Malware propagates via physical access to the ATM using USB, and also via the network by downloading the malware on to already-compromised ATM machines using sophisticated techniques.” continues the analysis.

ATMJackpot first registers the Windows class name ‘Win’ with a window procedure that implements the malware activity; then the malicious code creates the window, populates the options on the window, and initiates the connection with the XFS manager.

The XFS manager exposes an API that allows the ATM devices of different vendors to be controlled in a uniform way. The malware opens a session with the service providers and registers to monitor events, then it opens sessions with the cash dispenser, the card reader, and the PIN pad service providers.

Once the sessions with the service providers are opened, the malware is able to monitor events and issue commands.

Experts believe authors of the malware will continue to improve it and they expect it will be soon detected in attacks in the wild.

The number of ATM jackpotting attacks has been increasing in recent years. In January, the US Secret Service warned that cybercriminals were targeting ATMs in the US, forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.

In May 2017, Europol arrested 27 people for jackpotting attacks on ATMs across Europe, and in September 2017 Europol warned that ATM attacks were increasing.

Criminal organizations are targeting ATMs through the banks’ networks; the operations involve squads of money mules for the cashout.

“The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately,” said Steven Wilson, head of Europol’s EC3 cyber crime centre.

A few weeks ago, the alleged head of the Carbanak group was arrested in Spain by the police; the gang is suspected of stealing about £870m (€1bn) in a bank cyberheist.

Further information on ATM malware and jackpotting is available here.

Pierluigi Paganini

(Security Affairs – ATMJackpot, jackpotting )

The post ATMJackpot, a new strain of ATM Malware discovered by experts appeared first on Security Affairs.

Symantec shared details of North Korean Lazarus’s FastCash Trojan used to hack banks

North Korea-linked Lazarus Group has been using FastCash Trojan to compromise AIX servers to empty tens of millions of dollars from ATMs.

Security experts from Symantec have discovered a malware, tracked as FastCash Trojan, that was used by the Lazarus APT Group in a string of attacks against ATMs.
The APT group has been using this malware since at least 2016 to siphon millions of dollars from ATMs of small and midsize banks in Asia and Africa.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts that investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

In early October, a joint technical alert from the DHS, the FBI, and the Treasury warned about a new ATM cash-out scheme, dubbed “FASTCash,” used by the Hidden Cobra APT.

Following the above alert, Symantec uncovered the malware used in the FastCash scheme that was designed to intercept and approve fraudulent ATM cash withdrawal requests and send fake approval responses.

“Following US-CERT’s report, Symantec’s research uncovered the key component used in the group’s recent wave of financial attacks. The operation, known as “FASTCash”, has enabled Lazarus to fraudulently empty ATMs of cash. To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the switch application servers handling ATM transactions.” reads the analysis published by Symantec.

“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.”

The malicious code was specifically designed to be injected into a legitimate process on application servers running IBM’s AIX operating system. Symantec discovered that all the switch application servers targeted by the Lazarus APT Group were running unsupported versions of AIX.

[Image: Lazarus APT FASTCash infographic]

The hackers inject a malicious Advanced Interactive eXecutive (AIX) executable, tracked as Trojan.Fastcash, into a network handling ATM transactions. The malware is able to forge fraudulent ISO 8583 messages; ISO 8583 is the standard for financial transaction messaging.

Trojan.Fastcash has two primary functions:

  1. It monitors incoming messages and intercepts attacker-generated fraudulent transaction requests to prevent them from reaching the switch application that processes transactions.
  2. It contains logic that generates one of three fraudulent responses to fraudulent transaction requests.

Trojan.Fastcash reads all incoming network traffic, scanning for incoming ISO 8583 request messages; when a Primary Account Number (PAN) used by the attackers is detected, the malware attempts to modify these messages.

The messages are modified differently for each victim organization: the malicious code generates a fake response message approving the fraudulent withdrawal request. In this way, the hackers get their attempts to withdraw money via an ATM approved without the switch application ever seeing the transaction.

Symantec has discovered multiple versions of the FastCash Trojan, each implementing different response logic tailored to a specific transaction processing network.
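The defensive takeaway from the mechanism described above is that a forged approval never reaches the switch application, so the switch's own transaction log has no record of it. The following is an added example, not Symantec's or the bank's code: it parses a simplified ASCII ISO 8583 subset (MTI, primary bitmap, PAN, processing code, amount, STAN, response code, terminal ID; all field formats and the sample traffic are constructed for the example) and flags approved 0210 responses seen on the ATM-facing segment whose (terminal, STAN) pair the switch never processed.

```python
"""Detecting forged ISO 8583 approvals on an ATM switch segment.

Added example, not Symantec's code. Assumes a simplified ASCII ISO 8583
encoding (4-char MTI, 16-hex-char primary bitmap, a handful of fields) and
that traffic on the ATM-facing segment can be compared with the switch log.
"""

# Subset of ISO 8583 data elements used here: number -> (format, length).
FIELD_SPEC = {
    2: ("LLVAR", 19),   # Primary Account Number (PAN), max 19 digits
    3: ("FIXED", 6),    # Processing code
    4: ("FIXED", 12),   # Transaction amount, minor units
    11: ("FIXED", 6),   # System Trace Audit Number (STAN)
    39: ("FIXED", 2),   # Response code, "00" = approved
    41: ("FIXED", 8),   # Card acceptor terminal ID
}

APPROVED = "00"


def build_iso8583(mti, fields):
    """Serialise MTI + primary bitmap + fields for the subset in FIELD_SPEC."""
    bits = 0
    body = []
    for number in sorted(fields):
        kind, length = FIELD_SPEC[number]
        value = str(fields[number])
        if kind == "LLVAR":
            if len(value) > length:
                raise ValueError(f"field {number} too long")
            body.append(f"{len(value):02d}{value}")
        else:
            if len(value) != length:
                raise ValueError(f"field {number} must be {length} chars")
            body.append(value)
        bits |= 1 << (64 - number)   # bit 1 is the most significant bit
    return mti + format(bits, "016X") + "".join(body)


def parse_iso8583(message):
    """Parse a message built with the same subset; rejects unknown fields."""
    mti, bitmap, pos = message[:4], message[4:20], 20
    bits = int(bitmap, 16)
    parsed = {"mti": mti}
    for number in range(1, 65):
        if not (bits >> (64 - number)) & 1:
            continue
        if number == 1:
            raise ValueError("secondary bitmap not supported in this subset")
        if number not in FIELD_SPEC:
            raise ValueError(f"field {number} not in this subset")
        kind, length = FIELD_SPEC[number]
        if kind == "LLVAR":
            length = int(message[pos:pos + 2])   # two-digit length prefix
            pos += 2
        parsed[number] = message[pos:pos + length]
        pos += length
    if pos != len(message):
        raise ValueError("trailing data after last field")
    return parsed


def find_forged_approvals(wire_messages, switch_log):
    """Flag approved 0210 responses the switch application never processed.

    FASTCash-style malware answers the ATM itself, so an approval without a
    matching (terminal, STAN) pair in the switch log is the anomaly to alert on.
    """
    alerts = []
    for message in wire_messages:
        fields = parse_iso8583(message)
        if fields["mti"] != "0210" or fields.get(39) != APPROVED:
            continue
        if (fields[41], fields[11]) not in switch_log:
            alerts.append({
                "terminal": fields[41],
                "stan": fields[11],
                "pan_tail": fields.get(2, "")[-4:],   # never log the full PAN
                "amount": int(fields[4]),
            })
    return alerts


# Constructed sample traffic: a legitimate request/response pair, a declined
# response, and one approval the switch never saw (PANs are made up).
LEGIT_REQUEST = build_iso8583("0200", {2: "4000001234567890", 3: "010000",
                                       4: "000000020000", 11: "000123", 41: "ATM00001"})
LEGIT_RESPONSE = build_iso8583("0210", {2: "4000001234567890", 3: "010000",
                                        4: "000000020000", 11: "000123", 39: "00", 41: "ATM00001"})
DECLINED_RESPONSE = build_iso8583("0210", {2: "4000001111222233", 3: "010000",
                                           4: "000000010000", 11: "000124", 39: "05", 41: "ATM00001"})
FORGED_RESPONSE = build_iso8583("0210", {2: "4000009876543210", 3: "010000",
                                         4: "000000500000", 11: "000777", 39: "00", 41: "ATM00001"})
WIRE_CAPTURE = [LEGIT_REQUEST, LEGIT_RESPONSE, DECLINED_RESPONSE, FORGED_RESPONSE]
# (terminal ID, STAN) pairs the switch application actually processed.
SWITCH_LOG = {("ATM00001", "000123"), ("ATM00001", "000124")}

if __name__ == "__main__":
    for alert in find_forged_approvals(WIRE_CAPTURE, SWITCH_LOG):
        print("forged approval:", alert)
```

Real deployments use binary bitmaps, secondary bitmaps and many more fields; the reconciliation idea (every approval on the wire must have a twin in the switch log) is what carries over.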

Further details, including IoCs, are reported in the analysis published by Symantec.


The interface of WinPot ATM Malware looks like a slot machine

Malware researchers from Kaspersky Lab have detected a new piece of malware dubbed WinPot that was designed to target automated teller machines (ATMs).

Security experts from Kaspersky Lab have discovered a new piece of malware dubbed WinPot that targets ATMs; it could be used by crooks to make an ATM automatically dispense all the cash from its cassettes.

WinPot was first detected in March 2018 when it infected ATMs of a popular vendor.

The malicious code has a user interface that looks like a slot machine: each cassette is represented by a reel numbered 1 to 4. The UI includes a button for each cassette to dispense the cash, along with the banknote value and the number of banknotes inside.

[Image: WinPot ATM malware interface]

The interface has two other buttons, SCAN and STOP. The former rescans the ATM and updates the information in the UI; the latter halts a dispensing operation in progress.

“The criminals had clearly spent some time on the interface to make it look like that of a slot machine.” reads the analysis published by Kaspersky.

“Likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the WinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an ATM) and a button labeled SPIN.”

Researchers from Kaspersky Lab discovered multiple WinPot samples over the past year; the experts observed only minor changes, such as a different packer or a changed time period during which the malware was programmed to work. Like other malware such as Cutlet Maker, WinPot is offered for sale on the Dark Web, at a price of $500 up to $1000.

“One of the sellers offers WinPot v.3 together with a demo video depicting the “new” malware version along with a still unidentified program with the caption “ShowMeMoney”. Its looks and mechanics seem quite similar to those of the Stimulator from the CutletMaker story.” continues the analysis.

“Due to its nature, ATM malware will remain the same except for little changes that will allow:

  • To trick the ATM security systems (using protectors or other ways to make each new sample unique);
  • To overcome potential ATM limitations (like maximum notes per dispense);
  • To find ways to keep the money mules from abusing their malware;
  • To improve the interface and error-handling routines.

The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent execution of unauthorized software on it,” Kaspersky concludes.

Pierluigi Paganini

(SecurityAffairs – POS malware, ATMs.)


Critical RCE affects older Diebold Nixdorf ATMs

Automated teller machine vendor Diebold Nixdorf has released security updates to address a remote code execution vulnerability in older ATMs.

Diebold Nixdorf discovered a remote code execution vulnerability in older ATMs and is urging its customers to install the security updates it has released to address the flaw.

The vulnerability affects older Opteva model ATMs; Diebold Nixdorf will start notifying customers next week.

The security research group NightSt0rm published technical details about the vulnerability in a blog post on Medium. The experts explained that they had access to a Diebold ATM and started analyzing the machine, a simple PC running a Windows OS and exposing some services implemented by the ATM vendor. They focused their analysis on the SpiService service listening on port 8043.

“Look at the output of the command, there is a service (Spiservice) which is running on port 8043. The SpiService.exe is associated with XFS, the Extension for Financial Services DLL library (MSXFS.dll) that is specifically used by ATMs.” reads the post published by the experts. “The library provides a special API for the communication with the ATM’s PIN pad and the cash dispenser.”

The ATM tested by the experts was running Agilis XFS for Opteva version 4.1.61.1. Attempting to connect to the service via a web browser, the experts noticed that it loads many libraries, including one called VDMXFS.dll.

According to Diebold Nixdorf, this service only runs on Opteva version 4.x software; later versions are not affected.

The application calls RemotingConfiguration.Configure and accepts “server.config” as the parameter used to load its configuration. Analyzing the file, the experts discovered that the program uses .NET Remoting, a technique that allows different applications to communicate with each other.

The researchers created two applications to interact remotely with the service and captured the network traffic; in this way they found that the application uses HTTP SOAP for the communication.

The ATM maker released Agilis XFS for Opteva – BulkCashRec (BCRM) version 4.1.22 that doesn’t expose the service’s configuration online.

The experts pointed out that this attack could be prevented by properly configuring the terminal-based firewall that is included in the older versions of Opteva ATMs. The good news is that the firewall is enabled by default; this means that only ATM owners that disabled it are at risk.

The NightSt0rm team attempted to report the issue to Diebold Nixdorf but did not receive a reply.

At the time of writing, there is no news of attacks in the wild that exploited this RCE flaw.

Pierluigi Paganini

(SecurityAffairs – Diebold Nixdorf, ATM)


North Korea-linked malware ATMDtrack infected ATMs in India

Kaspersky experts spotted a new piece of ATM malware, dubbed ATMDtrack, that was developed and used by North Korea-linked hackers.

Kaspersky researchers discovered a new piece of ATM malware, tracked as ATMDtrack, that was developed and used by North Korea-linked hackers.

Threat actors deployed the malware on ATM systems to steal the payment card details of bank customers.

ATMDtrack has been spotted on the networks of Indian banks since late summer 2018; a more sophisticated version, tracked as Dtrack, was involved in attacks aimed at Indian research centers.

“In the late summer of 2018, we discovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the malware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that were inserted into the machines.” reads the analysis published by Kaspersky.

According to Kaspersky, the most recent attacks involving the malware were observed at the beginning of September 2019.

Dtrack was developed to spy on the victims and exfiltrate data of interest; it supports features normally implemented in a remote access trojan (RAT).

Below is a list of some functionalities supported by the Dtrack payload executables analyzed by Kaspersky:

  • keylogging,
  • retrieving browser history,
  • gathering host IP addresses, information about available networks and active connections,
  • listing all running processes,
  • listing all files on all available disk volumes.

The experts were initially able to analyze only the dropped samples, as the real payload was encrypted inside various droppers. The samples were detected because of the unique sequences shared by ATMDtrack and the Dtrack memory dumps.

“At this point, the design philosophy of the framework becomes a bit unclear. Some of the executables pack the collected data into a password protected archive and save it to the disk, while others send the data to the C&C server directly.” continues Kaspersky.

“Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc.”

Once they decrypted the final payload, Kaspersky researchers noticed similarities with the Dark Seoul campaign uncovered in 2013 and attributed to the Lazarus APT group. The attackers reused part of their old code in the recent attacks on the financial sector and research centers in India.

“The most obvious function they have in common is the string manipulation function. It checks if there is a CCS_ substring at the beginning of the parameter string, cuts it out and returns a modified one. Otherwise, it uses the first byte as an XOR argument and returns a decrypted string.” states the analysis.

The discovery of the ATMDtrack malware confirms the intense activity of the Lazarus APT group.

The state-sponsored group continues to develop malware that is used in both financially motivated attacks and cyber espionage operations.

“We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers.” concludes Kaspersky. “And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.”

Technical details, including IoCs, are reported in the analysis published by Kaspersky.

Pierluigi Paganini

(SecurityAffairs – APT, hacking)


A new sophisticated JavaScript Skimmer dubbed Pipka used in the wild

Visa Payment Fraud Disruption warns of a new JavaScript skimmer dubbed Pipka used to siphon payment data from e-commerce merchant websites.

Visa Payment Fraud Disruption warns of a new JavaScript skimmer dubbed Pipka that was used by crooks to steal payment data from e-commerce merchant websites.

Experts discovered Pipka while investigating an e-commerce website that had previously been infected with the Inter JavaScript skimmer. Unlike other skimmers, Pipka has the ability to remove itself from the compromised HTML code after execution, in an effort to avoid detection, Visa notes in a security alert (PDF).

“In September 2019, Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (eTD) program identified a new JavaScript skimmer that targets payment data entered into payment forms of eCommerce merchant websites. PFD is naming the skimmer Pipka, due to the skimmer’s configured exfiltration point at the time of analysis (as shown below in the Pipka C2s).” reads the advisory published by VISA. “Pipka was identified on a North American merchant website that was previously infected with the JavaScript skimmer Inter, and PFD has since identified at least sixteen additional merchant websites compromised with Pipka.”

Similar to Inter, Pipka allows its operators to configure which fields of the target forms it will parse and extract. The skimmer is able to capture the payment account number, expiration date, CVV, and cardholder name and address from the checkout pages of the targeted sites.

In the cases investigated by PFD, the skimmer was configured to check for the payment account number field. Data captured by the skimmer is base64 encoded and then obfuscated with the ROT13 cipher. Before sending the data to the C2, the skimmer checks whether the data string was previously sent, in order to avoid sending duplicates.

Experts noticed that all the samples they analyzed contained the same value for scriptId: ‘#script’. One sample analyzed by the experts was specifically customized to target two-step checkout pages that collect billing data on one page and payment account data on another.

“This sample uses two different lists to target form fields, inputsBill and inputsCard, and the variable curStep to calculate which form’s data is being stored in a cookie instead of the variable name trigger.” continues the advisory.

One of the analyzed samples was thus designed for two-step checkout pages, where billing data and payment account data are collected on different pages.

The Pipka skimmer implements a unique anti-forensics feature: it is able to remove its own code from the HTML of the page that is hosting it.

“The most interesting and unique aspect of Pipka is its ability to remove itself from the HTML code after it is successfully executed. This enables Pipka to avoid detection, as it is not present within the HTML code after initial execution.” states VISA. “This is a feature that has not been previously seen in the wild, and marks a significant development in JavaScript skimming,”

Pipka also uses a new technique to hide the exfiltration of harvested data. The skimmer uses an image GET request, but unlike other skimmers, which load and then immediately remove the image tag, Pipka sets the onload attribute of the image tag. The ‘onload’ attribute executes the supplied JavaScript when the tag is loaded; in this case, that JavaScript removes the image tag once it has loaded.

VISA PFD believes that Pipka will continue to evolve and that its use will increase in the cybercrime ecosystem to target eCommerce merchant websites.

Pierluigi Paganini

(SecurityAffairs – Pipka, software skimmer)


Diebold Nixdorf warns of a wave of ATM black box attacks across Europe

ATM maker Diebold Nixdorf is warning banks of a new ATM black box attack technique that was recently employed in cyber thefts in Europe.

Black box attacks are a type of jackpotting attack aimed at forcing an ATM to dispense the cash by sending a command through a “black box” device.

In this attack, a black box device, such as a mobile device or a Raspberry Pi, is physically connected to the ATM and is used by the attackers to send commands to the machine.

The ATM black box attacks are quite popular in the cybercrime underground and several threat actors offer the hardware equipment and malware that could be used to compromise the ATMs.

This week, Diebold Nixdorf, a leading manufacturer of ATM machines, has issued an alert to customers warning all banks of a new variant of ATM black box or jackpotting attacks.

The alert was issued after Argenta Bank in Belgium was forced to shut down 143 ATMs after a jackpotting attack.

All the compromised machines were Diebold Nixdorf ProCash 2050xe devices. This is the first time that Belgian authorities have observed this criminal practice in the country.

According to a security alert issued by Diebold Nixdorf, and obtained by ZDNet, the new variation of black box attacks has been used in certain countries across Europe.

“In the recent incidents, attackers are focusing on outdoor systems and are destroying parts of the fascia in order to gain physical access to the head compartment.” reads the alert issued by the vendor. “Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker in order to send illegitimate dispense commands. Some incidents indicate that the black box contains individual parts of the software stack of the attacked ATM.”

The experts are still investigating how these portions of the software stack were obtained by the crooks; they speculate that the attackers could have had offline access to an unencrypted hard disk.

The alert includes recommendations for countermeasures, such as:

  • Implement protection mechanisms for cash modules;
  • Implement hardening of the software stack;
  • Limit physical access to the ATM.

Pierluigi Paganini

(SecurityAffairs – hacking, black box)


Crooks stole 800,000€ from ATMs in Italy with Black Box attack

A cyber criminal organization has stolen money from at least 35 Italian ATMs with a black box attack technique.

A criminal organization has stolen money from at least 35 ATMs and Post Office cash dispensers operated by Italian banks with a new black box attack technique.

The Carabinieri of Monza dismantled the gang; the Italian law enforcement agency confirmed that the cybercrime organization stole about 800,000€ in just 7 months using ATM black box attacks.

The Italian Carabinieri identified 12 people: 6 have already been arrested, 3 are currently detained in Poland, one returned to Moldova before being stopped, and 2 may no longer be on Italian territory.

According to local media, the gang had numerous logistical bases in the provinces of Milan, Monza, Bologna, Modena, Rome, Viterbo, Mantua, Vicenza and Parma.

Black box attacks are a type of jackpotting attack aimed at forcing an ATM to dispense the cash by sending a command through a “black box” device.

In this attack, a black box device, such as a mobile device or a Raspberry Pi, is physically connected to the ATM and is used by the attackers to send commands to the machine.

The ATM black box attacks are quite popular in the cybercrime underground and several threat actors offer the hardware equipment and malware that could be used to compromise the ATMs.

Below is the list of the compromised ATMs:

  • UFF PP TT 12/07/2020 BELLUSCO
  • BANCA POPOLARE DI NOVARA 07/16/2020 CRODO
  • BPM 07/18/2020 WEEKLY
  • BPM 07/20/2020 MORAZZONE
  • UFF PP TT 03/08/2020 SANT’ILARIO D’ENZA
  • CASSA SAVINGS 04/08/2020 SAONARA
  • UFF PP TT 08/05/2020 CARUGATE
  • UFF PP TT 08/08/2020 PESSANO CON BORNAGO
  • UFF PP TT 08/18/2020 SEVESO
  • UFF PP TT 08/19/2020 FAGNANO OLONA
  • BBPM 08/21/2020 COMO
  • BANCA INTESA 08/27/2020 GRONTARDO
  • BBPM 01/09/2020 BREMBATE DI SOPRA
  • UFF PP TT 01/09/2020 SIZIANO
  • UFF PP TT 02/09/2020 MELZO
  • UFF PP TT 09/04/2020 CARATE BRIANZA
  • UFF PP TT 07/09/2020 SENAGO
  • UFF PP TT 11/09/2020 BRESCIA
  • BPM 11/09/2020 PARMA
  • UFF PP TT 09/14/2020 BUSNAGO
  • BBPM 09/18/2020 ROZZANO
  • BBPM 09/18/2020 CARONNO PERTUSELLA
  • UFF PP TT 21/09/2020 GHEDI
  • BBPM 09/22/2020 CASARILE
  • BBPM 09/24/2020 MACHERIO
  • BBPM 09/30/2020 RESCALDINA
  • BBPM 09/30/2020 LIMENA
  • VOLKS 21/10/2020 VILLAVERLA
  • UNICREDIT 22/10/2020 GRISIGNANO DI ZOCCO
  • BANCO S. MARCO 10/28/2020 SPINEA
  • BANCA CAMBIANO 10/30/2020 MONTELUPO FIORENTINO
  • BBPM 11/06/2020 BIASSONO
  • BBPM 11/8/2020 Santo Stefano Ticino
  • BCC 10/11/2020 Junction of Capannelle (RM)
  • UFF PP TT 11/11/2020 Vermicino - Frascati

[Image: Black box attack on an Italian bank ATM]

Poorly protected ATMs are more exposed to this type of attack because crooks can easily tamper with their case in order to connect the mobile device.

In July, Diebold Nixdorf, a leading manufacturer of ATMs, issued an alert to customers warning all banks of a new variant of ATM black box or jackpotting attacks. The alert was issued after Argenta Bank in Belgium was forced to shut down 143 ATMs after a jackpotting attack.

All the compromised machines were Diebold Nixdorf ProCash 2050xe devices. This was the first time that Belgian authorities had observed this criminal practice in the country.

According to the security alert issued by Diebold Nixdorf, and obtained by ZDNet, the new variation of black box attacks has been used in certain countries across Europe.

Pierluigi Paganini

(SecurityAffairs – hacking, black box attack)


How to hack Wincor Cineo ATMs to bypass black-box attack protections and withdraw cash

Researchers demonstrated how crooks could hack Diebold Nixdorf’s Wincor Cineo ATMs to bypass black-box attack protections and withdraw cash.

Positive Technologies researchers Vladimir Kononovich and Alexey Stennikov have discovered security flaws in Wincor Cineo ATMs that could be exploited to bypass black box attack protections and withdraw cash.

“According to Vladimir Kononovich, some manufacturers rely on security through obscurity, with proprietary protocols that are poorly studied and the goal of making it difficult for attackers to procure equipment to find vulnerabilities in such devices. However, our research shows that such equipment is not difficult to find on the open market and analyze, which can be used by criminal groups.” reads the post published by Positive Technologies.

A black box attack is a type of jackpotting attack aimed at forcing an ATM to dispense the cash by sending a command through a “black box” device.

In this attack, a black box device, such as a mobile device or a Raspberry Pi, is physically connected to the ATM and is used by the attackers to send commands to the machine.

The ATM black box attacks are quite popular in the cybercrime underground and several threat actors offer the hardware equipment and malware that could be used to compromise the ATMs.

The vulnerabilities discovered by the security duo impact the Wincor Cineo ATMs with the RM3 and CMD-V5 dispensers. Wincor is currently owned by ATM manufacturing giant Diebold Nixdorf.

An attacker with access to the dispenser controller’s USB port can install an outdated or modified firmware version to bypass the encryption and make cash withdrawals.

Research published by Positive Technologies in 2018 revealed that 69 percent of ATMs were vulnerable to such attacks and could be hacked in a few minutes.

ATM vendors have implemented built-in protection against black box attacks in modern systems, typically end-to-end encryption between the ATM computer and the dispenser. End-to-end encryption creates a protected communication channel between the central unit that sends commands to the dispenser and the dispenser itself, so an attacker without the encryption keys cannot withdraw money.

“In the case of Wincor Cineo, we managed to figure out the command encryption used in the interaction between the PC and the controller, and bypass the protection against black-box attacks. At a popular website, we bought the same dispensing controller as the one used in Wincor’s ATMs. Bugs in the controller code and old encryption keys allowed us to connect to an ATM using our own computer (as in a classic black-box attack), bypass the encryption, and make a cash withdrawal. Currently, the attack scenario consists of three steps: Connecting a computer to an ATM, loading outdated and vulnerable firmware, and exploiting the vulnerabilities to access the cassettes inside the safe.” explained Vladimir Kononovich, Senior Specialist of ICS Security at Positive Technologies.

The two vulnerabilities, tracked as CVE-2018-9099 and CVE-2018-9100, reside in the firmware of the CMD-V5 dispenser and the RM3/CRS dispenser respectively. Both issues received a CVSSv3.0 score of 6.8.

“The first flaw, CVE-2018-9099, was detected in the firmware of the CMD-V5 dispenser (all versions up to and including 141128 1002 CD5_ATM.BTR and 170329 2332 CD5_ATM.FRM). The second, CVE-2018-9100, was detected in the firmware of the RM3/CRS dispenser (all versions up to and including 41128 1002 RM3_CRS.BTR and 170329 2332 RM3_CRS.FRM).” continues the post.

The vendor has already released security fixes to address both flaws; for this reason banks and financial organizations have to install the latest firmware version on their ATMs. The experts also recommend enabling physical authentication of the operator during firmware installation.

Vladimir Kononovich recently detailed the two vulnerabilities at the Hardwear.io hardware security conference in The Netherlands.

Pierluigi Paganini

(SecurityAffairs – hacking, black-box)


FBI warns of fraudulent schemes using cryptocurrency ATMs and QR for payments

The FBI warns of an increase of fraudulent schemes leveraging cryptocurrency ATMs and QR Codes to facilitate payment.

The FBI Internet Crime Complaint Center (IC3) published an alert to warn the public of fraudulent schemes leveraging cryptocurrency ATMs and Quick Response (QR) codes to complete payment transactions.

This payment option makes it nearly impossible to recover the money stolen through such schemes.

“The FBI warns the public of fraudulent schemes leveraging cryptocurrency ATMs and Quick Response (QR) codes to facilitate payment. The FBI has seen an increase in scammers directing victims to use physical cryptocurrency ATMs and digital QR codes to complete payment transactions.” reads the alert.

QR codes can be used at cryptocurrency ATMs to transfer money to an intended recipient and crooks started using them to receive payments from victims.

Fraudulent schemes include online impersonation, in which the scammer poses as a familiar entity (e.g. the government, law enforcement, a legal office, or a utility company), romance scams, and lottery schemes (in which the scammer tries to convince victims that they have won an award).

In all these schemes, the scammers provide a QR code associated with the scammer’s cryptocurrency wallet that the victim has to use during the transaction. The victims are instructed to complete the transaction at a physical cryptocurrency ATM, where they insert cash to purchase cryptocurrency and then transfer it to the scammer by scanning the provided QR code.

In these schemes, the scammers are in constant online communication with the victims and provide step-by-step instructions to make the payment.

“Cryptocurrency’s decentralized nature creates challenges that makes it difficult to recover. Once a victim makes the payment, the recipient instantly owns the cryptocurrency, and often immediately transfers the funds into an account overseas. This differs from traditional bank transfers or wires where a payment transaction can remain pending for one to two days before settlement.” continues the FBI. “It can also make law enforcement’s recovery of the funds difficult and can leave many victims with a financial loss.”

Below are the tips provided by the FBI to avoid being victims of this kind of scam:

  • Do not send payment to someone you have only spoken to online, even if you believe you have established a relationship with the individual.
  • Do not follow instructions from someone you have never met to scan a QR code and send payment via a physical cryptocurrency ATM.
  • Do not respond to a caller, who claims to be a representative of a company, where you are an account holder, and who requests personal information or demands cryptocurrency. Contact the number listed on your card or the entity directly for verification.
  • Do not respond to a caller from an unknown telephone number, who identifies as a person you know and requests cryptocurrency.
  • Practice caution when an entity states they can only accept cryptocurrency and identifies as the government, law enforcement, a legal office, or a utility company. These entities will likely not instruct you to wire funds, send checks, send money overseas, or make deposits into unknown individuals’ accounts.
  • Avoid cryptocurrency ATMs advertising anonymity and only requiring a phone number or e-mail. These cryptocurrency ATMs may be non-compliant with US federal regulations and may facilitate money laundering. Instructions to use cryptocurrency ATMs with these specific characteristics are a significant indicator of fraud.
  • If you are using a cryptocurrency ATM and the ATM operator calls you to explain that your transactions are consistent with fraud and advises you to stop sending money, you should stop or cancel the transaction.

Pierluigi Paganini

(SecurityAffairs – hacking, scam)

The post FBI warns of fraudulent schemes using cryptocurrency ATMs and QR for payments appeared first on Security Affairs.

Threat actors are stealing funds from General Bytes Bitcoin ATM

Threat actors have exploited a zero-day vulnerability in the General Bytes Bitcoin ATM servers to steal BTC from multiple customers.

Threat actors have exploited a zero-day flaw in General Bytes Bitcoin ATM servers that allowed them to hijack transactions associated with deposits and withdrawals of funds.

GENERAL BYTES is the world’s largest Bitcoin, Blockchain, and Cryptocurrency ATM manufacturer.

The ATMs manufactured by the company are remotely controlled by a Crypto Application Server (CAS), which manages the operation of the devices.

The company published a security advisory on August 18th admitting the existence of a zero-day flaw actively exploited by threat actors in the wild. The attackers exploited the issue to create an admin user account via the CAS admin panel.

General Bytes Bitcoin ATM zero-day

“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208. Read more information in the ‘What happened’ section.” reads the advisory.

The active exploitation of the issue was also confirmed by BleepingComputer which was contacted by a General Bytes customer who told them attackers were stealing bitcoin from their ATMs.

According to the advisory, the issue resides in the CAS admin interface. Threat actors scanned the Digital Ocean cloud hosting IP address space for CAS services exposing ports 7777 or 443, then exploited the vulnerability to create a new default admin user, organization, and terminal. Once inside the CAS interface, they renamed the default admin user to ‘gb,’ then modified the crypto settings of two-way machines with their own wallet settings and the ‘invalid payment address’ setting.

These settings caused coins that customers sent to the ATM to be forwarded to the attackers’ wallet.

According to the advisory, the attacks came three days after the company publicly announced the ‘Help Ukraine’ feature on its ATMs.

General Bytes recommends customers install the two server patch releases 20220531.38 and 20220725.22.

The company also shared instructions for configuring server firewalls to control access to the Crypto Application Server.
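The sequence described in the advisory (a second admin account created through the installation page, the admin renamed to ‘gb’, the payout settings rewritten) leaves a recognisable trail in an audit log. The following is an added example of how an operator could review such a trail; it is not General Bytes code, and the JSON-lines log format, its field names, the setting names in `PAYOUT_SETTINGS` and the trusted management network are all assumptions to be mapped onto the real CAS audit export.

```python
"""Audit-log review for the CAS compromise pattern described in the advisory.

Added example, not General Bytes code. The JSON-lines record format, the
field and setting names, and the trusted management network are assumed.
"""
import ipaddress
import json
from dataclasses import dataclass

# Assumed: operators reach the CAS admin interface only from this network.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed setting names for the wallet / invalid-payment-address settings
# the advisory says were modified on two-way machines.
PAYOUT_SETTINGS = {"invalid_payment_address", "buy_wallet", "sell_wallet"}

# Constructed sample audit trail (JSON lines). 203.0.113.0/24 is a
# documentation range; the wallet value is a placeholder.
SAMPLE_AUDIT_LOG = """\
{"ts": "2022-08-17T09:00:01Z", "action": "create_admin", "user": "admin", "src_ip": "10.0.0.5"}
{"ts": "2022-08-17T09:05:00Z", "action": "login", "user": "admin", "src_ip": "10.0.0.5"}
{"ts": "2022-08-18T02:11:40Z", "action": "create_admin", "user": "admin", "src_ip": "203.0.113.77"}
{"ts": "2022-08-18T02:12:03Z", "action": "rename_user", "old_name": "admin", "new_name": "gb", "src_ip": "203.0.113.77"}
{"ts": "2022-08-18T02:13:20Z", "action": "update_setting", "setting": "invalid_payment_address", "value": "bc1qPLACEHOLDER", "src_ip": "203.0.113.77"}
{"ts": "2022-08-18T08:00:00Z", "action": "update_setting", "setting": "display_language", "value": "en", "src_ip": "10.0.0.5"}
"""


@dataclass
class Finding:
    line_no: int  # 1-based record number in the log
    rule: str
    detail: str


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(src_ip: str) -> bool:
    """True when the source address lies inside the management network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def analyze(events: list[dict]) -> list[Finding]:
    """Flag the indicators from the advisory, in log order."""
    findings: list[Finding] = []
    admin_creations = 0
    for n, ev in enumerate(events, start=1):
        action = ev.get("action")
        src = ev.get("src_ip", "")
        if action == "create_admin":
            admin_creations += 1
            # The install page is only meant to create the first admin; any
            # later creation through it is the exploitation pattern.
            if admin_creations > 1:
                findings.append(Finding(n, "second_admin_creation",
                                        f"admin {ev.get('user')!r} created after initial install from {src}"))
            if not is_trusted(src):
                findings.append(Finding(n, "untrusted_admin_source",
                                        f"admin created from non-management address {src}"))
        elif action == "rename_user" and ev.get("new_name") == "gb":
            findings.append(Finding(n, "admin_renamed_gb",
                                    f"{ev.get('old_name')!r} renamed to 'gb' from {src}"))
        elif action == "update_setting" and ev.get("setting") in PAYOUT_SETTINGS:
            trust = "trusted" if is_trusted(src) else "UNTRUSTED"
            findings.append(Finding(n, "payout_setting_changed",
                                    f"{ev.get('setting')} set to {ev.get('value')!r} from {trust} {src}"))
    return findings


def review_sample() -> list[Finding]:
    """Run the rules over the constructed sample log."""
    return analyze(parse_events(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for f in review_sample():
        print(f"record {f.line_no}: {f.rule}: {f.detail}")
```

Changes to payout settings are reported even when they come from the management network, since a legitimate wallet change is rare enough to deserve a second look; the source-trust check is only added as context. Pair this review with the firewall restriction the vendor recommends, so that the admin interface on ports 7777 and 443 is not reachable from arbitrary addresses in the first place.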

Pierluigi Paganini

(SecurityAffairs – hacking, General Bytes Bitcoin ATM)

The post Threat actors are stealing funds from General Bytes Bitcoin ATM appeared first on Security Affairs.
