There are all kinds of viruses out there prowling around to get us. And the creators of those viruses are creative to use various methods to ‘infect’ us. During the World Cup this year, culprits took advantage of the hype to lace websites with malware by using Cristiano Ronaldo’s name in Google search results.
Some malware, like one named Onion, are programmed to ‘abduct’ personal information or files and then use that to demand for a ransom from the victims. And in Malaysia recently, the Zeus malware has infected banking websites and it directs users to fake websites and requests for the victim’s smartphone operating system and phone number, which will be then used by the culprit to interfere with the TAN code that banks send to the victim’s phone for online transactions.
It’s no surprise that virus creators are getting increasingly smarter and employ more cunning methods to get your money. And in Malaysia, a certain virus has gone from ‘behind the scenes’ to ‘robbery in broad daylight’.
The ATM Virus Heist
Police today had released images of suspected individuals from a Latin American syndicate who were believed to be responsible for the hacking and theft from Automated Teller Machines (ATMs) in Malaysia. The images were taken from the closed-circuit television cameras (CCTV) installed at some ATM kiosks.
The syndicate used a computer virus known as ‘ulssm.exe.’ to steal money from the ATMs, Bernama reported. This is the first time in Malaysia that a virus or a malware has been used to directly steal money from ATMs. The syndicate has collected about RM3 million over the weekend at ATMs in Kuala Lumpur, Selangor, Malacca, and Johor.
The crime was first detected at an Affin Bank branch in Johor on last Friday.
Federal Commercial Crime director Datuk Seri Mortadza Nazarene yesterday said initial investigations showed that the suspects would opened a panel on the top of the ATMs using a ‘common key’ and infect the machines by inserting a compact disc into the CD-ROM.
“After infecting the machine with the malware, the suspects removed the CD and relocked the panel before starting to withdraw money from the machine,” Mortadza was quoted saying by The Malaysian Insider.
He added that the suspects will then wait for other members to provide them with codes via phone so that they could enter the code using the normal way on the ATM’s keypad to withdraw money. The virus infected earlier will then reboot the ATM’s system and allows the suspects to withdraw money multiple times. Due to the maximum cash output limit programmed into the ATM software, the suspects had to make multiple withdrawals to empty the cash from the machines.
After the crime, Mortadza said to prevent others from using the same ATM, the suspects will block the ATC card slot with a mobile SIM card or with cigarette butts.
This heist was clearly well thought out and planned in detail for smooth execution.
Police Reponse And Defense
Police said so far branches from three banks – Affin Bank, Al-Rajhi Bank and Bank Islam have been targeted. A special task force called “Ops Albatross” has also been set up by the police to investigate and hunt down the syndicate.
Public with information on this case are also urged to contact Senior Assistant Commussuiner Mohd Kamarudin Md Din at 03-26163839 or the nearest police station.
Deputy Home Minister Datuk Seri Dr Wan Junaidi Tuanku Jaafar said the incident did not compromise the banking computer network system in the country as the ATM hacking cases only involved individual machines.
“I am confident our banking network system is still secure, and the people need not worry,” he told reporters after a National Warriors Service Medal Award presentation in Malacca yesterday.
Meanwhile, Association of Banks Malaysia (ABM) said no customer account balances and information were compromised during the spate of the hacking of ATM.
“The Association of Banks in Malaysia (ABM) wishes to assure the public that our member banks with ATM networks are collaborating closely with the relevant authorities with regard to the recent cases of ATM heists,” the association said in a statement yesterday.
The ‘ulssm.exe’ Virus
According to Symantec Security, a leading Internet security company, the virus ‘ulssm.exe’ also known as Backdoor.Padpin was first discovered in May 9 this year. It affect machines that using Windows XP and Windows 7 operating system. It is a Trojan horse that targets ATM and enables attacker to use the ATM pad to submit commands to the Trojan.
The Trojon opens a back door on the compromised machine and allows attacker to perform the following actions:
- Dispense money from the compromised ATM
- Select which cassette the ATM dispenses money from
- Display cassette information such as bills left, denomination and total amount per cassette
- Temporarily disable the local network to avoid triggering alarms when withdrawing money
- Extend the duration of the session in order to continue stealing money
- Delete the Trojan from the compromised ATM
With approximately RM3 million gone in just a few days, how much more can this group steal from other ATM machines? Hopefully with the images captured by the cameras at the ATM kiosks, the culprits will be caught so further incidents can be avoided.