$4K stolen from Raleigh man's bank as ATM skimmer fraud spreads to Wake County
RALEIGH (WTVD) --
A Raleigh man who used a CashPoints ATM in North Raleigh nearly two weeks ago says when he checked his bank account online he noticed two $2,000 cash withdrawals this week--withdrawals he didn't make.
His discovery comes on the heels of a warning from police in Hillsborough about skimmers found on CashPoints machines there and in Alamance County.
"This is something you think happens to somebody else," said Charlie Spahr, the man whose account was debited $4,000.
The CashPoints ATM he used is at a gas station on Leesville Road near I-540.
He uses it often, and he and his wife, Lee Ann, soon found out that so do a lot of other people.
"I put it on Nextdoor immediately. And the responses started popping up with people saying, 'This has happened to me.' Basically at that same ATM," Lee Ann Spahr told ABC 11.
We showed the Spahrs a video posted on abc.11.com with the story about the warning from Hillsborough police.
In it, police from a suburb of Houston, Texas, explain how skimmers work.
One officer holds up a piece of plastic shaped just like the plastic trim where you insert your card into an ATM.
He shows how it slips over the original card slot and then copies information from your card when you insert it.
He recommends tugging on that piece of plastic before inserting your card, saying a skimmer will likely pull off while the original hardware will not.
He also shows how another piece of plastic trim with a small hole in the top is slipped over the cash dispenser.
A camera inside the hole looks at the keypad and records you entering your personal identification number or PIN.
The Spahrs were both shaking their heads as they watched the video.
"It's just unbelievable what they're doing," Lee Ann Spahr said.
The Spahrs called Wells Fargo bank to report the unauthorized transactions - the first made at a Wells Fargo branch ATM in Northern Durham and the other at a branch ATM in the Alamance County town of Mebane.
Charlie Spahr said he was relieved by what the bank representative told him.
"It's obvious what's happened and your account will be credited the full $4,000 and any fees, which there won't be any, within a week."
Still, they say they wanted to warn others in Wake County to be cautious when using their cards.
(Copyright ©2019 WTVD-TV. All Rights Reserved.)
Card skimmer found in Jackson ATM, estimated 600 accounts compromised
JACKSON, MI – About 600 people who used an American 1 Credit Union ATM in Jackson this month have had their account information compromised after a card skimmer was found hidden inside the machine, company officials said.
American 1 Credit Union issued a warning to all of its customers on Tuesday, Feb. 19, informing them about the discovery of the card skimmer, which company officials said had been collecting ATM users’ information for days.
The bank is not disclosing the location of the compromised ATM.
American 1 cards associated with the compromised accounts were deactivated and any funds reported missing were credited back to the account holder, officials said.
Residents who are not American 1 Credit Union members who used the bank’s ATM recently should contact their banking provider if they believe they may have had their account compromised, officials said.
Company officials noted the compromises were solely caused by the skimmer in an ATM, and that the bank’s computer systems were not breached.
Anyone with questions or concerns that they may have had their account compromised is asked to contact American 1 Credit Union at 1-888-213-2848.
The credit union offered the following tips on how to avoid being the victim of a card skimmer:
ATM Hacking Has Gotten So Easy, the Malware's a Game
As long as there are ATMs, hackers will be there to drain them of money. Although ATM-targeted “jackpotting” malware—which forces machines to spit out cash—has been on the rise for several years, a recent variation of the scheme takes that concept literally, turning the machine’s interface into something like a slot machine. One that pays out every time.
As detailed by Kaspersky Lab, so-called WinPot malware afflicts what the security researchers describe only as a “popular” ATM brand. To install WinPot, a hacker needs either physical or network access to a machine; if you cut a hole in the right spot, it's easy enough to plug into a serial port. Once activated, the malware replaces the ATM's standard display with four buttons labeled “SPIN”—one for each cassette, the cash-dispensing containers within an ATM. Below each of those buttons, it shows the number of bank notes within each given cassette, as well as the total values. Tap SPIN, and out comes the money. Tap STOP, and well, you know. (But at that point, ATM cyberthief, why would you?)
Kaspersky started tracking the WinPot family of malware back in March of last year, and in that time has seen a few technical versions on the theme. In fact, WinPot appears to be something of a variation in its own right, inspired by a popular ATM malware dating back to 2016 called Cutlet Maker. Cutlet Maker also displayed detailed information about the contents of its victim ATMs, though rather than the slot motif it used an image of a stereotypical chef giving a wink and the hand gesture for “OK.”
The similarities are a feature, not a bug. “The latest versions of ‘cashout’ ATM software contain only small improvements compared with previous generations,” says Konstantin Zykov, senior security researcher at Kaspersky Lab. “These improvements allow the criminals to automate the jackpotting process because time is critical for them.”
That also goes some way to explaining the absurdist bent ATM hackers have embraced of late, an atypical trait in a field devoted to secrecy and crime. ATM malware is fundamentally uncomplicated and battle-tested, giving its proprietors space to add some creative flair. The whimsical tilt in WinPot and Cutlet Maker “is not usually found in other kinds of malware,” Zykov adds. “These people do have a sense of humor and some spare time.”
After all, ATMs at their core are computers. Not only that, they're computers that often run outdated, even unsupported versions of Windows. The primary barrier to entry is that most of these efforts require physical access to the machine, which is one reason why ATM malware hasn’t become more popular in the US, with its relatively pronounced law-enforcement presence. Many ATM hackers deploy so-called money mules, people who assume all the risk of actually extracting money from the device in exchange for a piece of the action.
But WinPot and Cutlet Maker share an even more important trait than waggery: Both have been available for sale on the dark web. Kaspersky found that one could purchase the latest version of WinPot for as little as $500. That’s unusual for ATM hackers, who have historically kept their work closely guarded.
“More recently, with malware such as Cutlet Maker and WinPot, we see this attack tool is now commercially for sale for a relatively small amount of money,” says Numaan Huq, senior threat researcher with Trend Micro Research, which teamed up with Europol in 2016 for a comprehensive look at the state of ATM hacking. “We expect to see an increase in groups targeting ATM machines as a result.”
WinPot and Cutlet Maker represent only a slice of the ATM malware market. Ploutus and its variants have haunted cash machines since 2013, and can force an ATM to spit out thousands of dollars in mere minutes. In some cases, all a hacker needed to do was send a text message to a compromised device to make an illicit withdrawal. Tyupkin Virus, popular in Russia, only responds to commands during specific windows of time on Sunday and Monday nights, to minimize the chances of being found. Prilex appears to have been homegrown in Brazil, and runs rampant there. It goes on and on.
Stopping this sort of malware is relatively easy; manufacturers can create a whitelist of approved software that the ATM can run, blocking anything else. Device control software also can prevent unknown devices—like a malware-carrying USB stick—from connecting in the first place. Then again, think of the last bodega ATM you used, and how long it's been since it got any kind of updates.
So expect ATM hacking to only get more popular—and more farcical. At this point, it's literally fun and games. “Criminals are just having fun,” says Zykov. “We can only speculate that since the malware itself is not that complicated they have time to spend on these ‘fun’ features.”