Trend Micro, a multinational security software company, has warned that cyber criminals are increasingly targeting ATMs through the banks’ networks, shifting the landscape from physical to network-based attacks.
Trend Micro and Europol’s European Cybercrime Center (EC3) have collaborated to examine how ATM malware, a formidable threat, has evolved over the years and continues to gain stealthier features that target a multitude of ATMs.
“Over the years, ATM thefts have been undertaken in a variety of ways: from blowing up safes to gluing on skimmers and attaching fake keypads to installing malware executables. In particular, the use of malware in attacking ATMs has seen considerable adoption among cybercriminals, and one of the primary factors contributing to its sustained use is the fact that many of the targeted machines still use outdated operating systems,” said Trend Micro.
“Such systems no longer receive critical security updates, so in the most basic sense, system vulnerabilities are not addressed, let alone resolved.”
Among cyber criminals who use malware to attack and steal cash from ATMs, gaining physical access has become perhaps the most common approach, the security firm said. “However, these criminals have found an even more nefarious infection vector, where no removable drives are inserted and no incriminating footage or fingerprints are found.
“There is no indication that the ATMs have been physically tampered with, but still, the machines are found to have been emptied of cash. The machines do not even have to be stationed on shady streets, remote locations, or other unsecured spots to be thus compromised.”
“Cyber criminals, in their ceaseless attempt to rake in profits, have found another way to target ATMs: via the bank’s network,” it said.
It noted that the first entry into the network is usually through social engineering, making bank employees the weakest link in this infection chain. Network-based ATM heists are far more elaborate than physical attacks, but they have proved to be a more profitable money-making scheme, Trend Micro said.
ATM Malware: Targeting Safes Since 2009
Traditional physical-access-based attacks on ATMs have been happening since 2009, when the malware Skimer was discovered. With such malware, once physical access is gained, the cyber criminals take advantage of the USB port or the CD-ROM drive to infect the ATM.
In some cases, they could also connect an external keyboard to be able to operate the machine.
Since then, Trend Micro said, different types of ATM malware have entered the scene, each with its own capabilities. These include dispensing cash, or “jackpotting”, in the most stripped-down designs, and they often exhibit the cybercriminals’ penetrating technical know-how on ATMs.
The installation of ATM malware often requires physical access to the targeted machine. Once the malware is installed, the cyber crooks send commands to the machine through the eXtensions for Financial Services (XFS) middleware in order to dispense cash.
“Now, banking institutions should be vigilant not only of malware infection due to poor physical ATM security, but also about the very real possibility of attackers infiltrating their networks,” Trend Micro warned.
It said that while network-based attacks require more work than do physical attacks, their appeal lies in allowing cyber criminals to extract cash on command without having to seek out the targeted ATMs.
These attacks involve phishing emails containing malicious executables, sent to bank employees. Once the malware is executed, the banks’ internal networks are penetrated.
“Criminals use this network access to move laterally within the banks’ network and control ATMs — even simultaneously infecting multiple machines in a single attack. Some malware families even have self-deleting capabilities, effectively dissolving most traces of the criminal activity,” Trend Micro said.