ATMs have been prime targets for criminals in both the physical and the digital realms. After all, all that stands between a thief and stacks of cold, hard cash is a plastic teller machine, and there are more than three million ATMs in the world today.
In recent years, we've seen a number of trends impact ATM theft, including skimming machines. As Trend Micro noted, these are pieces of hardware that can be fit over the regular card reader on the machine, enabling a hacker to view and steal the payment card details of customers using the terminals. In fact, these devices have even been mass produced and sold by hackers.
Now, however, cyber criminals are putting the hardware away in favor of another tried-and-true favorite: malware.
"[ATMs] are no longer just affected by the physical attempts of emptying the money safe," Trend Micro researchers David Sancho and Numaan Huq wrote. "Now logical attacks an ATMs are slowly being recognized as an emerging threat by the security industry and law enforcement agencies."
Trend Micro reported in April that ATM malware had been on the rise recently, both in the U.S. as well as abroad.
Malware makes attacks easier
This shift toward launching attacks via the digital realm is significant in the cyber criminal world. For years, hackers relied on physical hardware and even small cameras to snoop on banking customers' financial details, including card numbers and PINs. Now, however, these processes can take place with malware, and in a way that is much safer for the hacker. On the flip side, though, this creates an increasingly threat-heavy environment for financial firms and their clients.
"The shift to the digital means of attack reveals a realization among criminal groups – that the use of malware is an easier and safer way to steal money and card information from ATMs," Sancho and Huq observed.
Statistics are in
Trend Micro's ATM attack research supports Sancho and Huq's statement here. According to these numbers, there has been a significant rise in fraudulent ATM attacks using malware, as well as a parallel decline in physical attacks on the machines themselves.
Overall, researchers discovered a 15 percent increase in fraud attacks on ATMs from 2014 to 2015. Fewer than 7,000 malware-based attacks were reported in 2014, and this number jumped to more than 7,000 in 2015.
Top ATM malware attack samples
Researchers were also able to pinpoint several malware samples that have been used in this recent rash of ATM attacks. These include a number of different malware families and variants, which are leveraged to steal credentials as well as evade detection. Trend Micro identified the following malware samples being used in specific geographic locations:
- In Eastern European ATM malware infections, samples including Skimer, Padpin and Suceful have become common. Skimer was first discovered in 2009. Padpin was first observed in 2014, and Suceful is the newest of the three, found in 2015.
- In South America, Skimer has also been leveraged by hackers to infect ATMs. In addition, Ploutus, Green Dispenser and NeoPocket have been used. Ploutus was found in 2013, NeoPocket in 2014 and Green Dispenser in 2015.
The motivation behind the malware
Trend Micro researchers worked with Europol's European Cybercrime Center to study the rise in ATM malware, and discovered a few interesting insights. The collaboration between these prominent organizations shows not only the wide reach of cyber criminal activities here, but the overall seriousness of the issue as well. There were specific motivations behind this shift, besides the fact that the millions of ATMs across the globe represent the portal through which customers withdraw EUR 8.6 billion, or $9.71 billion, annually.
A main reason for the trend toward ATM malware is the fact that many of these machines rely on outdated operating systems like Windows XP. This OS in particular is especially threat-prone, as Microsoft ended support for it more than two years ago. This means that security patches are no longer released, leaving any systems using this OS open and unprotected against a range of new and emerging threats.
Researchers also discovered that many ATMs leverage application programming interfaces (APIs) that enable easy communication between the machine's PIN pad, cash dispenser and other peripheral devices. This API middleware makes it simpler for a hacker to break into an ATM's inner workings and control its mechanisms.
"Through the use of specially designed malware, attackers no longer need to use traditional safe cracking methods to empty an ATM's money safe," a press release from EC3 and Trend Micro stated.
Ensuring safety in the age of ATM malware
When it comes to guaranteeing the security of these machines, the responsibility falls upon the financial institution. One step in the right direction here is to update all ATMs to an operating system that is still supported by the technology provider. This means that when a new threat arises, the firm can update its ATM OS to include the latest security patch, reducing the chances of successful malware intrusion.
Banks should also monitor all network interactions involving the ATM, including API traffic and any other attempts at communication. In this way, any suspicious activity can be spotted right away, and the institution's IT team can work proactively to prevent an attack.
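As an illustration of the two steps above, here is an added example (not from Trend Micro or EC3) that audits a small ATM fleet for unsupported operating systems and for network connections outside an allowlist. The ATM IDs, addresses, ports, OS labels and policy tables are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "atm_id dst_ip dst_port")

# Assumed policy: OS names the bank treats as out of vendor support.
UNSUPPORTED_OS = {"Windows XP"}

# Assumed allowlist of (network, port) pairs an ATM may talk to.
# Addresses come from documentation ranges; the roles are hypothetical.
ALLOWED = [
    (ipaddress.ip_network("192.0.2.10/32"), 8443),    # payment switch
    (ipaddress.ip_network("198.51.100.0/28"), 443),   # patch/management servers
]

# Constructed sample data, not real telemetry.
INVENTORY = {"ATM-001": "supported-os (placeholder)", "ATM-002": "Windows XP"}
FLOWS = [
    Flow("ATM-001", "192.0.2.10", 8443),
    Flow("ATM-001", "198.51.100.5", 443),
    Flow("ATM-002", "192.0.2.10", 8443),
    Flow("ATM-002", "203.0.113.77", 4444),   # destination not on the allowlist
    Flow("ATM-003", "192.0.2.10", 8443),     # source missing from the inventory
]

def flow_allowed(flow):
    """True if the destination IP and port match an allowlist entry."""
    dst = ipaddress.ip_address(flow.dst_ip)
    return any(dst in net and flow.dst_port == port for net, port in ALLOWED)

def audit(inventory, flows):
    """Return (atm_id, finding, detail) tuples for OS and network issues."""
    findings = []
    for atm_id, os_name in sorted(inventory.items()):
        if os_name in UNSUPPORTED_OS:
            findings.append((atm_id, "unsupported-os", os_name))
    for f in flows:
        detail = f"{f.dst_ip}:{f.dst_port}"
        if f.atm_id not in inventory:
            # Traffic from a machine nobody is tracking is itself a finding.
            findings.append((f.atm_id, "unknown-atm", detail))
        elif not flow_allowed(f):
            findings.append((f.atm_id, "unexpected-destination", detail))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, FLOWS):
        print(*finding, sep="\t")
```

A default-deny allowlist suits ATMs because their expected traffic is narrow and stable, so anything outside it is worth an analyst's attention.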
Financial institutions must be vigilant in their protection of ATMs in order to properly safeguard customers.