Automated Teller Machines (ATM) are no longer just affected by the physical attempt of emptying the money safe. Now logical attacks on ATMs are slowly being recognized as an emerging threat by the security industry and law enforcement agencies. ATM malware had been detected by various researchers for a few years now and we have already seen incidents of their successful use. For this type of crime, malware, specifically targeting ATMs, is employed. The shift to the digital means of attack reveals a realization among criminal groups–that the use of malware is an easier and safer way to steal money and card information from ATMs. This tendency will only grow in the future and should make us mindful of the different pathways criminal groups have gained access to and have created for themselves.
Figure 1. European ATM attack statistics from 2011 to 2015
Fraud and physical attacks on ATMs
The statistics above show a general increase in ATM fraud attacks over the past year (+15% from 2014 to 2015 in ATM related fraud attacks). The growing trend of software attacks in all areas also means that the most sophisticated criminal groups have already realized the hidden opportunity in a hacking toolset for this area. The statistics only indicate the very beginning of malware usage for ATM fraud, but it definitely is a trend that is here to stay.
Although we don’t have any ATM malware attack statistics for the U.S., the European ATM Security Team states that “International losses were reported in 53 countries and territories outside of the Single Euro Payments Area (SEPA) and in 10 within SEPA. The top three locations where such losses were reported are the USA, Indonesia, and the Philippines.”
What brought about the advent of ATM malware?
Trend Micro and Europol’s European Cybercrime Center (EC3) worked together to examine the evolving cyberthreat targeting ATMs. Our research indicates that there are many factors that facilitated the shift toward the use of a hacking toolkit to target ATMs, alongside more traditional attack vectors.
One major factor is the use of an outdated operating system (OS) such as Windows XP® that cannot receive security patches anymore. Another reason can be found in the increasing sophistication of criminals and their realization that the digital way is less risky and that it allows them to move around more stealthily. Another significant factor is the ATM vendors’ decision to employ middleware that provide Application Programming Interfaces (APIs) to communicate with the machine’s peripheral devices (such as PIN pad, cash dispenser etc.) –regardless of the model. This middleware is known as the eXtensions for Financial Services (XFS) middleware. In simple terms, if we think of a modern ATM as a MS Windows® PC with a money box attached to it that’s controlled through software, it is easy to see how it becomes an attractive target for any malware writer.
Figure 2. XFS system architecture
The main ATM malware families in existence
The collaborative research from Trend Micro and Europol’s European Cybercrime Center (EC3) also looked at the main malware types in circulation at the moment. The map above reveals an interesting pattern in terms of origin of the code. A lack of security measures implemented by commercial banks in Latin America and Eastern Europe, has opened the door for criminals to victimize ATMs in these regions. Though very slowly, we are also witnessing the export of these techniques into other regions. Although we have not yet seen ATM malware being traded in the underground, this is an anticipated development expected in the not-so-distant future.
Each of the malware families listed above has a particular functional set-up that can be distinguished by two main characteristics: 1) the ATM manufacturer type, and 2) the specific malware capabilities – whether it is used for skimming the machine for user input such as card numbers and PIN codes, or for actually dispensing cash. What the malware have in common is that it is typically installed manually via USB or the CD-drive.
Figure 3. ATM malware families and their geographical origins
These findings are based on an investigation that Trend Micro and Europol’s European Cybercrime Center (EC3) have worked on together in order to examine the current state of ATM malware. The result is a comprehensive document highlighting the evolving cyberthreat targeting ATMs including an analysis of the new methods used and corresponding key defensive approaches for the organizations concerned to protect their businesses and customers. This joint report is another example of the successful collaboration between law enforcement and industry in fighting cybercrime.
You can read the press release here.