ATM malware has evolved and no longer requires physical access to machines to infect them, a report reveals.
Previously, criminals used physical “skimming” devices, USB sticks or CDs to install malware within automated teller machines (ATMs), but since 2015 the attacks have become increasingly remote.
“If we think of a modern ATM as a Microsoft Windows PC with a safe box full of money attached to it and controlled by software, we can see how it becomes a lucrative target for malware creators,” the report said.
The report dissects recent attacks that use bank networks to steal both money and credit card data from ATMs, regardless of network segmentation.
The primary goal of ATM malware is to connect to and control peripheral devices inside the ATM to withdraw stored cash and/or collect information from bank customers, the report said.
One method of infecting ATM networks is through tricking bank employees into opening emails that contain malware.
Once the malware has targeted an ATM to dispense cash, “standby money ‘mules’ will pick up the cash and go,” the report said.
Another vulnerability criminals are exploiting is the fact that many ATMs are running on obsolete or unsupported operating systems.
A majority of ATMs installed worldwide still run either Windows XP or Windows XP Embedded, while some of the older ATMs run Windows NT, Windows CE, or Windows 2000.
“This means there are at least hundreds of thousands of ATMs running an OS that no longer receive software patches for new vulnerabilities or will soon have security patch updates discontinued,” the report said.
Unpatched operating system software a major vulnerability
Unpatched operating system software was highlighted as a major vulnerability by the WannaCry and NotPetya global cyber attacks in May and June 2017, which exploited vulnerabilities that had been patched by Microsoft.
These attacks not only risk personally identifiable information (PII) and large sums of money, but also put banks in violation of the payment card industry data security standard (PCI DSS), the report said.
“The joint industry–law enforcement report shows the malware being used has evolved significantly, and the scope and scale of the attacks have grown proportionately,” said Steven Wilson, head of EC3.
“While industry and law enforcement cooperation has developed strongly, the crime continues to thrive due to the major financial rewards available to the organised crime groups involved,” he said.
A blueprint for future cooperation
Wilson said the report assesses the developing nature of the threat: “I hope that it serves as a blueprint for future industry and law enforcement cooperation.”
Max Cheng, chief information officer for Trend Micro, said protecting against today’s cyber threats and meeting compliance standards require increased resources that are not always available for organisations, including those in the financial services industry.
“Public-private collaborations strengthen the global, ongoing fight against cyber crime, and help fill the resource gap for organisations,” he said. “This report furthers Trend Micro’s commitment to helping law enforcement and private businesses mitigate future attacks and protect individuals.”
A limited-release version of the report is available to law enforcement authorities, financial institutions and the IT security industry. This private report provides greater detail for organisations to harden ATM and network systems and prevent future attacks against financial institutions.
The report concludes that law enforcement agencies should be well informed that criminals have ATMs firmly in their crosshairs, and financial organisations need to take more steps to secure their ATM installations by deploying more security layers.
Although there has been a “considerable effort” undertaken by banks, ATM suppliers and security companies to create and deploy solutions that solve all of the security gaps outlined, the report said this does not mean ATMs can be 100% secured.
“However, a well-designed security plan can go a long way towards ensuring an ATM installation can become very difficult to exploit and victimise,” the report said.