by David Sancho and Numaan Huq (Trend Micro Forward-Looking Threat Research Team), Massimiliano Michenzi (Europol EC3)
Infecting automated teller machines (ATMs) with malware is nothing new. It’s concerning, yes. But new? Not really. We’ve been seeing physical attacks against ATMs since 2009. By physical, we mean opening the target machine’s casing, accessing the motherboard and connecting USB drives or CD-ROMs in order to infect the operating system. Once infected, the ATM is at the attackers’ mercy, which normally means that they are able to empty the money cassettes and walk away with fully loaded wallets. In 2016, we released a joint paper with Europol’s European Cybercrime Centre (EC3) that discussed the shift from physical to digital means of emptying an ATM and described the different ATM malware families that had been seen in the wild by then.
What has happened since? On top of many more malware families entering the landscape, which was to be expected, one new development we forecast has unfortunately come to pass: attackers have started infecting ATMs with malware through the network. Five distinct incidents of network-based ATM malware attacks have already been reported in the media, and we believe this to be significant because it shows that cybercriminals have ATMs firmly in their crosshairs.
As with physical ATM malware attacks, stealing cold, hard cash isn’t the sole objective of cybercrooks targeting ATMs through the network. Looking to squeeze as much as possible out of their victims, these criminals could also compromise bank customer data and subsequently steal money in the form of ones and zeroes, making the malware act like a virtual skimming device.
A Stealthier Way in – Attacking Through the Network
Gaining access to banks’ networks and successfully installing ATM malware would mean that criminals don’t have to go to the machines anymore. They simply have money mules on-site and at the ready to collect the money for them and go.
However, network infections require more work and technical knowledge on the attackers’ side than the more common approach of gaining physical access to ATMs. The complication lies in actually being able to reach the ATM network from the bank’s main network.
In a well-planned network architecture, the ATM network and the bank’s main network should be separated. This way, having access to one does not mean gaining admission to the other. Gaining access to both networks would, ideally, require bypassing the firewalls and other security controls in place.
Unfortunately, not all banks implement network segmentation. Some reported incidents have even demonstrated how, despite the two networks being separated, criminals could establish a solid foothold in a bank’s main network and use it to install malware on the bank’s ATMs.
Based on our observation of the different known network-based attacks, criminals infiltrate banks’ networks by means as simple as sending phishing emails to bank employees. Once in, they perform lateral movement to identify and reach other subnetworks, including the one hosting the ATMs.
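The segmentation described above only helps if the boundary between the corporate network and the ATM segment is actually enforced and watched. The following script, added here as an illustration and not code from Trend Micro, Europol or the paper, shows the kind of check a bank’s monitoring team could run over firewall logs: it flags any traffic crossing from the corporate LAN into the ATM segment that does not come from an approved management host on an approved port, and it counts how many distinct ATM hosts each corporate source has touched, since a workstation reaching many ATMs in quick succession is the lateral-movement pattern the post describes. The subnet ranges, the management allow-list, the port number and the log lines are all constructed placeholders.

```python
"""Detection logic for unexpected traffic crossing from the corporate LAN into the ATM segment.

Everything here is constructed for illustration: the subnet ranges, the
management allow-list, the port number and the log lines are placeholders,
not data from any real bank.
"""
import ipaddress
from collections import defaultdict, namedtuple

# Assumed segmentation policy (constructed): the corporate LAN may reach the ATM
# segment only from two hardened management hosts, and only on one service port.
CORP_NET = ipaddress.ip_network("10.10.0.0/16")
ATM_NET = ipaddress.ip_network("10.200.0.0/16")
MGMT_HOSTS = {ipaddress.ip_address("10.10.5.10"), ipaddress.ip_address("10.10.5.11")}
MGMT_PORTS = {8443}  # placeholder port for the ATM management service

Alert = namedtuple("Alert", "timestamp src dst port reason")


def parse_line(line):
    """Parse one constructed firewall line: '<timestamp> <src> <dst> <dport> <ALLOW|DENY>'."""
    ts, src, dst, port, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action


def check_line(line):
    """Return an Alert for a corporate->ATM crossing that violates the policy, else None.

    Both allowed and denied crossings from ordinary hosts are reported: an ALLOW
    means the segmentation has a hole, a DENY means someone is probing the boundary.
    """
    ts, src, dst, port, action = parse_line(line)
    if src not in CORP_NET or dst not in ATM_NET:
        return None  # traffic that stays inside one segment is out of scope here
    if src not in MGMT_HOSTS:
        reason = ("non-management host reached ATM segment (segmentation gap)"
                  if action == "ALLOW" else
                  "non-management host probed ATM segment (blocked)")
        return Alert(ts, str(src), str(dst), port, reason)
    if port not in MGMT_PORTS:
        return Alert(ts, str(src), str(dst), port, "management host used unapproved port")
    return None


def scan(lines):
    """Run check_line over a log and return the list of alerts, in log order."""
    return [alert for alert in map(check_line, lines) if alert is not None]


def suspected_sweeps(lines, threshold=3):
    """Map corporate sources to the number of distinct ATM hosts they touched,
    keeping only sources at or above the threshold (a sign of host discovery)."""
    seen = defaultdict(set)
    for line in lines:
        _, src, dst, _, _ = parse_line(line)
        if src in CORP_NET and dst in ATM_NET:
            seen[str(src)].add(dst)
    return {src: len(dsts) for src, dsts in seen.items() if len(dsts) >= threshold}


# Constructed sample log; timestamps, addresses and ports are invented.
SAMPLE_LOG = [
    "2017-10-01T09:12:01 10.10.5.10 10.200.1.15 8443 ALLOW",  # approved management traffic
    "2017-10-01T09:12:07 10.10.5.10 10.200.1.16 445 ALLOW",   # management host, wrong port
    "2017-10-01T09:13:44 10.10.42.7 10.200.1.15 445 ALLOW",   # workstation crossed the boundary
    "2017-10-01T09:13:45 10.10.42.7 10.200.1.16 445 DENY",    # same workstation, now blocked
    "2017-10-01T09:13:46 10.10.42.7 10.200.1.17 445 DENY",
    "2017-10-01T09:15:00 10.10.42.7 10.10.3.3 80 ALLOW",      # corporate-internal, ignored
    "2017-10-01T09:16:00 10.200.1.15 10.200.1.16 445 ALLOW",  # ATM-to-ATM, out of scope here
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print("sources sweeping the ATM segment:", suspected_sweeps(SAMPLE_LOG))
```

On the constructed log, the script raises four alerts (one for the management host using an unapproved port, three for the ordinary workstation touching the ATM segment) and singles out that workstation as having swept three distinct ATM hosts. Reporting denied attempts as well as allowed ones matters: a firewall that blocks the crossing has done its job, but the attempt itself is the early warning that someone on the corporate side is looking for the ATM network.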
One of the most noteworthy network-based attacks involves Ripper, the first known ATM malware that uses the network as an infection vector. Targeting ATMs made by three of the major ATM manufacturers, the malware was responsible for the attacks against thousands of ATMs in Thailand in 2016. Ripper has jackpotting capabilities, allowing it to dispense cash from ATMs in large quantities to the point of emptying the machines. Another insidious feature of this malware is that it can self-destruct, removing any incriminating traces of its activity in the operating environment and making post-infection forensics difficult.
To explain this topic in detail and give our readers an overview of the kinds of ATM malware in existence, we have written, together with Europol’s EC3, an updated and comprehensive paper on physical and network-based malware attacks against cash machines. It can be publicly downloaded here: Cashing in on ATM Malware: A Comprehensive Look at Various Attack Types.