Thursday, April 23, 2020
From remote administration and jackpotting, to malware sold on the Darknet, attacks against ATMs have a long and storied history. And, much like other areas of cybercrime, attackers only refine and grow their skillset for infecting ATM systems from year-to-year. So what does the ATM landscape look like as of 2020? Let’s take a look.
ATM attacks aren’t new, and that’s not surprising. After all, what is one of the primary motives driving cyber criminals? Money. And ATMs are cash hubs—one successful attack can net you hundreds of thousands of dollars. In the past, even high-profile threat actors have made ATMs their prime target.
However, attacking ATMs is a bit different from traditional financial-related threats, like phishing emails or spoofed websites. That’s because ATMs operate in a unique space in the tech world: they’re still connected to the corporate networks but at the same time must be accessible to anyone that passes by. The resulting technical differences means the attack methods differ from those used for traditional endpoints.
ATMs also share several common characteristics that make them particularly vulnerable to attacks:
Old software means unpatched vulnerabilities—ones criminals can exploit—and isolated areas makes it easier for criminals to gain physical access to the internal ports of the motherboard. This is especially typical for the old ATM machines located in many regions with low resources and no budgets for ATM upgrades. When combined, ATMs become not only a highly profitable target—but an easy one.
From 2017 to 2019, there has been a marked increase in ATM attacks, due to a few families being particularly active. These target systems around the globe, regardless of the vendor, and have one of two goals: either stealing customers’ information or funneling funds directly from the bank.
Considering all of the above, we decided to delve further into what has been happening in the world of ATM/PoS malware for the last few years.
Number of unique devices that encountered ATM/PoS malware, 2017-2019
To gain a closer look at ATM malware worldwide, we utilized the statistics processed by Kaspersky Security Network (KSN) over the course of the past three years globally.
The results showed that the number of unique devices protected by Kaspersky that encountered ATM/PoS (point-of-sale) malware at least once experienced a two-digit growth in 2018—and this number held steady, even increasing slightly, in 2019.
Geography of unique devices that encountered ATM/PoS malware, 2017
TOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2017
|
Country |
Users |
1 |
Russian Federation |
1016 |
2 |
Brazil |
423 |
3 |
Vietnam |
281 |
4 |
United States |
148 |
5 |
India |
137 |
6 |
Turkey |
96 |
7 |
China |
94 |
8 |
Germany |
58 |
9 |
Philippines |
53 |
10 |
Mexico |
51 |
The ten countries that had the greatest number of unique devices affected by ATM/POS malware were relatively dispersed around the globe, with the highest number in Russia. Russia has had a long history of threat actors targeting financial institutions. For example, it was in 2017 that Kaspersky researchers uncovered an ATM malware dubbed “ATMitch” that was gaining remote access control over ATMS at Russian banks. In addition, the relatively high rates in both Brazil and Mexico can be partially attributed to Latin and South America’s longstanding history as a hotspot of ATM malware.
Geography of unique devices that encountered ATM/PoS malware, 2018
TOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2018
|
Country |
Users |
1 |
Russian Federation |
1370 |
2 |
Brazil |
753 |
3 |
Italy |
537 |
4 |
United States |
519 |
5 |
Vietnam |
433 |
6 |
India |
408 |
7 |
Thailand |
369 |
8 |
Germany |
277 |
9 |
Turkey |
224 |
10 |
Iran |
198 |
In 2018, the countries with the greatest number of ATM/PoS malware incidents recorded by unique devices remained distributed worldwide, but the countries remained similar to 2017, with the highest activity recorded in Russia and Brazil.
The overall increase in the number of users affected can be attributed to both the reappearance of new ATM malware and the development of new families:
Geography of unique devices that encountered ATM/PoS malware, 2019
TOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2019
|
Country |
Users |
1 |
Russian Federation |
2306 |
2 |
Iran |
1178 |
3 |
Brazil |
819 |
4 |
Vietnam |
416 |
5 |
India |
353 |
6 |
Germany |
228 |
7 |
United States |
220 |
8 |
Italy |
197 |
9 |
Turkey |
149 |
10 |
Mexico |
114 |
This past year, the ten countries with the highest level of ATM/PoS malware activity remained the same, with only one change: Mexico once again entered the top ten, while Thailand left.
Overall, the total number of users affected increased once again. In fact, ATM/PoS malware activity reached new levels by the spring of 2019 with a string of operations: ATMqot, ATMqotX, and ATMJaDi. ATMgot operates directly on the ATM using the dispenser to withdraw the maximum number of banknotes allowed; if it cannot do this, it will default to 20 notes. This malware also possesses anti-forensic techniques that allow it to delete traces of the infection from the ATMs, as well as some video files, which could potentially be used as part of video monitoring.
ATMJadi orginated in Latin America and is capable of cashing out ATMs. Since it’s a Java-based project, it’s platform-dependent—and thus highly targeted. In order to be installed, the attackers must gain access to the bank’s network. This suggests the attackers first compromise the bank’s infrastructure. But what’s perhaps most interesting is the false flag section with strings in the Russian language.
The problem of cyberattacks is compounded by the use of outdated and unpatched systems. That means that, even as new 2019 malware families were developed, the old ATM families from the previous years can still be used to launch successful attacks.
ATM/PoS malware will only continue to evolve, and so, we will continue to monitor the ecosystem closely. We’ve already seen WinPot, first discovered in 2018, active this year in different parts of the world.
Latin America has long been known as a region of innovative cybercriminals who adopt techniques other region uses. It’s not surprising then that a new trend was recently discovered in development: an ATM MaaS project whereby a group in Latin America is attempting to sell ATM malware developed for each major vendor on the market. Projects like these provide further evidence that the world of ATM malware is still evolving, with cybercriminals continuously developing better attack strategies.
Our research has also shown that, beyond Latin America, countries in Europe and the APAC region are of particular interest to ATM attackers, as is the United States. This signifies that ATM malware is a truly global threat. After all, ATMs are located in nearly every country and few systems offer access to such massive amounts of fund.
How, then, can you protect your money? No matter how digital banking has become, ATMs are still an inevitable part of managing your funds. While you can’t control whether or not an ATM machine is attacked, by conscientiously monitoring your accounts and financial transactions, you can make sure suspicious activity is quickly identified and the proper channels duly notified. This should help mitigate the damage caused by any attack.
For financial institutions, staying secure requires a comprehensive, multi-step approach:
PoS terminals are in many aspects similar to ATMs, but still possess a number of differences to be mindful of—and tackled accordingly. Apart from the steps mentioned above (which remain applicable), the following must be taken into account: