ATM Malware Attacks Spreading

New Report Says Incidents Migrating to New Markets
ATM Malware Attacks Spreading

Just a week after the international police organization Interpol issued an alert warning that criminals may soon use malware against ATMs around the world, a new report from the European ATM Security Team says at least 20 ATM malware incidents have been reported by a single unnamed ATM deployer based in Western Europe.

See Also: OnDemand | Payments Without Borders: Prevent Fraud and Improve the Customer Experience

This latest development comes after a report earlier this month about so-called jackpotting attacks that had infected at least 50 ATMs in Eastern Europe, including Russia (see Malware Attacks Drain Russian ATMs). The jackpotting malware enabled criminals to within minutes drain these ATMs, netting attackers millions of dollars (see ATM Malware Attacks Rise in Europe).

As ATM malware continues to spread globally, security experts advise banking institutions and other ATM deployers to enhance the physical security of their ATMs; update operating systems; and work with equipment manufacturers to address software vulnerabilities.

ATM Malware

In its just-released ATM Crime Report for the first half of 2014, EAST warns ATM malware attacks are spreading. EAST is an international ATM network that drives cross-border cooperation and information sharing to thwart ATM crimes.

Although the report notes 20 ATMs in Western Europe were recently infected by malware, EAST does not name the make or model of ATM that was compromised, but says the attack targeted a specific type of off-premises terminal.

ATM malware attacks have migrated within Europe in just the last nine months. Until recently, these malware attacks had been seen primarily in Russia, Ukraine and parts of Latin America.

EAST Executive Director Lachlan Gunn says the trend is troublesome.

"While [the latest incident] was one group of criminals attacking a single ATM type in a specific type of location, this is a worrying new development for the industry in Europe," Gunn says. "Through the EAST Expert Group on ATM Fraud, we have been working with the ATM vendors, and vendors of logical security systems and services, to communicate the steps that should be taken by ATM deployers and networks to mitigate these risks across all ATM types and locations."

ATM Fraud Trends

Because anti-skimming technology and payment card enhancements, such as EMV, have made skimming attacks less profitable, fraudsters are focusing more attention on ATM malware and card-trapping, EAST reports (see ATM Malware: Hackers' New Focus).

Among the 21 European countries included in the report, ATM-related fraud attacks have dropped 42 percent in the last year, according to EAST. But for the first time, card trapping incidents accounted for the majority of incidents reported.

Source: European ATM Security Team. H1 stands for the first six months of the year.

EAST warns of two types of ATM malware attacks that have been identified in the wild - both with the ability to compromise any Windows-based ATM.

"As a significant number of Europe's ATMs continue to use the Windows XP operating system, there are concerns that many remain vulnerable to ATM malware if the necessary preventive measures are not taken," EAST reports. "The main ATM vendors clearly highlight what these necessary preventive measures are."

One type of malware attack, known as jackpotting, hit the 20 ATMs in Western Europe. This malware takes control of the ATM's cash-dispensing function. After the virus has been installed, the ATM is rebooted and then automatically spits out cash.

The other type of malware attack affects an ATM's PIN pad, allowing criminals to intercept card and PIN data. This type of attack allows the hackers to create counterfeit magnetic-stripe cards.

Graham Mott, director of the LINK Scheme, the United Kingdom's ATM network, points out that mag-stripe cards can still be used for fraudulent online purchases worldwide or in markets, such as the U.S. and parts of Asia, where mag-stripe cards are still the norm.

Physical Security

But Mott says the main issue leading to the spread of malware is poor physical ATM security.

Hackers are targeting ATMs with enclosures that are easy to access, either with a universal key or a default passcode. Once attackers are able to open the enclosure, they install malware, usually by inserting a USB or CD that has the malicious code saved to it, Mott says.

Mott and Gunn urge ATM deployers to take steps to make it difficult for attackers to open the enclosures that house these machines.

But Gunn also notes that ATMs should be programmed not to reboot from any external media, such as a CD or USB. This would prevent the malware from running, even if it was installed, he says.

Still, ATM manufacturers, such as NCR Corp., are encouraging banks and others to ensure they are addressing operating system weaknesses, especially those related to Windows XP, which is no longer supported by Microsoft.

"Microsoft will no longer issue security updates for Windows XP Professional; this means that customers may lose their PCI-Data Security Standard (PCI-DSS) compliance," says Owen Wild, a security and compliance executive at NCR in a blog. "Basically, XP's security vulnerabilities will not be resolved or closed."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.