ATMs have always been a lucrative target of cybercriminals to get some easy money. But, ATM hack usually required direct physical contact with the machine. Security researchers have now revealed that criminals no longer need to access the machines to load malware as they can remotely take over them exploiting outdated software flaws. Trend Micro and Europol have issued a warning alerting banks of hackers increasingly targeting their networks through phishing campaigns to infect ATMs with malware.
"Over the years, ATM thefts have been undertaken in a variety of ways: from blowing up safes to gluing on skimmers and attaching fake keypads to installing malware executables," security researchers at Trend Micro [PDF] wrote. "In particular, the use of malware in attacking ATMs has seen considerable adoption among cybercriminals, and one of the primary factors contributing to its sustained use is the fact that many of the targeted machines still use outdated operating systems."
Cybercriminals no longer need physical access to load ATM hack malware
Your nearest ATM is probably just a machine attached to a Windows PC, offering several vulnerabilities to attackers. Many of these are running on either obsolete or unsupported operating systems that no longer receive security patches.
"A majority of ATMs installed worldwide still run either Windows XP or Windows XP Embedded. Some of the older ATMs run Windows NT, Windows CE, or Windows 2000.
Microsoft support for Windows XP ended on April 8, 2014. Extended support for Windows XP Embedded ended on Jan. 12, 2016, and extended support for Windows Embedded Standard 2009 is scheduled to end on Jan. 8, 2019."
This latest cyber threat essentially shifts the malware landscape because it is different from skimmers and fake keypads or even malware that is injected on site, as it requires no physical interaction with the machine. The attack starts with a social engineering campaign, but surprisingly many do fall for these phishing emails and tricks.
"There is no indication that the ATMs have been physically tampered with, but still, the machines are found to have been emptied of cash. The machines do not even have to be stationed on shady streets, remote locations, or other unsecured spots to be thus compromised."
The security firm has called the development in network-based ATM heists "unnerving" as "criminals have realized that not only can ATMs be physically attacked, but it is also very possible for these machines to be accessed through the network."
These attacks are also more elaborate and dangerous as criminals can get access to virtually any ATM in the network and they also aren't restricted to working in the dark, hiding from security guards as they are in the onsite attacks. Once the hackers are inside a network, predominantly through malicious executable sent through phishing emails to bank employees, they can move laterally through the network to take over all the ATMs.
It should also be noted that these attacks aren't theoretical as cybercriminals have been taking control of ATMs through malware sent remotely. One prominent case was the attack on the First Commerce Bank in Taiwan where over US $2.4 million was stolen from 22 branches in 2016. The hackers never required to have physical access to the machines.
The report added that "some malware families even have self-deleting capabilities, effectively dissolving most traces of the criminal activity."
- More details in Cashing in on ATM Malware