[Image: ATM cash machine]

Network segregation is no longer enough to keep bank ATM networks safe from cyber-crooks, and while network attacks have not been reported in bigger regions such as the United States and Canada, this is now expected to start happening in 2017 and beyond.

Those are among the conclusions of a new 40-page report on the current state of ATM Malware, Cashing in on ATM Malware, a comprehensive look at various attack types, published today by Europol's European Cybercrime Centre (EC3) and Trend Micro. It details and explains a wide range of both physical and network-based malware attacks on ATMs, as well as explaining where the malware is created.

The report also suggests that the lack of ATM malware attacks in the United States and Canada is perhaps because cyber-criminals believe they are less likely to get caught by law enforcement agencies if they avoid attacking bigger countries. However, with cyber-criminals ranging from amateurs to highly skilled operators continuing to develop, sell, and use ATM malware in the underground, the authors now believe it is only a matter of time before we see attacks in those regions.

Consequently, law enforcement agencies are advised to be aware that criminals now have ATMs firmly in their crosshairs, and financial organisations need to take more steps to secure their ATM installations by deploying additional security layers.

“While industry and law enforcement cooperation has developed strongly, the crime continues to thrive due to the major financial rewards available to the organised crime groups involved. This report assesses the developing nature of the threat. I hope that it serves as a blueprint for future industry and law enforcement cooperation,” said Steven Wilson, Head of EC3.

The report explains recent attacks that used bank networks to steal both money and credit card data from ATMs, regardless of network segmentation, noting that these attacks put both personally identifiable information (PII) and large sums of money at risk, as well as putting the victim banks in violation of PCI compliance standards.

“Protecting against today's cyber-threats and meeting compliance standards require increased resources that are not always available for organisations, including those in the financial services industry,” said Max Cheng, chief information officer for Trend Micro. “Public-private collaborations strengthen the global, ongoing fight against cybercrime, and help fill the resource gap for organisations.”

In addition to the public report, a limited-release version is available to law enforcement authorities, financial institutions and the IT security industry. This private report provides greater detail for public and private organisations to harden ATM and network systems and prevent future attacks against financial institutions.

Network-based ATM attacks are reported to have taken off, with both malware payloads and manufacturers' test tools being used to jackpot the machines. The report says that all the network attacks appear to have come from Eastern Europe. The current criminal landscape affecting ATM installations worldwide looks very similar to that of Latin America, where gangs are still busy developing and using their own malware, with Ploutus being the most frequently updated family.

The Eastern European gangs have two different business models. One, practiced by the Padpin developers, seems to make money by reselling their malware to smaller gangs, which then organise smaller physical attacks in different countries with very short durations, often spanning only one weekend.

The second kind of Eastern European gang that has recently surfaced uses hackers to infiltrate the bank's network, locate and take over the ATM network, and target the machines - a very different business model from that of the Padpin gang.

The appearance of the Ripper gang on the malware scene bridges this gap very nicely, says the report, noting: “Ripper is the first ATM malware that uses the network as an infection vector. The fact that this newcomer does not use any authentication method suggests that the developers and the criminals are the same group of people. We believe this is the first of others to come,” the report authors warn.

It continues: “It is also worth mentioning that the criminals behind the Padpin malware are very active in trying to monetise their creation. These people are reselling in the underground both access to the malware and instructions on how to access the insides of ATMs to enable the infection. They seem to be doing this mostly via the Tor network in order to remain anonymous. In the same way, the authors of Ploutus — or somebody who claims to have the source code — are also reselling it. These criminals might not be the original developers, since they do not seem to provide full instructions and they leave it up to the buyer to figure out how the malware works. It might also be a fake claim and these people could be trying to swindle other would-be criminals,” concluding, “In any case, the fact remains that ATM malware is picking up notoriety in criminal circles.”