INTERPOL shares the latest malware attack findings
The Automated Teller Machine (ATM) has always been a popular target for criminals looking to quickly steal cash. More than likely, you have heard of criminals robbing people who have just made a cash withdrawal, but there are a range of other things criminals can do to manipulate the ATM itself. These attacks can range from subtle card skimming mechanisms to more brazen approaches such as removing the entire ATM using industrial equipment like a fork lift truck, exploding the ATM after filling it with gas, or even tunneling underground to penetrate the ATM from below.
Skimming ATMs with the intention of stealing customer information, which can then be used to make counterfeit payment cards is an old fraud tactic. Skimming usually involves the installation of illegal monitoring devices at various ATM interface points disguised as part of the machine, to record card data and steal PIN codes entered by cardholders. Once this data is cloned, it is then used to produce counterfeited cards. Later, the cards are used to withdraw cash or make online purchases.
The global adoption of EMV technology, has made it harder for criminals to skim card information. In recent years, criminals have evolved their tactics even further. INTERPOL has recently supported international investigations to counter the ever-evolving threat against ATMs.
The ATM is essentially just a general purpose computer with specialized programs to control access to cash and other customer banking activities. When you think of it this way, you realize that just like your laptop or home computer, it’s susceptible to malware or malicious software. In fact, in just the past two years, there’s been a dramatic rise in the use of malware attacks on ATMs.
In a recent investigation supported by INTERPOL, criminals were arrested after inserting a customized circuit board into the targeted ATMs through the card slot. Once inserted, the circuit board enabled malware to be deployed, compromising the ATM system. On the surface, the ATM functioned perfectly; however the malware quietly harvested card and PIN data from each and every user. The criminals later retrieved the stolen data and used it to produce counterfeit cards. In some ways, these attacks resemble skimming as they target consumer data in the same way as traditional ATM skimming.
A new method of ATM attack has now emerged where cybercriminals evolved malware to withdraw cash directly from ATMs without the need to compromise card data, as was done in the past. INTERPOL noticed cases in Latin American in recent years where criminals unlawfully accessed multiple ATMs and inserted a disk encoded with bespoke malware named “Ploutus.” Once the ATM was rebooted and a keyboard attached, the malware enabled criminals to dispense cash from the ATM on demand.
In 2014, banks in several countries in Europe, Asia, the Middle East and North America saw another malware identified as Tyupkin (or Padpin) attacking their ATMs. As with Ploutus, the sole purpose of Tyupkin is to dispense cash in larger amounts, effectively emptying the machines of hard currency stored inside. However, Tyupkin enables an attacker to use the ATM PIN pad to issue commands to the malware. Today, it also includes anti-virus disabling instructions and self-delete features.
While ingenious in carrying out the theft, ATM malware attacks like Ploutus and Tyupkin still have an obvious shortcoming for the criminals. They still need to physically gain access to the ATM computer. In all cases of Tyupkin, the perpetrators were captured on video surveillance breaking into the top box of the ATM or using a universal key. Once access was gained to the CD-ROM, a disc containing the malware was inserted; the malware was implanted by rebooting the ATM using the CD-ROM.
The ATM functioned normally after the infection and the malware remained in inactive mode. Usually in the middle of the night, criminals would return and activate the malware. After entering a secret code through the ATM PIN pad, the control panel of the malware would be displayed, enabling criminals to select which cash cassette to dispense. Before doing so, criminals still needed to obtain a session code from another accomplice by telephone — likely to be the operation mastermind — to unlock the function. Following an investigation into this incident, INTERPOL determined that communicating with the mastermind during the operation was done to exercise control over the very criminals deployed to perform the cashout.
Who is behind these attacks?
INTERPOL believes that the increase in ATM malware attacks is partially driven by traditional organised criminal groups adopting increasingly sophisticated cybercrime techniques. Criminals are honing their skills and relying on poor physical ATM security. The criminal groups involved in ATM attacks are highly organized and willingly travel to foreign jurisdictions to do their dirty work.
The attackers are not always the same individuals that are stealing money from ATMs. The criminal ring’s business model is also based on reselling stolen data which is available for sale on carding forums for the masses in the form of replicated cards and credit card verification or Credit Card Verification (CVC) code, used to verify that the customer has physical possession of the card.
Countering ATM malware
The overwhelming majority of ATMs in use have aged; they were designed and built when threats and risks were minimal. And any major changes to infrastructure will take time to implement, leaving the operators of ATMs vulnerable. To counter this clear threat, ATM manufacturers in coordination with INTERPOL, financial institutions, anti-virus companies and global law enforcement partners have commenced an awareness campaign to mitigate this risk.
The recommended preventative measures against malware for ATMs themselves include:
- Change all machine passwords
- Implement SSL (programming language) encryption
- Install a firewall
- Remove unused services and applications
- Upgrade to a more recent operating system and ensure regular patching for all software installed
- Lockdown machine privileges (lock down the BIOS of the ATM to prevent ability to reboot using USB or CD drive)
- Provide different users with appropriate access privileges
- Ensure all anti-virus software is up-to-date
- Change all machine locks and keys (do not use one set of the standard manufacturers’ lock and key for all ATMs)
- Utilise a machine alarm, which will alert when the ATM shell is tampered with
- Consumers continue to have a role in defending ATMs as they may be the first people to spot suspicious activity around an ATM. They should report any such activity to the local police.
The emergence of ATM malware gained much attention in 2014 and the financial losses were significant. One thing you can count on is that criminals will keep evolving their malware attacks throughout 2015. It will take a truly global, collaborative effort involving law enforcement, security companies, banks, ATM manufacturers and the public to effectively mitigate this threat and put those responsible for developing and carrying out these attacks behind bars.