Cyber attacks against ATMs aren’t new, but until now they’ve mostly required the attackers to have physical access to the target machine in order to compromise it.
However, a joint report by Europol and Trend Micro warns that hackers are increasingly targeting banks’ corporate networks in an effort to move across to ATMs and infect them with malware.
The fact that the machines are basically moneyboxes attached to a Windows PC makes them an appealing target for attackers, but the icing on the cake for criminals is that large swathes of ATMs are running on obsolete or unsupported operating systems.
“A majority of ATMs installed worldwide still run either Windows XP or Windows XP Embedded. Some of the older ATMs run Windows NT, Windows CE, or Windows 2000. Microsoft,” said the report.
Indeed, the Cashing in on ATM Malware report says that means there are hundreds of thousands of cash machines which no longer receive support.
The WannaCry ransomware outbreak demonstrated how vulnerable unsupported and unpatched systems can be to cyber attacks, meaning that with the correct technical expertise, a criminal operation could exploit the vulnerabilities in an ATM to make off with a fortune via a network-based attack – or even shut down machines.
“Should a worm like WannaCry or NotPetya ever manage to breach these networks, then the effect could be devastating, knocking out the whole network,” Simon Edwards, cyber security solution architect at Trend Micro, told ZDNet.
It isn’t theoretical; hackers have already demonstrated on a number of occasions how they can remotely attack ATMs without physical access to the device. Like many other forms of cyber attack, the infiltration begins with phishing emails sent to bank employees. If one of these is successful, the hackers can work their way through the network.
One example is ATMitch, which saw hackers remotely infect banks – one in Kazakhstan and one in Russia – with malware. The infection let the attackers issue remote commands to the machine, making it distribute money to people working alongside the hackers.
Another incident saw hackers able to access 41 ATMs in Taiwan, stealing a total of $2.5 million from 22 branches of First Commercial Bank without using cash cards or even touching the PIN pads. Some of the perpetrators were eventually tracked down and sentenced for their involvement, but not all of the funds were recovered.
Trend Micro and Europol have called the rapid developments in network-based ATM malware attacks “unnerving” because “the criminals have realized that not only can ATMs be physically attacked, but it is also very possible for these machines to be accessed through the network”.
While this type of attack has mostly only been seen in regions such as South America and Asia, the report warns that it won’t be long before North America and Europe see this type of attack, as “we believe this to be a new tendency that is probably going to consolidate in 2017 and beyond”.
As a result, the report warns, law enforcement agencies must be aware that cyber criminal groups are looking to target ATMs in this way and financial organisations must take more steps to secure their ATM installations by installing more security layers, such as keeping the machines on a separate part of the network.