Threat report: ATM/PoS malware attacks spike between 2017-2019

Cash dispensing terminals have become increasingly ripe targets for cybercriminals, with cybersec firm Kaspersky reporting a 250 per cent jump in malware-based attacks targeting Automatic Teller Machine (ATM) and Point of Sale (POS) terminals between 2017 and 2019.
 

2018, in particular, saw a massive spike in attacks targeting cash-dispensing systems – from 3,265 attacks in 2017 to 7,938 in 2018, globally – with criminal networks taking advantage of a range of newly developed malware families specifically built to exploit ATMs and PoS systems, including ATMJackpot (frequently used by criminals across Asia and, in particular, Hong Kong), WinPot (detected across Europe), Ice5, Peralta, ATMWizX, and ATMDtruck.

While the survey reveals only attacks levelled at Kaspersky-protected terminals, it nonetheless offers a reliable indication of the overall increase in threats targeting ATM/PoS machines.

Customer data is often a casualty, and sometimes the target, of these attacks, Kaspersky noted. However, quick cash appears to be the chief MO for most hackers, with “jackpotting” – or the illegal extraction of cash by exploiting software or hardware vulnerabilities in the machines – accounting for the vast majority of ATM break-ins.

Early 2019 also saw a continuing upward trend in ATM/PoS malware activity, with Kaspersky identifying a “string of operations” by hackers, including ATMqot, ATMqotX, and ATMJaDi.

The ATMgot family is particularly noxious, possessing “anti-forensic techniques” that allow it to delete traces of infection from targeted ATMs as well as video files that monitor activity around the machine.

One notable malware threat doing the rounds, WinPot, which effectively transforms ATM interfaces into a literal poker machine-style game, has been particularly active this year, Kaspersky noted.

The 'brute force' malware, typically executed through physical manipulation (requiring hackers to drill through ATMs to access their serial port in order to ‘plug in’ the malware), forces ATMs to empty their cassettes of all funds.

However, sophisticated network-based exploits, including the ATMTest malware, have also grown in popularity. These multi-stage attacks often require hackers to first capture employees’ credentials, gain remote access to banks' networks, and then deploy malware on ATM or PoS systems. While such attacks can often yield enormous returns, their complexity limits their use.

Kaspersky warned that banks’ reliance on outdated or unpatched systems is exacerbating existing vulnerabilities in ATMs, laying the ground for black hat developers to repurpose and launch malware.

“That means that, even as new 2019 malware families were developed, the old ATM families from the previous years can still be used to launch successful attacks.”

Unpatched vulnerabilities, as well as the physical placement of ATMs in isolated areas, have made it even easier for criminals to gain physical access to the internal ports of the motherboard, the cybersec company noted.

“This is especially typical for the old ATM machines located in many regions with low resources and no budgets for ATM upgrades. When combined, ATMs become not only a highly profitable target – but an easy one.”

For a 2018 report, Positive Technologies, a security vulnerability assessment firm, set a team of white hat hackers to penetrate ATMs using hackers’ toolkits – they did so within 20 minutes.

Of the ATMs tested, 85 per cent allowed attackers to access the network through physical ‘brute force’ methods: either by unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connected.

A further 27 per cent of tested ATMs had vulnerabilities exposed in their processing centre communications, while 58 per cent of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely.

Furthermore, 23 per cent of the tested ATMs could be attacked and exploited by targeting other network devices connected to the ATM, for example through GSM modems or routers.


Frontlines of attack

Russia, Brazil, the United States, Iran, Italy and Vietnam remain prime targets for ATM or PoS malware attacks, together representing more than two-thirds of the world's total compromise attacks targeting cash dispensing machines.

Australia, while far removed from the world’s major ATM/PoS attack centres, was not immune to the malware threat. The country recorded a more than four-fold jump in ATM or PoS attacks between 2017 and 2018 on machines bearing Kaspersky software (rising from 13 to 59 separate attacks). However, this figure fell back to 18 attacks last year.

Australian institutions should, however, be wary of their extended ATM networks across Asia, which are likely to be within easy access of local, cyber-savvy criminal networks.

Since a late 2016 peak of 32,879 machines, the number of ATMs based in Australia has dropped markedly, falling to 27,958 last December, the lowest recorded since 2010, according to AusPayNet figures. As Australians turn increasingly to contactless payments, these numbers are expected to keep declining.

PoS machines may, however, become the next focus point for hackers, with a veritable bounty of 926,436 eftpos terminals currently operating in Australia, according to the latest AusPayNet figures, a significant jump on the 707,303 reported in 2010 – though this remains slightly down on the June 2019 peak of 981,244 terminals.

Kaspersky’s SecureList ATM/PoS threat report can be accessed here.