Jackpotting Attacks Use Ploutus.D Malware Variant to Target U.S. ATMs

ATM-based malware has been on the rise. The United States Secret Service issued a warning to financial institutions last Friday, saying it had credible information that planned attacks are targeting U.S. cash machines with malware that drains them of cash. The warning came a day after ATM manufacturer Diebold Nixdorf alerted its customers that ATM jackpotting attacks were moving from Mexico to the U.S.

The attacks are already under way: ATM maker NCR Corp has confirmed that they have reached the U.S.

Although the attacks do not specifically target NCR ATMs, NCR describes jackpotting as an industry-wide issue, and the attacks are already causing losses.

The Secret Service gave no further details about the nature of the attacks. Brian Krebs, who runs KrebsOnSecurity, reports that according to his sources the agency attributes the recent attacks to the jackpotting malware Ploutus.D.

Over the last 10 days the attacks have targeted Diebold Opteva 500 and 700 series ATMs using Ploutus.D, and further attacks are believed to be planned across the U.S.

Stand-alone ATMs are the primary target, according to the Secret Service: machines located in pharmacies and big box retailers, and drive-thru ATMs. The criminals range from individuals to large organized groups, including local and foreign organized crime syndicates.

The U.S. Electronic Crimes Task Force is credited with identifying the threat. Financial institutions and law enforcement have been notified.

ATM jackpotting is not new, but nothing like this had previously been reported in the U.S. Earlier attacks were reported in Japan, Thailand, Mexico and Europe, with malware such as Ploutus, Prilex, GreenDispenser and Ice5 behind those breaches.

Few people realize that the Ploutus malware has been around since 2013. It requires physical access to the machine: the attacker injects the malware from a USB drive or CD, then needs the ATM's ID to activate the malware on that specific machine before it will dispense cash.

According to Krebs's source, the attackers use medical equipment such as endoscopes to see inside the ATM, locate and tap the communication port that serves the cash dispenser, synchronize with the ATM's computer and start the infection.

Once that is done, an accomplice remotely controls the ATM and forces it to dispense cash; the malware can make the machine pay out thousands of dollars in just a few minutes.

FireEye researchers state that Ploutus-D typically targets Diebold ATMs because they run the multi-vendor Kalignite platform; the samples FireEye obtained identified Diebold as the target. With minimal code changes, however, the malware could run on ATMs from 40 different vendors that use the same Kalignite platform, which is deployed in roughly 80 countries.

Because the attack requires close physical contact with the machine before it can succeed, there is a high probability of the attackers being caught. ATMs still running Windows XP are even more exposed, since the unsupported operating system remains vulnerable to attack.
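The points above (delivery from USB or CD, physical access to the machine, and a rapid run of cash dispenses once the malware is active) translate directly into host-side detections. The following Python sketch is an added example, not code from the original article, from Krebs, FireEye or any ATM vendor: it flags removable media attached to an ATM, a process launched from that media, and a burst of dispenses with no card session behind them. The log line format, host names, event names, values and thresholds are all constructed for the example; a real estate would feed Windows event logs and the vendor's transaction journal in their own formats.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample telemetry. The line format, host names, event names and
# values are hypothetical and exist only for this example.
SAMPLE_LOGS = r"""
2018-01-27T02:11:05 atm-0413 USB_ATTACH vid=0781 pid=5583 drive=E:
2018-01-27T02:11:40 atm-0413 PROCESS_START image=E:\update\setup.exe parent=explorer.exe
2018-01-27T02:13:02 atm-0413 DISPENSE amount=2000 session=none
2018-01-27T02:13:20 atm-0413 DISPENSE amount=2000 session=none
2018-01-27T02:13:41 atm-0413 DISPENSE amount=2000 session=none
2018-01-27T02:14:00 atm-0413 DISPENSE amount=2000 session=none
2018-01-27T09:30:12 atm-0099 CARD_READ session=s1
2018-01-27T09:30:25 atm-0099 DISPENSE amount=200 session=s1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Thresholds for the cardless dispense burst rule (chosen for the example).
BURST_WINDOW = timedelta(minutes=2)
BURST_COUNT = 3        # dispenses with no card session inside the window
BURST_AMOUNT = 5000    # total dollars dispensed inside the window


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    rec = {"ts": ts, "host": m.group("host"), "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def analyze(log_text):
    """Return the alerts raised over the given log text, in log order."""
    alerts = []
    attached = {}    # host -> drive letters that arrived on removable media
    dispenses = {}   # host -> deque of (ts, amount) for dispenses with no card session

    def alert(rule, rec, **extra):
        alerts.append({"rule": rule, "host": rec["host"], "ts": rec["ts"].isoformat(), **extra})

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, ev = rec["host"], rec["event"]

        if ev == "USB_ATTACH":
            # An unattended ATM has no business accepting removable media at all.
            drive = rec.get("drive", "").upper()
            attached.setdefault(host, set()).add(drive)
            alert("removable_media_attached", rec, drive=drive)

        elif ev == "PROCESS_START":
            # Execution from a drive that arrived over USB is the injection step itself.
            drive = rec.get("image", "")[:2].upper()
            if drive in attached.get(host, ()):
                alert("exec_from_removable_media", rec, image=rec["image"])

        elif ev == "DISPENSE" and rec.get("session") == "none":
            # Cash leaving the machine with no card session behind it.
            q = dispenses.setdefault(host, deque())
            q.append((rec["ts"], int(rec.get("amount", 0))))
            while q and rec["ts"] - q[0][0] > BURST_WINDOW:
                q.popleft()
            total = sum(amount for _, amount in q)
            if len(q) >= BURST_COUNT and total >= BURST_AMOUNT:
                alert("cardless_dispense_burst", rec, count=len(q), total=total)
                q.clear()   # one alert per burst, not one per additional dispense

    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(a)
```

On the constructed input the three rules fire once each for atm-0413 and stay silent for the legitimate card transaction on atm-0099. The first two rules need no tuning, because removable media on a deployed ATM is anomalous by itself; the burst thresholds are the only values an operator would calibrate against their own machines' normal dispense rates.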

In Thailand, ATM robberies were reported using the RIPPER malware, which relies on a specially crafted EMV chip-enabled ATM card for authentication: RIPPER checks that the card is present in the machine before it acts. That incident cost more than $378,000.

These attacks are gaining momentum, which is alarming given how much everyday life depends on ATMs as a convenient way to get cash.

With this trend continuing, is it safer to go back to over-the-counter transactions at the bank?
