[David Strom's Web Informant] The history of ATM-based malware

David Strom david at strom.com
Tue Nov 14 12:03:50 EST 2017


Web Informant, November 14, 2017: The history of ATM-based malware

I haven’t used a bank ATM for years, thanks to the fact that I usually
don’t carry cash (and when I need it, my lovely wife normally has some
handy). I still remember one time when I was in Canada and stuck my card in
one of the cash machines, and was amazed that Canadian money was dispensed.
I was amazed at how the machine “knew” what I needed, until I realized that
it was only loaded with that currency.

Well, duh. Many of you might not realize that underneath that banking
apparatus is a computer with the normal assortment of peripherals and
devices that can be found on your desktop. The criminals certainly have
figured this out, and have gotten better at targeting ATMs with all sorts
of techniques.

As recently as three years ago, most ATM attacks were on the physical
equipment itself: either by placing skimming devices over the card reading
slot to capture your debit card data or by forcing entry into the innards
of the ATM and planting special devices inside the box. Those days are just
a fond memory now, as the bad guys have gotten better at defeating various
security mechanisms.

For many years, almost all of the world’s ATMs ran on Windows XP. Banks
have been upgrading, but there are still a lot of XP machines out there and
you can bet that the criminals know exactly which ones are where.

But there is a lot happening in new ATM exploits, and my post for IBM’s
Security Intelligence blog on the history of ATM malware hacking
<https://securityintelligence.com/how-are-atms-exploited-an-update-on-atm-malware-methods/>
talks about these developments. In fact, ATM malware is now just as
sophisticated and sneaky as the kind that infects your average Windows PC,
and ATM malware authors are getting better at emptying the machines’ cash
drawers. For
example, malware authors are using various methods to hide their code,
making it harder to find by defensive software tools. Or they are taking a
page from the “fileless” malware playbook
<https://www.iboss.com/resources/blog/what-fileless-malware-and-why-should-you-care>,
whereby the malware uses legit OS code so it looks benign.

There is also a rise in network-based attacks that exploit lax banking
network topologies (segmentation seems to be a new technology for many
of them), or rely on insiders who either were willing or had compromised
accounts. Some of these network-based attacks are quite clever: a hacker
can command a specific ATM unit to reboot and thereby gain control of the
machine and have it spit out cash to an accomplice who is waiting at the
particular machine.

Sadly, there are no signs of this changing anytime soon and ATM malware has
certainly become mainstream.

Comments always welcome here: http://blog.strom.com/wp/?p=6251