BreachExchange mailing list archives

ATM Malware Attacks Spreading


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 15 Oct 2014 18:26:02 -0600

http://www.databreachtoday.com/atm-malware-attacks-spreading-a-7437

Just a week after the international police organization Interpol issued an
alert warning that criminals may soon use malware against ATMs around the
world, a new report from the European ATM Security Team says at least 20 ATM
malware incidents have been reported by a single unnamed ATM deployer based
in Western Europe.

This latest development comes after a report earlier this month about
so-called jackpotting attacks that had infected at least 50 ATMs in Eastern
Europe, including Russia (see Malware Attacks Drain Russian ATMs). The
jackpotting malware enabled criminals to drain these ATMs within minutes,
netting attackers millions of dollars (see ATM Malware Attacks Rise in
Europe).

As ATM malware continues to spread globally, security experts advise
banking institutions and other ATM deployers to enhance the physical
security of their ATMs; update operating systems; and work with equipment
manufacturers to address software vulnerabilities.

ATM Malware

In its just-released ATM Crime Report for the first half of 2014, EAST
warns ATM malware attacks are spreading. EAST is an international ATM
network that drives cross-border cooperation and information sharing to
thwart ATM crimes.

Although the report notes 20 ATMs in Western Europe were recently infected
by malware, EAST does not name the make or model of ATM that was
compromised; it says the attack targeted a specific type of off-premises
terminal.

ATM malware attacks have migrated within Europe in just the last nine
months. Until recently, these malware attacks had been seen primarily in
Russia, Ukraine and parts of Latin America.

EAST Executive Director Lachlan Gunn says the trend is troublesome.

"While [the latest incident] was one group of criminals attacking a single
ATM type in a specific type of location, this is a worrying new development
for the industry in Europe," Gunn says. "Through the EAST Expert Group on
ATM Fraud, we have been working with the ATM vendors, and vendors of
logical security systems and services, to communicate the steps that should
be taken by ATM deployers and networks to mitigate these risks across all
ATM types and locations."

ATM Fraud Trends

Because anti-skimming technology and payment card enhancements, such as
EMV, have made skimming attacks less profitable, fraudsters are focusing
more attention on ATM malware and card-trapping, EAST reports (see ATM
Malware: Hackers' New Focus).

Among the 21 European countries included in the report, ATM-related fraud
attacks have dropped 42 percent in the last year, according to EAST. But
for the first time, card trapping incidents accounted for the majority of
incidents reported.

EAST warns of two types of ATM malware attacks that have been identified in
the wild - both with the ability to compromise any Windows-based ATM.

"As a significant number of Europe's ATMs continue to use the Windows XP
operating system, there are concerns that many remain vulnerable to ATM
malware if the necessary preventive measures are not taken," EAST reports.
"The main ATM vendors clearly highlight what these necessary preventive
measures are."

One type of malware attack, known as jackpotting, hit the 20 ATMs in
Western Europe. This malware takes control of the ATM's cash-dispensing
function. After the virus has been installed, the ATM is rebooted and then
automatically spits out cash.

The other type of malware attack affects an ATM's PIN pad, allowing
criminals to intercept card and PIN data. This type of attack allows the
hackers to create counterfeit magnetic-stripe cards.

Graham Mott, director of the LINK Scheme, the United Kingdom's ATM network,
points out that mag-stripe cards can still be used for fraudulent online
purchases worldwide or in markets, such as the U.S. and parts of Asia,
where mag-stripe cards are still the norm.

Physical Security

But Mott says the main issue leading to the spread of malware is poor
physical ATM security.

Hackers are targeting ATMs with enclosures that are easy to access, either
with a universal key or a default passcode. Once attackers are able to open
the enclosure, they install malware, usually by inserting a USB or CD that
has the malicious code saved to it, Mott says.

Mott and Gunn urge ATM deployers to take steps to make it difficult for
attackers to open the enclosures that house these machines.

But Gunn also notes that ATMs should be programmed not to reboot from any
external media, such as a CD or USB. This would prevent the malware from
running, even if it was installed, he says.

Still, ATM manufacturers, such as NCR Corp., are encouraging banks and
others to ensure they are addressing operating system weaknesses,
especially those related to Windows XP, which is no longer supported by
Microsoft.

"Microsoft will no longer issue security updates for Windows XP
Professional; this means that customers may lose their PCI-Data Security
Standard (PCI-DSS) compliance," says Owen Wild, a security and compliance
executive at NCR in a blog. "Basically, XP's security vulnerabilities will
not be resolved or closed."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
