Positive Technologies researchers performed an extensive analysis of ATMs and how they can be attacked. ATMs from several vendors were tested, such as NCR, Diebold Nixdorf, and GRGBanking. The researchers tested a number of typical attacks and exploits that cybercriminals use in their attempts to harvest money from ATMs or to copy the information from bank cards, an attack known as skimming. The focus of the report is ATM malware.
ATM malware families, such as GreenDispenser, Alice, Ripper, Radpin, and Ploutus are relatively new to the market and are available for sale on dark web forums. With prices starting at $1,500, such malware is somewhat expensive but offers enormous profits. Attackers can recoup their initial costs with even one successful theft, the report notes.
The developers of ATM malware are also adapting their pieces to the ever-growing variety of ATM models, making their work even more efficient, and in many cases are giving complete instructions on how to use the particular malware. CutletMaker malware, for example, was sold openly together with detailed instructions for a price of $5,000.
As noted in the report, the most crucial thing that should be carefully examined in ATM malware is not its inner workings, but the installation method, because this is how a protection method can be outlined.
Vulnerabilities in ATMs
There are four basic categories of vulnerabilities that security researchers have encountered in their work:
- Insufficient network security, where a criminal with access to the ATM network can target available network services, intercept and spoof traffic, and attack network equipment;
- Insufficient peripheral security, usually caused by a lack of authentication between peripherals and the ATM OS, enabling cybercriminals to infect the ATM with malware and eventually steal cash or intercept card data;
- Improper configuration of systems or devices, caused by a lack of hard drive encryption, authentication errors, poor protection against exiting kiosk mode, and the ability to connect arbitrary devices;
- Vulnerabilities or improper configuration of Application Control, where flaws lurk in the Application Control code itself or result from improper configuration.
ATM Malware Attack Research Statistics
According to the researchers, 85 percent of the tested ATM devices can allow cybercriminals to access the network by unplugging and tapping into Ethernet cables, or by spoofing wireless connections. 27 percent of the tested machines were prone to spoofing, and 58 percent had security flaws in their network components that allowed for remote control.
23 percent of the machines can be successfully exploited by targeting other network devices connected to the ATM in question. Such devices can be GDM models or routers. As explained in the report, consequences of these attacks include disabling security mechanisms and controlling the output of banknotes from the dispenser. What is most concerning is that a network-based attack can be executed in less than 15 minutes.
For full technical disclosure, refer to the full report.