A Windows PC with a money box attached: Why hacking ATMs is big business for criminals

Use of outdated operating systems like Windows XP and lack of security means it's still possible to crack ATM security, warn researchers.
Written by Danny Palmer, Senior Writer

Researchers have warned that ATMs are easy targets for cybercriminals to infect with malware.

With millions of cash dispensers across the globe and total withdrawals amounting to almost $10bn a year, ATMs already make an attractive target for thieves. But now a report by Europol and security researchers at Trend Micro has warned that criminals are turning to malware as a way to steal money from ATMs.

The problem will only get worse: there was a 15 percent jump in ATM-related fraud attacks from 2014 to 2015, during which time cybercriminals made off with over $150m.

"The statistics only indicate the very beginning of malware usage for ATM fraud, but it definitely is a trend that is here to stay," said a Trend Micro blog post by threat researchers David Sancho and Numaan Huq.

Running old software is one reason why ATMs are targets of attack.

"One major factor is the use of an outdated operating system such as Windows XP that cannot receive security patches anymore," the researchers said.

Researchers also suggest that the decision by many ATM vendors to employ middleware that provides APIs to peripheral devices such as the PIN pad and the cash dispenser is something criminals can easily take advantage of.

"If we think of a modern ATM as a MS Windows PC with a money box attached to it that's controlled through software, it is easy to see how it becomes an attractive target for any malware writer," Sancho and Huq said.

Collaborative research carried out by Trend Micro and Europol's European Cybercrime Center (EC3) found that there were two main families of malware infecting ATMs -- one which provides criminals with the card details of users and another which can be employed to dispense cash.

Worryingly, criminals don't have to employ any sort of sophisticated hacking technique in order to install malware; rather, they're installing it onto machines directly via USB or the CD drive. The majority of targets -- so far -- are in Eastern Europe and South America, where banks' security measures aren't as tight as in other areas of the globe.

While cash-machine-targeting malware hasn't yet been spotted on underground cybercriminal forums, the authorities argue that the potential damage it could cause means ATM malware must be dealt with seriously.

"Logical attacks on ATMs are now recognized as a developing threat by the industry and law enforcement, and EC3 has already assisted a number of national police forces in successful investigations of this emerging crime threat," said Steven Wilson, Head of EC3.

"This report lists a number of key recommendations to address this growing crime trend both in preventive and investigative areas, and can serve as a valuable reference document to coordinate activities to tackle organized crime's expansion into this area of criminality."

The report, titled ATM Malware on the Rise, has been released to what has been described as a closed audience consisting of law enforcement authorities, financial institutions, and the IT security industry.
