ATM hacks in 'more than a dozen' European countries in 2016: Group IB

Cyber attackers are increasingly targeting electronic payment methods and ATMs in 'jackpotting' attacks, according to the cybersecurity firm.
Written by Jonathan Chadwick

Cybercriminals have hacked ATMs in more than a dozen countries in Europe this year using software that forces the machines to spit out cash, according to Russian cybersecurity firm Group IB.

This type of attack, known as "jackpotting", is part of hackers' shifting focus from stealing card numbers and online banking details towards a more lucrative method that gives them access to both ATMs and electronic payments.

The firm said attacks had successfully compromised banks in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, Poland, Romania, Russia, Spain, and the United Kingdom, as well as in Malaysia. However, the firm declined to disclose the banks' names.

ATM makers Diebold Nixdorf and NCR Corp said that they are aware of the attacks, and have been working with customers to mitigate the threat.

Dmitry Volkov, head of intelligence at Group IB, told Reuters that he expects more heists on ATMs in the future.

In January, a group of cyber attackers responsible for ATM malware attacks across Europe were arrested in Romania and Moldova on suspicion of stealing €200,000 ($218,000). The gang allegedly used the Russian-made Tyupkin Trojan malware.

In Asia, ATM hacks occurred in Taiwan in July, when T$70 million was reportedly stolen from ATMs belonging to three major Taiwanese banks. The following month, an attack on Thailand's banking network led to the theft of 12 million baht, prompting the Central Bank of Thailand to issue a warning to big commercial banks about security vulnerabilities in more than 10,000 ATMs.

Malware was the root cause of the cyber attack on Bangladesh's central bank in February that yielded more than $81 million, one of the biggest heists on record.

The cybercriminals responsible were able to steal the funds through a series of rapid and large transactions made to entities across Asia, weeks after an unidentified type of malware infected the bank's computer systems. The unidentified malware likely contained surveillance functions that allowed the criminals to track the process.

It was also revealed that a simple typo in the name of a fake non-profit organisation prevented the cybercriminals from accessing a further $20 million in funds.

An investigator later said that the attack was made possible by poor security measures, such as the lack of a firewall and inadequate switches used to connect computer systems to SWIFT.

Security firm BAE Systems published an analysis of the attack in May, suggesting that the malware used in the Bangladesh cyber attack was common to that used for the 2014 attack on Sony Pictures. BAE said the group is likely responsible for a decade-long operation.

"What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign. This led to the identification of a commercial bank in Vietnam that also appears to have been targeted in a similar fashion using tailored malware, but based off a common code-base," BAE Systems security researchers Sergei Shevchenko and Adrian Nish said in a blog post.

With AAP

