Threat Actors Demonstrate Persistent Interest in ATM Malware
By Amina Bashir
As giant boxes of cash, it’s understandable that ATMs are magnets for nefarious activity. Like many other forms of financially motivated crime, malicious activity against ATMs is supported by an underground ecosystem of illicit offerings and resources, as evidenced across Flashpoint’s datasets.
For example, information sourced across illicit online communities, encrypted chat services, and paste sites shows threat-actor mentions of ATMs on a par with mentions of distributed denial-of-service (DDoS) tools and attacks, far exceeding mentions of Remote Access Trojans, crypters, botnets, and ransomware. The interest in ATM malware and attacks is persistent and should be on the radar of financial institutions and ATM manufacturers alike.
Here’s a look at some known threats to ATMs:
Skimmers and Shimmers—Skimmers and shimmers are small, physical devices which are inserted into ATMs to steal payment card data. They are a popular commodity among fraudsters, but some criminals favor a more straightforward form of theft: directly stealing cash from the machine.
ATM Jackpotting—Jackpotting is the manipulation of an ATM so it ejects the cash within. It is often carried out with the help of specialized malware sold on illicit online marketplaces. During the past several years, malware-enabled ATM jackpotting attacks have been reported worldwide, from Europe and the U.S., to Latin America and Southeast Asia.
ATM Malware—ATM malware continues to be popular among threat actors operating across various platforms. Analysts have observed that ATM malware appears to be sold by only a few threat actors, some of whom may be associates. This is in contrast to other types of malware, which are sold by a wide range of vendors.
Inside the ATM Malware Market
WinPot, Cutlet Maker, and Yoda are among the most mentioned ATM malware variants. Due to similarities in posts, it is possible that some of these malware families are being created or sold by associated—if not the same—threat actors. Moreover, Flashpoint analysts have noted that many threat actors who advertise ATM malware also peddle other offerings on the cybercrime underground, including carding services and access to compromised bank accounts.
Uniquely among cyber threats, ATM malware attacks inherently require a physical presence at the targeted site. In fact, since most common and popular ATM malware variants are installed via USB, where attackers must physically open the machine’s exterior panel and connect an external device—attacking an ATM is hardly an inconspicuous endeavor.
And while some forms of ATM malware, such as ATMitch, can be administered without physical access to the machine by leveraging a known exploit against a financial institution’s servers, such an attack still requires the threat actor or a money mule to physically retrieve the stolen cash from the machine. As such, jackpotting crews are known to select their targeted sites carefully; ATMs stationed not at banks, but rather at small businesses, shopping centers, gas stations, and other retail locations are the most desirable targets for jackpotting crews.
So, in addition to keeping ATMs updated with the latest security software and patches, one of the best ways for operators to avoid being targeted in a malware attack is to noticeably bolster actual and perceived physical security at ATM sites. For example, an outdoor ATM set back from the sidewalk in a poorly-lit area could be a natural target for jackpotting, but the addition of motion-activated floodlights and conspicuous security cameras monitoring the premises from several angles to avoid blindspots could immediately deter threat actors.
In addition to enhancing visibility and surveillance, changing the lock on an ATM’s exterior panel is another simple way to thwart threat actors sniffing out vulnerable ATMs that use a generic, mass-produced key provided by the manufacturer.
Despite being controlled by a relatively small number of threat actors, Flashpoint analysts believe the underground market for ATM malware will continue to flourish, serving a global customer base of threat actors and posing a threat to financial institutions and ATM manufacturers worldwide.
Flashpoint analysts have observed wide variance in the price of ATM malware within illicit marketplaces, from as low as $25 USD up to $5,000 USD depending on the malware being offered, in addition to other factors, such the vendor’s reputation and level of customer support, customization, and bundled services.
For insight into the broader market for malware and other illicit offerings, download our Pricing Analysis of Goods in Cybercrime Communities report.
Associate Product Manager
As a former hunt team analyst, and now associate product manager, Amina Bashir has become a vital asset to Flashpoint since joining in 2017, managing collections across the analyst and engineering teams, analyzing malware, investigating threats, and supporting incident response efforts.
Bashir joined Flashpoint in 2017 after graduating from Hunter College, where she earned a Bachelor of Arts degree in computer science, served as an adjunct lecturer, and published research and delivered presentations on the topic of spectrum-aware IoT communications.
Bashir was recognized by SC Media as a Rising Star in the 2019 Reboot Leadership Awards.