Threat Intelligence Blog

Posted June 19, 2018

US Banks are getting Skin in the Game

How many times have you used an Automated Teller Machine (ATM) in your life? Probably too many times to count, and for some people it’s on a daily basis. Although not usually at the forefront of cyber headlines, ATM hacking has been on the uptick over the past few years and is reportedly to be a $2 billion global problem.

ATM hacking targets both financial institutions and individuals, depending on the type of attack. Reported losses to financial institutions since 2014 are in the millions of dollars. And of course the cost of absorption of these losses has a trickle-down effect to all banking customers.

Typically observed in Europe and South/Central Americas, incidents are increasingly being reported in the US. According to the European ATM Crime Report, ATM logical and malware attacks rose 287% from 2015 to 2016. In January of this year, the US Secret Service alerted banks that ATM attacks were being seen in the US, with losses reported to be as high as $1,000,000 over a few incidents.  Similarly, two major ATM manufacturers, Diebold Nixdorf Inc. and NCR Corp warned customers of the outbreak of ATM attacks in the US.

ATM Jackpotting Attack

Snippet from USSS Press Release Regard ATM Hacking


The color of money – not all attack types are the same

There are two primary types of ATM attacks: physical and logical. In a physical attack, the threat actor must be present at the ATM, either before, during, and/or after the attack. It’s reported that physical attacks increased by 12% from 2015 to 2016, and the volume of these types of attacks is much higher than logical attacks.

Types of physical attacks include the following:

  • Skimmers: a device is connected over the card slot of an ATM, which “skims” card information from the customer card upon insertion. Skimmer devices are easily purchased, and possessing one is not necessarily illegal. In Virginia, for example, state code only specifies illegality for possession if malicious intent can be proven.
ATM Card Slot

Skimmer Device Available for Purchase

  • Theft: the ATM is literally hauled away to be broken into at a more convenient time and location. Just this week in Wichita, Kansas, thieves towed an ATM out of a bingo casino, loaded it into the back of a pickup truck and, drove off.
  • Destruction: admittedly a much less sophisticated method, in this scenario attackers destroy the ATM in an attempt to access the cash. Observed techniques have included explosives, torches, “jaws of life” cutters, hammers, and more.
Broken ATM

ATM Destructive Physical Attack, Ireland, 2014 (image courtesy of

Logical attacks, or malware-based attacks, don’t necessarily preclude physical access. Physical access may be required to inject the malware and/or to operate a keyboard to run commands. Alternatively, attacks can leverage phishing emails to gain access to administrative credentials. In the case of remote or network-based ATM attacks, the ATM is accessed by “mules” to withdraw the money, typically using a one-time-use PIN or some other control to prevent them from taking money for themselves.

Skimer was the first known ATM malware, and requires manual installation via CD-ROM.  Skimer specifically targets Diebold ATMs.  First observed in 2009, Skimer is still found in the wild, with samples in VirusTotal collected as recently as May 2018.

Ripper was the was the first ATM malware observed to target multiple ATM vendor machines and features use of an ATM card embedded with a malicious Europay, Mastercard, and Visa (EMV) chip that activates the malware. Ripper was notoriously used in a number of ATM attacks in Thailand in 2016.

Other ATM-specific malware requiring physical access for installation includes Ploutus, Padpin-Tyupkin, GreenDispenser, and Alice.

The LookingGlass Cyber research team recently did a deep-dive on a relative newcomer to the ATM hacking scene, Cutlet Maker malware. Cutlet Maker is installed and launched via USB connection.  This minimally invasive and relatively easy-to-accomplish technique is often referred to as ATM “jackpotting” or a “black box” attack.  A full report with details of our analysis is available to STRATISS customers.

Cutlet Maker

Screenshot of Cutlet Maker ATM Malware

ATMitch is a network-based ATM malware that uses Remote Desktop Connection (RDP) from inside a bank’s network to install and execute commands.  This network-based malware is typically distributed via a phishing email sent to a bank employee.

Prilex ATM malware targets bank customers by stealing their card information and PIN. It is different from other malware in that it involves a Command & Control (C2) server, to which the credential are sent.

Show me the money – how ATM malware is distributed

ATM malware is often distributed via DarkNet forums. LookingGlass Cyber researchers have found numerous examples of the sale of various types of ATM malware, as seen in the following images:

Alice Message

Alice ATM Malware Advertised on Forum


ATM Trojan Topic

Cutlet-Maker ATM Malware Advertised on WSM Forum

The odds are stacked against the financial world

Contributing to the growth of ATM malware usage is the plethora of ATMs running outdated or even obsolete operating systems. While precise figures are not widely available, a CNN report from 2014 indicated that 95% of all ATMs were running Windows XP. Updating and/or upgrading the operating system of an ATM can be an expensive and laborious process, since each machine often has to be physically visited to either update the software or completely replace the hardware. A banking advisory company noted that overhauling a fleet of ATMs with new hardware or software is expensive, and banks are less likely to get a boost from marketing new features unless they are among the first to do so. Updates done solely to enhance security, without any anticipated marketing benefit, is unlikely to be appealing to ATM providers due to the cost; according to an FAQ sheet from the ATM Industry Association (ATMIA), as of 2014 there were over 3 million ATMs deployed globally.

Also complicating the issue of protecting ATM devices is the amount of information about them that is available. From manufacturers that provide descriptive marketing videos and user manuals to after-market vendors selling parts and refurbished machines, there is much that hackers can learn about how the machines operate, further aiding their efforts to successfully breach ATMs.

Further compounding the problem, ATM machines use a common specification, the XFS Interface promulgated by the European Committee for Standardization.  This openly available document provides detailed specifications for how ATMs are operated.


Leveling the odds in your favor

An ATM hack can have lasting effects on an organization. Not only are you liable for loss of money, but the biggest impact will likely be to your brand and reputation. Doug Hevner, of SunTrust Bank, had the following to say about skimming attacks: “So, it’s out there, it’s continuous, and if you haven’t seen it you’re going to see it. And it’s just a question of how do you prepare for that.”

The best way to protect your organization is to educate your employees on what to look for when at an ATM that could become a security risk.

There are a few ways to recognize if an ATM is breached, specifically if it’s been compromised by a skimmer device. The first is by tugging on the ATM to ensure that there is not a malicious overlay installed. We also suggest using ATMs that are located at banks, versus those that can be found in convenience stores, hotels, and other non-financial institutions. Increased surveillance and physical security methods at ATMs may also reduce the risk of attacks. Threat actors are less likely to target a well-lit, heavily-monitored ATM.

As we see ATM attacks increase in the US, financial institutions may find that the exposure to loss outweighs the cost of upgrades and it might be time to replace outdated software and hardware. Another option is looking into technology with the ability to mask vulnerabilities, allowing you time to upgrade outdated systems without compromising security.

The LookingGlass Cyber research team believes that ATM malware attacks will continue to grow in prevalence and popularity and that new malware will be developed. The lure of easy money is always strong. Until the banking industry takes serious steps to improve the security of ATMs, the problem will continue to increase. Outdated software and physically accessible hardware are primary contributors that organizations need to address if they want to avoid the monetary and reputation impacts of this attack vector.

So what do you do if one of your employee’s cards are breached by ATM malware?  Using our monitoring and look-up services you can proactively combat any potential fraud, ensuring the security of your organization and your employees.

Interested in more research like this? Learn more about our STRATISS digital library, where you can learn about cyber trends in your industry, specific threat actors, cyber attack vectors, and more.


Additional Posts

Weekly Threat Intelligence Brief: June 20, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest ...

Challenging the Economics of Cybersecurity with Cyber Threat Intelligence-Sharing Programs: Part 2

In the first part of this series, I defined cyber threat intelligence sharing and how it can ...