A Shift in the ATM Malware Landscape: From Physical to Network-based Attacks

A TrendLabs Research PaperCashing in on ATM MalwareA Comprehensive Look at Various Attack TypesTrend Micro Forward-Looking Threat Research (FTR) Teamand Europol’s European Cybercrime Centre (EC3) Written by:David Sancho and Numaan Huq of Trend MicroForward-Looking Threat Research (FTR) Team, and Massimiliano Michenzi of Europol’s European Cybercrime Centre (EC3)EUROPOL DISCLAIMER© European Union’s law enforcement agency, 2017. All rights reservedReproduction in any forms or by any means is allowed only with the prior permission of Europol.More information on Europol is available on the Internet:Website: www.europol.europa.euFacebook: www.facebook.com/EuropolTwitter: @EuropolYouTube: www.youtube/EUROPOLtubeTREND MICRO LEGAL DISCLAIMERThe information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition.ContentsFrom Physical Access to Network-based Attacks: How ATM Malware Has Evolved6ATM Infrastructure – How to Move Around an ATM8Network-based ATM Malware Attacks20Physical ATM MalwareAttacks14Other Noteworthy ATM Malware Attacks27The Perpetrators of ATM Malware Attacks30Conclusion36 3 | Cashing in on ATM Malware: A Comprehensive Look at Various Attack TypesForewordApril 2016 saw the first joint industry – law enforcement report by Trend Micro and Europol highlighting the emerging threat of ATM malware. That report gave a detailed analysis of the developing threat as well as the actions required to tackle this type of crime. The forecasts of that report have unfortunately proved to be accurate, with a significant growth in this crime phenomenon having been observed both in complexity and in geographical distribution. The 2017 updated report shows that the malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately. While industry and law enforcement cooperation has developed strongly, with a significant number of major arrests being made, the crime continues to thrive due to the major financial rewards available to the organized crime groups involved.This report assesses the developing nature of the threat. I hope that it serves as a blueprint for future industry and law enforcement cooperation.Steven WilsonHead of Europol’s European Cybercrime Centre (EC3) 4 | Cashing in on ATM Malware: A Comprehensive Look at Various Attack TypesATM malware attacks in various parts of the world continue to make headlines and cause significant costs to the financial industry. In the bigger scale of things, their persistence demonstrates the concerns that are attached to digital ATM security. We can gather that the use of ATM malware is becoming more commonplace, with cybercriminals constantly improving their attack methods in hopes of remaining undetected and unapprehended. This poses a growing problem to financial institutions and law enforcement agencies. However, togeth