From remote administration and jackpotting, to malware sold on the Darknet, attacks against ATMs have a long and storied history. And, much like other areas of cybercrime, attackers only refine and grow their skillset for infecting ATM systems from year-to-year. So what does the ATM landscape look like as of 2020? Let’s take a look.
The world of ATM/PoS malware
ATM attacks aren’t new, and that’s not surprising. After all, what is one of the primary motives driving cyber criminals? Money. And ATMs are cash hubs—one successful attack can net you hundreds of thousands of dollars. In the past, even high-profile threat actors have made ATMs their prime target.
However, attacking ATMs is a bit different from traditional financial-related threats, like phishing emails or spoofed websites. That’s because ATMs operate in a unique space in the tech world: they’re still connected to the corporate networks but at the same time must be accessible to anyone that passes by. The resulting technical differences means the attack methods differ from those used for traditional endpoints.
ATMs also share several common characteristics that make them particularly vulnerable to attacks:
- Traditional software that is part of the warranty offered by the vendors → If major changes occur that are not approved by the ATM vendor, including installing AV software, then sometimes this warranty is lost.
- Regular use of outdated operating systems and the apps its runs on
- Locations chosen in a way that provide access to as many customers as possible, including those in remote regions → These isolated locations often lack any reasonable physical security
Old software means unpatched vulnerabilities—ones criminals can exploit—and isolated areas makes it easier for criminals to gain physical access to the internal ports of the motherboard. This is especially typical for the old ATM machines located in many regions with low resources and no budgets for ATM upgrades. When combined, ATMs become not only a highly profitable target—but an easy one.
From 2017 to 2019, there has been a marked increase in ATM attacks, due to a few families being particularly active. These target systems around the globe, regardless of the vendor, and have one of two goals: either stealing customers’ information or funneling funds directly from the bank.
Considering all of the above, we decided to delve further into what has been happening in the world of ATM/PoS malware for the last few years.
ATM/oOS malware attacks: by the numbers
To gain a closer look at ATM malware worldwide, we utilized the statistics processed by Kaspersky Security Network (KSN) over the course of the past three years globally.
Number of unique devices that encountered ATM/PoS malware, 2017-2019 (download)
The results showed that the number of unique devices protected by Kaspersky that encountered ATM/PoS (point-of-sale) malware at least once experienced a two-digit growth in 2018—and this number held steady, even increasing slightly, in 2019.
Geography of unique devices that encountered ATM/PoS malware, 2017 (download)
TOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2017