August 15, 2018 By Charles Henderson 2 min read

A new ATM fraud scheme has surfaced, and it’s more sophisticated than any other ATM attack we’ve seen.

First reported by Krebs on Security, the fraud scheme, known as an “ATM cash-out,” goes well beyond the typical threat of attackers planting physical skimmers on ATM machines. The criminals have upped their game, compromising ATMs and their surrounding infrastructure virtually — and they are reaping an exponential increase in revenue.

Why This Is Not Your Typical ATM Attack

Until now, criminals have mainly compromised ATMs using physical methods. They might plant skimmers on the front of machines to capture payment card data as customers insert their cards, for example, or install a piece of hardware that manipulates the ATM to spit out money (aka jackpotting). This newly discovered attack is mainly virtual. It is also twofold: Criminals compromise both the front and back ends of the ATM infrastructure.

On the front end, criminals are compromising financial organizations’ people, processes and technologies to collect customer payment card data in bulk and create fraudulent cards. They use various methods, such as socially engineering an employee who manages the ATM network or exploiting an infrastructure vulnerability to plant malware. However they get in, they are using high-efficiency card collection techniques and gathering thousands of customers’ payment card information in one swoop.

On the back end, they’re manipulating components of the ATM network to change the maximum amount of money a customer can withdraw. With an endless amount of cash at their disposal, they could potentially drain a customer’s entire bank account.

The pairing of these attacks — coupled with the fact that they are virtual and much more efficient than previous ones — makes this scheme more dangerous than the typical ATM compromise.

How Can Organizations Protect Themselves Against ATM Fraud?

To protect themselves from this attack, organizations should monitor customer withdrawal limits. It’s not unusual for customers to change their withdrawal limits. However, if they see a few customers a day skyrocket to 500 customers a day changing their limits, that should raise a red flag.

Companies should also test their infrastructure vigorously and frequently. Security teams can stay one step ahead of fraudsters by conducting penetration tests against employees, searching for holes in organizational practices and implementing technology to uncover security vulnerabilities. By finding and fixing vulnerabilities within their ATMs and surrounding infrastructure quickly, organizations can minimize attackers’ opportunity to exploit them.

From 2017 to 2018, X-Force Red, IBM Security’s team of veteran hackers, saw a 300 percent increase in banks requesting ATM testing. The team is hired by financial organizations globally to hack into their applications, hardware, devices, personnel, ATMs and surrounding infrastructure using the same methods and tools criminals use. Once X-Force Red discovers these weaknesses, the team helps the organization to remediate them before criminals have a chance to compromise its systems.

When it comes specifically to ATM cash-out attacks, X-Force Red can test ATMs and their ecosystem, meaning the people, processes and technologies that connect to those ATMs. The team can also identify vulnerabilities that criminals would exploit in order to steal card data and manipulate the ATM’s network so that larger sums of money can be withdrawn. Finally, and most importantly, X-Force Red can help organizations remediate those vulnerabilities before criminals are able to exploit them.

Learn more about the newly announced X-Force Red ATM Testing Practice

Source: Krebs on Security

More from

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today