August 15, 2018 By Charles Henderson 2 min read


A new ATM fraud scheme has surfaced, and it’s more sophisticated than any other ATM attack we’ve seen.

First reported by Krebs on Security, the fraud scheme, known as an “ATM cash-out,” goes well beyond the typical threat of attackers planting physical skimmers on ATMs. The criminals have upped their game, compromising ATMs and their surrounding infrastructure virtually — and they are reaping an exponential increase in revenue.

Why This Is Not Your Typical ATM Attack

Until now, criminals have mainly compromised ATMs using physical methods. They might plant skimmers on the front of machines to capture payment card data as customers insert their cards, for example, or install a piece of hardware that manipulates the ATM to spit out money (aka jackpotting). This newly discovered attack is mainly virtual. It is also twofold: Criminals compromise both the front and back ends of the ATM infrastructure.

On the front end, criminals are compromising financial organizations’ people, processes and technologies to collect customer payment card data in bulk and create fraudulent cards. They use various methods, such as socially engineering an employee who manages the ATM network or exploiting an infrastructure vulnerability to plant malware. However they get in, they are using high-efficiency card collection techniques and gathering thousands of customers’ payment card information in one swoop.

On the back end, they’re manipulating components of the ATM network to change the maximum amount of money a customer can withdraw. With an endless amount of cash at their disposal, they could potentially drain a customer’s entire bank account.

The pairing of these attacks — coupled with the fact that they are virtual and much more efficient than previous ones — makes this scheme more dangerous than the typical ATM compromise.

How Can Organizations Protect Themselves Against ATM Fraud?

To protect themselves from this attack, organizations should monitor customer withdrawal limits. It’s not unusual for customers to change their withdrawal limits. However, if the number of customers changing their limits jumps from a few a day to 500 a day, that should raise a red flag.
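One way to turn that red flag into a check, as an added example that is not part of the original article: count withdrawal-limit changes per day from an audit log and alert when a day’s count dwarfs the median of the preceding days. The log format, field names and thresholds are assumptions, and the log itself is constructed.

```python
from collections import Counter
from statistics import median

# Assumed audit-log format (constructed for this example):
# "<YYYY-MM-DD> <customer id> <old limit> <new limit>", one change per line.
def parse_events(lines):
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, customer, old, new = line.split()
        events.append((day, customer, int(old), int(new)))
    return events

def daily_change_counts(events):
    """Number of limit changes per calendar day."""
    return Counter(day for day, _, _, _ in events)

def flag_spike_days(counts, factor=10, min_events=50):
    """Flag days whose count exceeds `factor` times the median of all earlier days.
    Both thresholds are illustrative assumptions, not figures from the article."""
    flagged, history = [], []
    for day in sorted(counts):
        n = counts[day]
        baseline = median(history) if history else 0
        if n >= min_events and n > factor * max(baseline, 1):
            flagged.append((day, n, baseline))
        history.append(n)
    return flagged

def large_raises(events, ratio=5):
    """Individual changes that multiply a limit by `ratio` or more (a raised cap)."""
    return [(d, c, o, n) for d, c, o, n in events if o > 0 and n / o >= ratio]

def build_sample_log():
    """Constructed data: six quiet days with 2-4 changes, then one day with 500."""
    lines, cid = [], 0
    for i, k in enumerate([2, 3, 4, 2, 3, 3], start=1):
        for _ in range(k):
            cid += 1
            lines.append(f"2018-08-{i:02d} c{cid:05d} 300 600")
    for _ in range(500):
        cid += 1
        lines.append(f"2018-08-07 c{cid:05d} 300 10000")
    return lines

if __name__ == "__main__":
    evts = parse_events(build_sample_log())
    for day, n, base in flag_spike_days(daily_change_counts(evts)):
        print(f"ALERT {day}: {n} limit changes (baseline median {base})")
    print(len(large_raises(evts)), "changes raised a limit 5x or more")
```

In a real deployment the baseline would come from a rolling window rather than the whole history, and the per-change ratio check would be tuned to the institution’s normal limit ranges.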

Companies should also test their infrastructure rigorously and frequently. Security teams can stay one step ahead of fraudsters by conducting penetration tests against employees, searching for holes in organizational practices and implementing technology to uncover security vulnerabilities. By finding and fixing vulnerabilities within their ATMs and surrounding infrastructure quickly, organizations can minimize attackers’ opportunity to exploit them.

From 2017 to 2018, X-Force Red, IBM Security’s team of veteran hackers, saw a 300 percent increase in banks requesting ATM testing. The team is hired by financial organizations globally to hack into their applications, hardware, devices, personnel, ATMs and surrounding infrastructure using the same methods and tools criminals use. Once X-Force Red discovers these weaknesses, the team helps the organization to remediate them before criminals have a chance to compromise its systems.

When it comes specifically to ATM cash-out attacks, X-Force Red can test ATMs and their ecosystem, meaning the people, processes and technologies that connect to those ATMs. The team can also identify vulnerabilities that criminals would exploit in order to steal card data and manipulate the ATM’s network so that larger sums of money can be withdrawn. Finally, and most importantly, X-Force Red can help organizations remediate those vulnerabilities before criminals are able to exploit them.

Learn more about the newly announced X-Force Red ATM Testing Practice

Source: Krebs on Security
