Trend Micro and GMV – an industry expert on ATM security – presented last week in London, during ATMSec, a conference focused on the topic. Our presentation was on a very interesting and forward-looking topic: “The future of ATM malware”. On other occasions, we had talked about how ATM malware has been evolving over time. This time around, though, we hypothesized how this kind of malware may evolve in the mid-term.
Juan Jesús León and David Sancho created a model of the current ATM malware landscape based on how each of the malware types we know about is able to attack. They then clustered them in two main groups with clearly defined features:
- Malware involved in network attacks tends to be relatively simple.
- Malware with a physical component tends to be more complex and aims to further the criminals’ business plan.
In summary, since ATM attacks coming from the network have a better chance of disabling security on the ATM endpoints, the malware or tools used tend to be simple in nature. The reason is that those attacks have already overcome quite a few hurdles in order to reach their final setup, so the actual ATM infection is a mere tool to monetize all of the criminals’ previous intrusion efforts: these tools are just a means to tell the ATM to dispense money.
On the other hand, physical intrusion usually requires the machine to be unprotected in order for the attack to be effective. If this is not the case, the malware usually has additional capabilities, like turning off the network or other advanced features. On top of this, the criminals implement measures to prevent stand-alone members of the criminal gang from going rogue and starting to victimize more ATMs on their own. This lack of trust between developers and money mules necessitates more complex malware and additional features besides simply dispensing cash.
From this model we derived two predictions for the mid-term:
- The materialization at some point of a malware creation kit that would allow developers to ‘customize’ malware for each attack. Such a kit would generate different malware variants, which could then be resold to other criminal gangs to fit their individual needs depending on who the target bank might be. This would continue the increasing complexity of physical ATM malware we are currently seeing.
- The appearance of an open-source dispensing tool, i.e. malware that simply tells the ATM to dispense cash, which would-be bank hackers could add to their arsenal. Such a tool would be the final rung in the ladder of a bank’s corporate network intrusion and could be used whenever the hackers have found a way to install malware on the ATMs. Why open source? We would argue that, given the simplicity of the tool, this would be a great way for the criminals to hinder further investigation into the machines. Since the tool would be publicly accessible, there would be no more clues left behind in those very sensitive machines. Truly evil.
These two predictions may or may not come to pass but they do make sense, given the current state of the ATM malware landscape. GMV and Trend Micro have put a lot of thought into these predictions and, given both companies’ shared experience in the field, we believe stakeholders in these projects should take them into account when protecting these environments. Don’t say we didn’t warn you.
- Juan Jesús León Cobos, Director of Products and New Developments at GMV
- David Sancho, Senior Anti-Malware Researcher at Trend Micro
The author’s views are entirely his own and may not reflect the views of GMV