General security

ATM Attacks Are Skyrocketing [Updated2018]

Pierluigi Paganini
September 3, 2018 by
Pierluigi Paganini


Security and fraud experts are observing a significant increase in the number of cyber attacks against the ATMs, in particular, skimming and malware-based attacks. The popular investigator Brian Krebs recently published an interesting post that warns about an alarming increase in skimming attacks for both American and European banks.

"Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers." wrote Krebs. "The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past."

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The FICO Card Alert Service issued several warnings about a spike in ATM skimming attacks.

On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.

The situation is worrisome; some financial institutions preferred to shut down the ATMs to mitigate the fraudulent activities.

My last post on the topic is dated back October 2014, when I wrote about a dangerous trend that started with the ATM malware Tyupkin that infected at least 50 ATMs, mainly in Eastern Europe.

In May 2013, another ATM Trojan dubbed Padpin appeared in the wild, followed months later by the Ploutus threat.

Unfortunately, the number of ATM attacks is increasing worldwide, as confirmed by the data shared by the European ATM Security Team (EAST), let's see what happened from our last post.

September 2015 –Suceful, the first multi-vendor ATM malware

Security experts at FireEye spotted a new strain of malware dubbed Suceful (Backdoor.ATM.Suceful) that was designed to compromise ATMs, but that presented singular features.

According to the malware researchers at FireEye Labs, Suceful is considerable the first multi-vendor ATM malware, the sample analyzed by the experts was dated back to August, and its analysis led them into believing that it could be the result of ongoing development.

"FireEye Labs discovered a new piece of ATM malware (4BDD67FF852C221112337FECD0681EAC) that we detect as Backdoor.ATM.Suceful (the name comes from a typo made by the malware authors), which target cardholders and is able to retain debit cards on infected ATMs, disable alarms, or read the debit card tracks." states the blog post published by FireEye.

Figure 1- Suceful UI

Like other ATM threats, SUCEFUL interacts with the XFS middleware that represents the interface between the application (the malicious code in this case) and the peripheral devices (e.g., printer, dispenser, card reader, pad).

Figure 2 - XFS middleware

Every vendor has its implementation of the XFS Manager despite they also support the default XFS Manager template. SUCEFUL was designed to read payment card data, and suppressing ATM sensors to avoid detection for both Diebold and NCR ATM families.

The SUCEFUL capabilities observed in attacks against both Diebold and NCR ATMs include:

Reading all the credit/debit card track data

Reading data from the chip of the card

Control of the malware via ATM PIN pad

Retention or ejection of the card on demand: This could be used to steal physical cards

Suppressing ATM sensors to avoid detection

September 2015 – GreenDispenser

A few days after the announcement of the discovery of the Suceful ATM malware, the researchers at Proofpoint spotted another malicious code designed to compromise ATMs; it was dubbed "GreenDispenser." GreenDispenser is a malware that presents many similarities with the Tyupkin malware, but it represents an evolution of the older threat.

The installation of the GreenDispenser requests a physical access to the targeted ATM; then the crooks send commands to the machine directly from the PIN pad and order it to dispense cash.

"GreenDispenser provides an attacker the ability to walk up to an infected ATM and drain its cash vault. When installed, GreenDispenser may display an 'out of service' message on the ATM — but attackers who enter the correct pin codes can then drain the ATM's cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed." states the experts at Proofpoint.

Also, in this case, the ATM malware implements the XFS, the Extension for Financial Services DLL library(MSXFS.dll), to control the peripherals connected to the ATM, including the ATM's PIN pad and the cash dispenser.

The menu used to control the ATM is protected by a two-factor authentication (2FA) mechanism and the malware is designed to operate only for a limited period.

According to the Proofpoint firm, the first PIN is hard coded meanwhile the second code is obtained by decoding a QR code displayed on the screen. Crooks likely use a mobile app to decode the QR code and obtain the dynamic authentication code.

The GreenDispenser ATM malware attempts to obtain the names of the PIN pad and the cash dispenser by querying specific registry location if this method fails, it tries the default names "Pinpad1" and "CurrencyDispener1."

Once the hacker is authenticated to the ATM, the machine displays a menù that is used by attackers to instruct the machine into dispensing money, the same menu could be used to launch the "uninstall" procedure.

Experts noted that GreenDispenser checks the current date before running because it is designed to operate in 2015 and the month must be before September. The feature has been implemented to deactivate the malware after a specific date, making harder the detection.

November 2015 –ATMs vulnerable during the update process

The security researcher Benjamin Kunz-Mejri, CEO of the Vulnerability Lab, discovered that ATMs at the German savings bank Sparkasse can leak sensitive data during software updates.

Benjamin Kunz-Mejri casually made the worrisome discovery while he was using the ATM. He noticed a strange behavior after the ATM ejected his card and resulted "temporarily not available." The expert tried to interact with the ATM and observed a Windows command prompt showing on ongoing update process; he took a video of the information displayed on the terminal.

The status change was caused by a software update, and the researcher used the term "timing attack" to describe his interaction with the ATM.

The expert highlighted that the ATM keyboard was not disabled during the process, allowing an attacker to execute system commands via the command prompt, the card reader also remained usable during the update.

Figure 3 - ATMs at the German bank

A video recording of the process allowed the expert to analyze the information displayed on the screen that included many sensitive data such as the bank's main system branch usernames, serial numbers, network and firewall configurations, device IDs, ATM settings, and two system passwords.

The ATMs analyzed by the researcher are manufactured by Wincor Nixdorf, one of the most important vendors in the banking industry. The terminals were running Windows 7 and Windows XP operating systems.

The experts warned about a large scale attack coordinated by a criminal ring in conjunction with a planned update. The experts tried to imagine the possible attack scenarios:

The attacker could use the information disclosed during the update process to run a man-in-the-middle (MitM) attack on the targeted bank's local network. This attacker needs physical access to bank network.

The attacker could push a bogus update to reconfigure the ATMs, also in this case he needs physical access to bank network.

The Attacker could conduct fraudulent transactions by forcing the ATM crash and corrupt the logging or debugging mechanism.

The Vulnerability-Lab reported the security issue to Sparkasse's Security and Data Protection team in May; the flaw was confirmed after the vulnerability report was received by the internal Finance Security Center.

The Sparkasse issued a series of updates to fix the security issue; the upgrade process started from a limited number of ATMs in the city of Kassel with the purpose of running further tests before updating all the ATMs used by the financial organization.

It was the first time that a German bank admits the security vulnerability in an ATM and reward the researchers.

November 2016 – "The Russian Job."

According to the security experts at the GroupIB firm, Russian hackers have adopted a new technique dubbed Reverse ATM Attack to steal Millions of dollars from ATMs of financial institutions.

GroupIB estimated that the Reverse ATM Attack allowed crooks in Russia to steal 252 Million Rubles (roughly US$3.8 Million) from at least five different banks.

The theft started in summer 2014 and finished in Q1 2015; the experts provided a detailed description of the Reverse ATM Attack.

The attacker would deposit sums of 5,000, 10,000 and 30,000 Rubles into legitimate bank accounts using ATMs, and immediately withdraw the same amounts of money accompanied by a printed receipt of the payment transaction. At this point, the hackers send the details included on the receipt, including the payment reference number and the amount withdrawn, to a partner who had remote access to the infected POS terminals, and that was located outside of Russia.

The partner would then use the details on the receipt to perform a reversal operation on a POS terminal that would lead them into believing that the withdrawals were canceled, thereby tricking thousands of point-of-sale (POS) terminals in the US and the Czech Republic.

From the perspective of the bank, it would appear the attempt to withdraw cash was failing, a circumstance that for example occurs when the bank account has insufficient funds.

The cash out process was made through a global "money mule" network that will transfer the money to the attacker's bank account.

"That information was sent to hackers who would use the data and their access to thousands of point of sale terminals, primarily based in the US and the Czech Republic, to create "a reversal operation" on a terminal that tricked the bank into believing the withdrawal of funds had been cancelled."  states Forbes. "At the point of sale terminal, this looked as though goods were returned or a payment declined, whilst to the banks it appeared the ATM withdrawal had been canceled. Funds were returned to the account, though the crooks had already taken the cash. The process was repeated until there was no money remaining in the targeted ATM."

As explained by the experts at Group-IB, the criminal gang leveraged weaknesses in the withdrawal, transfer and verification stages of credit card transactions used in Russia and managed to bypass checks recommended by VISA and MasterCard.

The problem is that when the reverse operation targets a single bank, transaction details provided by VISA are not verified by the targeted banks. When ATM Withdrawals were made in one country and canceled/reversed in another, the verification process fails.

VISA brought together the affected banks so they could block reversal operations when funds were withdrawn from an ATM of the bank and reaccredited through a separate terminal.

"But that fix only addressed the issue of withdrawals from ATMs, not transfers from one card to another." continues Forbes.

May 2016 – Skimer, the last ATM threat

Security experts at Kaspersky Lab have recently spotted a new strain of the malware dubbed 'Skimer' (Backdoor.Win32.Skimer). Skimer is an old threat that has been around since 2009; it is used by cyber criminals to steal money and payment card data from ATMs.

The Skimer malware was one of the first threat specifically designed to target ATMs directly.

The researchers have detected 49 variants of the malware, most of them (37) specifically designed to compromise ATMs from a single manufacturer. The threat actors behind the malware have improved the Skimer threat over the time, the last variant that was spotted a few days ago is very hard to analyze.

"Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer. The most recent version was discovered at the beginning of May 2016."

According to Kaspersky, bad actors used the commercially available packer Themida to pack both the infector and the dropper.

Once the Skimer ATM malware is executed, it drops a file named netmgr.dll on the system. If the machine uses FAT32, the netmgr.dll is dropped in the System32 folder, if it uses NTFS, the file is placed in the NTFS data stream corresponding to an executable named SpiService.exe.

The SpiService.exe is associated with XFS, the Extension for Financial Services DLL library (MSXFS.dll) that is specifically used by ATMs. The library provides a special API for the communication with the ATM's PIN pad and the cash dispenser.

The malicious code adds a new LoadLibrary call to SpiService.exe to allow the loading of the netmgr.dll library into the XFS service after the malware reboots the infected ATM.

The SpiService.exe is a service specific to ATM manufactured by the Diebold companies.

With this mechanism, Skimer gets the access to the XFS and can interact with all the connected peripherals.

Kaspersky noticed that hackers can control the Skimer malware by using two types of cards that are specifically crafted. The authors of the malware use data stored in the Track 2 to discriminate the two kinds of cards, one type for executing commands hard-coded in Track 2, the other to execute one of 21 predefined commands using the PIN pad and the malware interface.

"Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:"

Card type 1 – request commands through the interface

Card type 2 – execute the command hard coded in the Track2

Below some of the commands accepted by the malware interface:

Show installation details;

Dispense money – 40 notes from the specified cassette;

Start collecting the details of inserted cards;

Print collected card details;


Debug mode;

Update (the updated malware code is embedded on the card).

The experts noticed that Track2 hard coded commands could be easily discovered by security solutions used to protect the ATMs.

"Banks may be able to look proactively for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware." states the post published by Kaspersky.

The researchers also recommend a series of counter measured that includes:

Regular AV scans

Whitelisting technologies

Device management policy

Full disk encryption

Password protected BIOS

Only implements HDD booting

Separate ATM network from any other internal bank networks.

And again …

Hacking an ATM with a Samsung Galaxy 4 Smartphone

A smartphone could be enough to compromise an ATM system and force it to dispense the cash; the attack was described by the popular investigator Brian Krebs that has illustrated an attack scenario based on a Samsung Galaxy 4 phone.

The model of smartphone is not important; the mobile devices are used only to send commands to the ATM remotely once the attacker has physically connected it to the machine.

Poorly protected ATMs result more exposed to this type of attacker; hackers compromise their case to connect the mobile device and establish a connection with the ATM.

Krebs described this kind of hacks like a new family of attacks belonging to "a new class of skimming scams aimed at draining ATM cash deposits".

The "black box" ATM attack presented by the expert relied on a smartphone and a USB-based circuit board.

"At issue is a form of ATM fraud known as a "black box" attack. In a black box assault, the crooks gain physical access to the top of the cash machine. From there, the attackers are able to disconnect the ATM's cash dispenser from the "core" (the computer and brains of the device), and then connect their own computer that can be used to issue commands forcing the dispenser to spit out cash." states Krebs.

Figure 4 - black box (Brian Krebs)

Resuming, the criminal crews isolated the cash dispenser from the ATM PC and connected it a PC they control using the smartphone. Krebs reported that the "black box attacks," have been conducted against ATMs made by the NCR vendor.

"NCR says the crooks then attached a smartphone (a virgin, out-of-the-box Samsung Galaxy 4), which they used as a conduit through which to send commands to the cash dispenser remotely. According to Harrow, the mobile phone was set up to relay commands through a dynamic IP service," said Krebs.

In one case, the attacker used a circuit board with USB connection to hook it to the ATM controller to trick the computer into believing it was still connected to the cash dispenser. Krebs highlighted that anyway the supplementary circuit was unnecessary for the "black box" ATM attack.

"They plugged into the controller a USB-based circuit board that NCR believes was designed to fool the ATM's core into thinking it was still connected to the cash dispenser." states the post.

Of course, there are some variants of the attack, in the past we discussed another attack technique that relies on a malware injected through a CD-ROM inserted the ATM core.

At the time of the publishing of the news, the researchers at NCR were informed only about two black box attacks, for this reason, the company issued a firmware update to improve the encryption for the communication between the cash dispenser and the core system. The update also included a feature that blocks the possibility to roll back the version of the firmware; the downgrade could be exploited by hackers to make the ATM vulnerable again.

"The company also recently shipped a software update for its ATMs that strengthen the encryption used to manage communications between the cash dispenser and the ATM core. More importantly, the update changes the system so that the encryption key exchange between those two components is only done when the dispenser receives a specific authentication sequence."

The experts at NCR confirmed that this kind of attack is very easy to organize and are very cheap.

"All things considered, this is a pretty cheap attack," said Charlie Harrow, solutions manager for global security at NCR. "If you know the right commands to send, it's relatively simple to do. That's why better authentication needs to be there,"

Black box attack, hacking an ATM with Raspberry Pi

A variant of the previous attack relies on a Raspberry Pi that could be hidden inside an ATM enclosure without arousing suspicion of those who are involved in the maintenance of the ATM.

Once the experts have chosen the architecture to use for the "black box" device, they used the ATM interface documentation to understand hot to manage ATM peripheral by using its API.

"Regardless of the vendor, cash machines and payment terminals share the same API for accessing and manipulating various modules and use the Windows platform by the Extensions for Financial Services (XFS). Knowing the API, one may easily gain access to an ATM host and directly manage multiple peripheral devices installed inside the money machine, e.g. a card reader, PIN pad,touchscreendisplay, dispenser unit, etc. Do not forget about ATM OS vulnerabilities — Windows has a lot of those in stock for many years to come." reads ablog post published by the Positive Research Center.

Black box attack – The physical access to the ATM

The experts explained that cyber criminals need to open up the ATM enclosure, in the upper part of the machine are usually located a service area, which hosts connectors to peripherals and network equipment, including GSM/GPRS modems. Usually, this portion of the ATM is easy to access, different from the safe part of the machine that is located at the bottom. This part could be accessed by using "easy-to-make keys and simple materials at hands."

Another crucial factor for a Black Box attack is the time necessary to complete all the operations necessary for the installation of the Raspberry Pi in the ATM; during a presentation held at Black Hat the experts successfully installed the device in just two minutes.

"the Positive Technologies experts timed how long it took them to install the tiny computer inside the ATM service area for use as a sniffer to intercept PIN code and credit card info or as a skimmer that is virtually impossible to detect from the outside. The researchers were able to unlock the ATM enclosure, install, disguise, and bring their computer online in just two minutes." continues the post.

The experts developed their own code to allow Raspberry PI to manage the various peripherals connected to the ATM, then connected the device to a Wi-Fi adapter to access it. The code allows instructing the cash dispenser to empty the cassettes and steal the money.

"The experts demonstrated how to make an ATM dispense several banknotes and, after some code adjustments, give out all the money. By the way, a typical ATM cassette holds two or three thousand banknotes, and there are usually four of those for different denominations inside a regular ATM."

At this point the hackers completed their demonstration of the Black box attack, the ATM has been emptied. The attackers haven't left a trace on the ATM; they were also able to gain control of the camera with the Raspberry Pi.


The experts have no doubt; the ATM will continue to be a privileged instrument for crooks that will improve their malicious code to avoid detection. The other concerning findings are that devices as common and accessible as a smartphone or a raspberry pi could be the only tools necessary to carry out these illicit activities. However, understanding these vulnerabilities can lead security professionals to evolve ahead of their attackers. For more info on the related topic of ATM Penetration testing, click here.

Let me close with the following statement issued by Proofpoint.

"ATM malware continues to evolve, with the addition of stealthier features and the ability to target ATM hardware from multiple vendors," states Proofpoint.


FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.