Malware Exposing ATM Weakness, As Crooks Get Machines To Spit Out Cash

MILPITAS, Calif. – Experts in ATM malware are reporting increased prevalence of attacks on the machines outside the United States.

Most recently, malware in Thailand was used to command 21 ATMs to dispense approximately $350,000 to crooks, according to FireEye. That followed a mid-July heist in Taiwan in which $2.2 million was stolen from multiple ATMs, and there have also been attacks in Mexico and Ukraine.

According to FireEye, most of the failings have been at banks that have not secured their ATMs, most of which still run Microsoft's retired Windows XP operating system.

FireEye said it has learned of the vulnerabilities via a custom system it has developed that quickly classifies malware uploaded to Google's VirusTotal repository according to its intent. VirusTotal indicated that the malicious file, nicknamed "Ripper" by FireEye, had been uploaded from Thailand.

FireEye reported that Ripper is not that different from other kinds of ATM malware the security firm has seen. The goal is to direct machines to dispense cash via what’s frequently known as a "jackpotting" or "cash out" attack. But what is different, according to FireEye, is that the thieves used the ATM like anyone else, inserting a payment card into the slot to obtain the funds.

FireEye said its investigation found the scammers use EMV payment cards that have been encoded to authenticate the card to malware that's already been installed on the ATM.

Once an attacker inserts a special EMV card, the malware grants them access to a range of functions. By entering preset codes into the keypad, they can access a menu of options, including dispensing currency, according to FireEye.

And there is one other twist with the malware: It disables network access to foil real-time anti-fraud detection systems on the bank's side.

FireEye said the malware has been used on ATMs manufactured by NCR and at least two other vendors, although it declined to identify the remaining companies. The malware involves APIs known as XFS, or Extensions for Financial Services, a middleware spec that controls communication with the Windows operating system, according to FireEye.

Copyright Holder: CUToday.info
Copyright Year: 2026