New ATM Malware Helps Hackers Dispense Cash On Command, Rendering Chip Security Irrelevant

Smashing into a store, chaining the ATM machine to the back of your car and driving off is so 20th century. Authorities are reporting that more cash than ever is being lost to malicious software that’s implanted on ATM machines throughout the world. Now, though, hackers have grown so sophisticated that they’ve figured out how to drain an ATM of all its money and walk away before anyone notices an attack has taken place.

The security firm Proofpoint unveiled new research Thursday announcing the discovery of GreenDispenser, a strain of malware that enables a hacker to trick a machine into spitting out cash simply by entering a special PIN number. An attacker likely needs to physically install the software on an ATM, Proofpoint reported, then control the machine’s internal workings via an app specially designed for this purpose. It targets XFS standard, a Windows-based client server architecture that’s been widely adopted on ATMs throughout the world.

“ATM malware such as GreenDispenser is particularly alarming because it allows cybercriminals to attack financial institutions directly, without the extra steps required to capture credit and debit card information from consumers -- and with correspondingly less traceability,” Kevin Epstein, vice president of Threat Operations for Proofpoint, said in a statement. It wasn’t immediately clear how many ATMs have been infected with GreenDispenser.

Researchers said GreenDispenser, which briefly displays an “Out of Service” message and then self-destructs, wiping away much of the evidence, has been detected primarily in Mexico. But ATM skimming technology doesn’t adhere to international borders, and a wave of recent cybersecurity research indicates that new forms of attacks have recently presented themselves in Mexico, Russia and throughout Europe.

Take SUCEFUL, for example.

Researchers at FireEye disclosed on Sept. 11 that the malware subverted cash machines, forcing them to retain debit cards instead of returning them to the customer. While a customer walks away to ask for help, SUCEFUL-infused ATMs compile debit card data, read data from the chip of the card, suppress ATM sensors to avoid detection and eject only when a special PIN number is inputted, according to FireEye. The process makes it possible for hackers to steal physical cards, not just the information they contain.

Both GreenDispenser and SUCEFUL are thought to still be in development phase.

Last year, Symantec discovered that hackers were using text messages to trick ATMs into dispensing cash, and Kaspersky announced it was working with INTERPOL to identify the suspects behind another scam in Europe.

The European ATM Security Team revealed in April that the number of reported skimming incidents fell 3 percent in 2014 (5,631 from 5,822 in 2013), though total dollar loss jumped from $255 million to $300 million.