Collaborating with Law Enforcement to Tackle the Scourge of ATM Attacks

At Trend Micro, we’ve always been keen to collaborate with law enforcement. While we do our best to protect our customers from the latest threats, it’s only with concerted cross-border police action against the perpetrators of these crimes that we can hope to swing the pendulum back in our favor. One common target of attack over the years has been ATMs, which offer hackers a direct route to skim card details and get ahold of free cash.

That’s why we were pleased to have contributed to a new Europol report for law enforcement detailing guidelines on logical ATM attacks. By sharing our expertise in this way, we support the ongoing efforts by both law enforcement and the financial industry to stop ATM abuse.

In the firing line 

The report in question, Guidance and recommendations regarding logical attacks on ATMs, is an update to a landmark 2015 document, coordinated by the European Association for Secure Transactions Expert Group on All Terminal Fraud (EAST EGAF). It offers fantastic vendor-neutral guidance on typical attack methods, improving cyber protection of ATM systems, and enhancing incident detection and response.

Steven Wilson, Head of Business at Europol’s European Cybercrime Centre (EC3) said, “This updated and refocused edition of the report draws upon the expertise of an expanded panel of experts from both law enforcement and the private sector. In addition to the key role played by EAST, I would like to extend my thanks to Diebold Nixdorf, GMV, ING, INTERPOL, NCR, TMD Security and Trend Micro for their invaluable work and contributions, without which this report would not be possible. I continue to look forward to Europol’s engagement and cooperation with all of our partners within private industry and law enforcement in such endeavors, and our continuing fight against threats affecting the payment industry.”

ATMs are a classic example of the dangers of expanding digital infrastructure without engineering cybersecurity in from the start. In many cases, there’s just enough IT and connectivity to expose machines to attackers, but not enough to protect them.

Attacks have been ongoing for over a decade now, although they’ve changed significantly during that time. Back in the day, criminals had to gain physical access to the ATM itself, gluing card skimmers onto the outside, and overlaying fake keypads to harvest PINs. In some cases, they introduced malware via USBs or CDs and/or attached external keyboards to send commands to dispense cash. These so-called “jackpotting” attacks were for many years confined to Asia and Europe, although they’ve recently started appearing in the US.

However, attackers have also adapted their methods to reduce their chances of getting caught. By attacking bank IT networks remotely, they face no danger of leaving fingerprints at the scene of the crime, or of the alarm being raised by passers-by. Instead, attackers use tried-and-true methods: sending malware-laden phishing emails to bank employees that, when downloaded, provide remote access to networks. From there they can pivot to ATM controllers, and then choose which machines to jackpot, while waiting mules collect the cash.

One of the first attacks of this kind used the Ripper ATM malware to steal an estimated 12 million baht ($350,000) from NCR machines in Thailand in July and August 2016.

“ATM attacks can only be effectively eradicated when the financial sector, cybersecurity companies and law enforcement all work in tandem,” said Martin Bally, chief information security officer for Diebold Nixdorf. “Trend Micro is a strong positive force among these collaborations. Their continued work with both the financial industry and law enforcement brings us all closer to protecting the industry from cybercrime.”

Joining forces

At Trend Micro, we’ve been covering ATM threats for years now and in 2017 released a detailed report into new attack types in collaboration with Europol’s European Cybercrime Centre (EC3). We’re proud to continue this relationship, by sharing our knowledge with the authors of the latest EAST EGAF report for law enforcement.

Private cybersecurity companies have a wealth of resources at their disposal that many law enforcement organizations may be unable to match. At Trend Micro, our team of 1200+ TrendLabs researchers works round the clock and around the globe to find emerging threats, while our Smart Protection Network identifies over six billion unique new threats each year.

By sharing this insight when requested, we can get some great results. Just consider the recent conviction of two ringleaders of the notorious Scan4You CAV service, which came about after our close cooperation with the FBI. Or how about the conviction of a UK man responsible for selling crypting and CAV services, secured after a landmark partnership with the National Crime Agency?

We’re looking forward to many more successes like these in the future as we continue to partner with global law enforcement entities.
