The interest in ATM malware and attacks is persistent and poses a threat to financial institutions and ATM manufacturers alike.

Here Amina Bashir, Associate Product Manager at business risk experts Flashpoint, offers Finance Monthly some insight into the underground market for malware designed for use in ATM cash-out schemes.

As giant boxes of cash, it’s understandable that ATMs are magnets for nefarious activity. Like many other forms of financially motivated crime, malicious activity against ATMs is supported by an underground ecosystem of illicit offerings and resources, as evidenced across Flashpoint’s datasets.

For example, information sourced across illicit online communities, encrypted chat services, and paste sites shows threat-actor mentions of ATMs on a par with mentions of distributed denial-of-service (DDoS) tools and attacks, far exceeding mentions of Remote Access Trojans, crypters, botnets, and ransomware. The interest in ATM malware and attacks is persistent and should be on the radar of financial institutions and ATM manufacturers alike.

Here’s a look at some known threats to ATMs:

Skimmers and Shimmers

Skimmers and shimmers are small, physical devices which are inserted into ATMs to steal payment card data. They are a popular commodity among fraudsters, but some criminals favor a more straightforward form of theft: directly stealing cash from the machine.

ATM Jackpotting

Jackpotting is the manipulation of an ATM so it ejects the cash within. It is often carried out with the help of specialised malware sold on illicit online marketplaces. During the past several years, malware-enabled ATM jackpotting attacks have been reported worldwide, from Europe and the U.S., to Latin America and Southeast Asia.

ATM Malware

ATM malware continues to be popular among threat actors operating across various platforms. Analysts have observed that ATM malware appears to be sold by only a few threat actors, some of whom may be associates. This is in contrast to other types of malware, which are sold by a wide range of vendors.

[ymal]

Inside the ATM Malware Market

WinPot, Cutlet Maker, and Yoda are among the most mentioned ATM malware variants. Due to similarities in posts, it is possible that some of these malware families are being created or sold by associated—if not the same—threat actors. Moreover, Flashpoint analysts have noted that many threat actors who advertise ATM malware also peddle other offerings on the cybercrime underground, including carding services and access to compromised bank accounts.

Uniquely among cyber threats, ATM malware attacks inherently require a physical presence at the targeted site. In fact, since most common and popular ATM malware variants are installed via USB, where attackers must physically open the machine’s exterior panel and connect an external device—attacking an ATM is hardly an inconspicuous endeavour.

And while some forms of ATM malware, such as ATMitch, can be administered without physical access to the machine by leveraging a known exploit against a financial institution’s servers, such an attack still requires the threat actor or a money mule to physically retrieve the stolen cash from the machine. As such, jackpotting crews are known to select their targeted sites carefully; ATMs stationed not at banks, but rather at small businesses, shopping centres, gas stations, and other retail locations are the most desirable targets for jackpotting crews.

ATMs stationed not at banks, but rather at small businesses, shopping centres, gas stations, and other retail locations are the most desirable targets for jackpotting crews.

So, in addition to keeping ATMs updated with the latest security software and patches, one of the best ways for operators to avoid being targeted in a malware attack is to noticeably bolster actual and perceived physical security at ATM sites. For example, an outdoor ATM set back from the sidewalk in a poorly-lit area could be a natural target for jackpotting, but the addition of motion-activated floodlights and conspicuous security cameras monitoring the premises from several angles to avoid blindspots could immediately deter threat actors.

In addition to enhancing visibility and surveillance, changing the lock on an ATM’s exterior panel is another simple way to thwart threat actors sniffing out vulnerable ATMs that use a generic, mass-produced key provided by the manufacturer.

Assessment

Despite being controlled by a relatively small number of threat actors, Flashpoint analysts believe the underground market for ATM malware will continue to flourish, serving a global customer base of threat actors and posing a threat to financial institutions and ATM manufacturers worldwide.

Flashpoint analysts have observed wide variance in the price of ATM malware within illicit marketplaces, from as low as $25 USD up to $5,000 USD depending on the malware being offered, in addition to other factors, such the vendor’s reputation and level of customer support, customisation, and bundled services.

44% of requests were processed after detection of an attack during an early stage, saving the client from potentially severe consequences. These are among the main findings of Kaspersky’s latest Incident Response Analytics Report.

It is often assumed that incident response is only needed in cases when damage from a cyberattack  has already occurred and there is a need for further investigation. However, analysis of multiple incident response cases which Kaspersky security specialists participated in during the 2018 shows that this offering can not only serve as investigative, but also as a tool for catching an attack during an earlier stage to prevent damage.

In 2018, 22% of IR cases were initiated after detection of potential malicious activity in the network, and an additional 22% were initiated after a malicious file was found in the network. Without any other signs of a breach, both cases may suggest that there is an ongoing attack. However, not every corporate security team may be able to tell if automated security tools have already detected and stopped malicious activity, or these were just the beginning of a larger, invisible, malicious operation in the network and external specialists are needed. As a result of incorrect assessement, malicious activity evolves into a serious cyberattack with real consequences. In 2018, 26% of investigated “late” cases were caused by infection with encryption malware, while 11% of attacks resulted in monetary theft.19% of “late” cases were a result of detecting spam from a corporate email account, detection of service unavailability or detection of a successful breach.

“This situation indicates that in many companies there is certainly room for improvement of detection methods and incident response procedures. The earlier an organisation catches an attack, the smaller the consequences will be. But based on our experience, companies often do not pay proper attention to artifacts of serious attacks, and our incident response team often is being called when it is already too late to prevent damage. On the other hand, we see that many companies have learned how to assess signs of a serious cyberattack in their network and we were able to prevent what could have been more sever incidents. We call on other organisations to consider this as a successful case study,” said Ayman Shaaban, security expert at Kaspersky

Additional findings of the report include:

• 81% of organisations that provided data for analysis were found to have indicators of malicious activity in their internal network.
• 34% organisations exhibited signs of an advanced targeted attack.
• 54.2% of financial organisatons were found to be attacked by an advanced persistent threat (APT) group or groups.

To effectively respond to incidents, Kaspersky recommends:

• Make sure the company has a dedicated team (at least employee) responsible for IT security issues in company.
• Implement backup systems for critical assets.
• To respond in a timely manner to a cyberattack, combine in-house IR team as a first-line of respond and contractors to escalate more complex incidents.
• Develop an IR plan with detailed guidance and procedures for different types of cyberattacks.
• Introduce awareness training for employees to educate them on digital hygiene and explain how they can recognise and avoid potentially malicious emails or links.
• Implement patch management procedures to have software updated.
• Regularly conduct security assessment of your IT infrastructure.

The retail banks were responsible for the highest number of reports (486) – almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.

The root causes for the incidents were attributed to third party failure (21% of reports), hardware/software issues (19%) and change management (18%).

The FCA has recently warned of a significant rise in outages and cyber-attacks affecting financial services firms. It has also called on regulated firms to develop greater cyber resilience to prevent attacks and better operational resilience to recover from disruptions.

According to the new data obtained by RSM, there were 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20% were ransomware attacks.

Commenting on the figures, Steve Snaith, a technology risk assurance partner at RSM said: "While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.

"However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.

"As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible. While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.

"The figures also underline the importance of organisations obtaining third party assurance of their partners' cyber controls. Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.

"Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.

"Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place."

Fig1: The number of cyber incidents reported to the FCA by regulated firms in 2018 broken down by the sector the incident impacted (source FCA):

Fig2: The root causes of cyber incidents reported to the FCA (source FCA):

Fig3: The breakdown of incidents in 2018 categorised as 'Cyber attacks' (source FCA):

Mobile phone security is still a blind spot for some CFOs, CEOs and investors. Business strategies to prevent cyber-attacks often focus on servers, computer systems and the cloud, yet it is smartphones and tablets that are the new end point. Below Peter Matthews, CEO at Metro Communications, discusses six simple ways CFOs can make the most of their own and their employees’ phones, without compromising on security.

Research from Gartner shows that 27% of corporate data traffic will bypass perimeter security by 2021 and flow directly from portable devices to the cloud.

These mobile gadgets may have increased productivity immeasurably, but their escalation has also increased the risk. There is much more valuable data held on mobile phones than most users would credit. Documents, chat messages, videos, voice calls, texts, address book, calendar and location are all data, all valuable, and - to the right criminal – all worth stealing.

The uncomfortable truth is that with 72% of large UK companies experiencing a cyber breach in 2017, all business leaders have to take action to increase their awareness, secure all of their communications and ensure they can quickly recover from any damaging action. The key question is how?

1. Don’t use open WiFi or consumer apps for sensitive business conversations: Whether your staff are working from home, the car, the office or a hotel room in Timbuktu, confidential communications should always take place over secure WiFi. Don’t be tempted by that open network in a local cafe, even if it’s more convenient. It is also worth remembering that consumer apps, such as WhatsApp, encrypt the content of conversations but don’t protect metadata which includes information about your location, the date and time of calls, recipients’ phone numbers and your contacts list. Apps certified by a third party, such as the National Cyber Security Centre, ensure that nobody outside of your organisation can access your metadata.
2. Increase intelligence and awareness: Don’t expect your chief information officer to take sole responsibility for maintaining secure communications. In the words of KPMG, ‘security is not just an IT issue’ - it must be built into behaviour and processes throughout the whole organisation. For example, knowing the provenance of apps, creating verification and authentication processes or encouraging staff to use ‘message burn’ facilities to destroy sensitive text messages after they’ve been read will help create a safe environment for valuable data. A culture of awareness, supported by a policy which includes a clear chain of accountability, may be the closest you can get to a human firewall.
3. Get expert help. Mobile phone hacking is not a cottage industry, it is a global activity. Consider building relationships with information security consultants who know the landscape inside out, have access to leading edge technology and can advise on prevention. Including relevant partners and suppliers in these discussions will help you apply minimum standards to ensure hackers can’t access your data via ‘weak links’, beyond your corporate walls.
4. Control personal devices: According to a UK government survey, companies that allow staff to use their personal phones for work are more likely to experience breaches because they often find it difficult to manage security and impose technical control on personal property. Mobile device management (MDM) platforms can barricade and secure business data and delete sensitive corporate information when a staff member leaves. A recent analysis of the top ten best MDMs by TechRadar is available online.
5. Set up disaster management procedures: If your organisation succumbs to a cyber-attack, using the very platform that has been compromised – for instance, your computer system - to report or manage the situation can make matters worse. In fact, the initial action might well have simply been ‘bait’ to help the hackers gain access to new passwords and security information, and prevent key messages from being delivered. A separate and secure communications channel, where messages and voice calls are kept private, will – in these circumstances - help you to safely repair the damage and carry out essential discussions with your senior team so that your business doesn’t grind to a halt.

The proliferation of mobile devices, wireless internet, insecure apps and the Internet of Things, aided and abetted by cheap hacking tools, means that any approach to cyber security should include an assessment of mobile security to keep pace with emerging threats. For CEOs and CFOs in the UK and beyond, doing nothing is not an option.

Positive Technologies has announced its latest report from its own audits of web application security: Web Application Vulnerabilities in 2017. The results, collated through the security firm’s automated source code analysis through the PT Application Inspector, detected vulnerabilities in every single web application tested in 2017. Among the key findings, 94% of applications had at least one high-severity vulnerability, demonstrating that websites are a critical weakness for organizations.

Breaking down the detected vulnerabilities by severity level, most (65%) were of medium severity, with much of the remainder (27%) consisting of high-severity vulnerabilities.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies said: “Web applications practically have a target painted on their back. A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”

Financial services are at greatest risk

As expected by Positive Technologies experts, finance web applications (46% of all tested web applications) were at the greatest risk, with high-severity vulnerabilities found in 100% of tested banking and finance web applications.

In fact, web applications at banks and other financial institutions, as well as governments, draw the most attention from hackers, as confirmed in a series of Positive Technologies reports.

Denial of service is especially threatening for e-commerce web applications, because any downtime means missed business and lost customers. High-profile e-commerce web applications receive large amounts of daily visits, increasing the motivation for attackers to find vulnerabilities to turn against users.

Attacks targeting users are the most dangerous

Positive Technologies assessed the potential impact of every detected web application vulnerability and compiled a list of the most common security threats. The number-one threat is attacks that target web application users. Alarmingly, 87% of banking web applications and all government web applications tested by Positive Technologies were susceptible to attacks against users. Users of government web applications in particular tend to not be security-savvy, which makes them easy victims for attackers.

The most common vulnerability across the board was Cross-Site Scripting (affecting 82% of tested web applications), which allows attackers to perform phishing attacks against web application users or infect their computers with malware.

Other critical vulnerabilities also find their way into government web applications. For example, security assessment of a web application for a Russian local government revealed SQL Injection, a critical vulnerability that could allow attackers to obtain sensitive information from a database.

(Source: Positive Technologies)

Banks and card companies prevented £1,458.6 million in unauthorised financial fraud last year, equivalent to £2 in every £3 of attempted unauthorised fraud being stopped, the latest data from UK Finance shows.

In 2017, fraud losses on payment cards fell 8% year-on-year to £566.0 million. At the same time, card spending increased by 7%, meaning card fraud as a proportion of spending equates to 7.0p for every £100 spent – the lowest level since 2012. In 2016 the figure stood at 8.3p.

For the first time, annual data on losses due to authorised push payment scams (also known as APP or authorised bank transfer scams) has also been collated. A total of £236.0 million was lost through such scams in 2017.

The unauthorised fraud data on payment cards, remote banking and cheques for 2017 shows:

• Combined total losses fell by 5% to £731.8 million.
• Losses due to unauthorised transactions on payment cards fell 8% year-on-year to £566.0 million. The industry helped prevent £984.9 million in attempted unauthorised card fraud.
• Losses due to unauthorised remote banking fraud totalled £156.1 million, a 14% rise on 2016. Banks prevented £261.4 million of unauthorised remote banking fraud, 27% more than last year.
• Cheque fraud losses fell 28% in 2017 to £9.8 million. This is the lowest annual total on record. £212.3 million of attempted unauthorised cheque fraud was prevented.
• There were 1,910,490 reported cases of unauthorised financial fraud, a rise of 3% compared to the year before.

The new authorised push payment scams data, collected for the first time in 2017, shows:

• There were 43,875 reported cases of authorised push payment scams with a total value of £236.0 million. 88% of this total were retail consumers, losing an average of £2,784, and the remainder were businesses who lost on average £24,355 per case.
• Financial providers were able to return £60.8 million (26%) of the authorised push payment scam losses in 2017.

Katy Worobec, Managing Director of Economic Crime at UK Finance, said: “Fraud is an issue that affects the whole of society, and one which everyone must come together to tackle. The finance industry is committed to playing its part – investing in advanced security systems to protect customers, introducing new standards on how banks respond to scam victims, and working with the Joint Fraud Taskforce to deter and disrupt criminals and better trace, freeze and return stolen funds.

“We are also supporting the Payment Systems Regulator on its complex work on authorised push payment scams, providing the secretariat for its new steering group. It’s a challenging timetable, but it is important that we get it right to stop financial crime and for the benefit of customers.”

The finance industry is responding to the ongoing threat of all types of fraud and scams by:

• Helping to prevent customers being duped by criminals by raising awareness of how to stay safe through the Take Five to Stop Fraud campaign, in conjunction with the Home Office.
• Working with government and law enforcement to deter and disrupt criminals and better trace, freeze and return stolen funds, while calling for new powers on information sharing to allow banks to share data to detect and prevent financial crime better.
• Implementing new standards to ensure those who have fallen victim to fraud or scams get the help they need, including around-the-clock availability of fraud teams, to make it easier and better for the customer, and, where possible, improve the likelihood of their funds being recovered. UK Finance will also be the secretariat for the PSR’s new steering group on authorised push payment scams².
• Working with government on making possible legislative changes to account opening procedures to help the industry act more proactively on suspicion of fraud and prevent criminals from accessing financial systems.
• -Rolling out the Banking Protocol – a ground-breaking rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place – to every police force area in the UK. In 2017, while it was still being introduced across the country, the Protocol prevented £13.3 million of fraud and led to 129 arrests.
• Sponsoring the Dedicated Card and Payment Crime Unit⁵, a specialist police unit which tackles the organised criminal groups responsible for financial fraud and scams. This has led to a combined value in savings and disruptions in criminal activity of close to £30 million in 2017.
• Exploring new ways to track stolen funds moved between multiple bank accounts.

To help everyone stay safe from fraud and scams, Take Five to Stop Fraud urges customers to follow the campaign advice:

• A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password or to move money to another account. Only give out your personal or financial details to use a service that you have given your consent to, that you trust and that you are expecting to be contacted by.
• Don’t be tricked into giving a fraudster access to your personal or financial details. Never automatically click on a link in an unexpected email or text.
• Always question uninvited approaches in case it’s a scam. Instead, contact the company directly using a known email or phone number.

Tony Blake, Senior Fraud Prevention Officer at the Dedicated Card and Payment Crime Unit, said: “With criminals using social engineering to target people and businesses directly, it’s vital that everyone follows the advice of the Take Five campaign. Always stop and think if you are ever asked for your personal or financial details. Remember, no bank or genuine organisation will ever contact you out of the blue and ask you to transfer money to another account.”

Unauthorised fraud

In an unauthorised fraudulent transaction, the account holder does not provide authorisation for the payment to proceed and the transaction is carried out by a third-party.

Authorised fraud

In an authorised push payment (APP) scam, the account holder themselves authorises the payment to be made to another account. If a customer authorises the payment themselves, current legislation means that they have no legal protection to cover them for losses – which is different for an unauthorised transaction.

Banks will always endeavour to help customers recover money stolen through an authorised push payment scam but customers typically only approach their bank after the payment has been processed, once they realise they have been duped. By this time the criminal has often withdrawn the stolen funds and the customer’s money has gone. Alongside the extensive work already underway through the Joint Fraud Taskforce, UK Finance is also currently working with the Payment Systems Regulator on its proposals to tackle these scams.

Behind the data

Fraud intelligence points towards criminals’ use of social engineering tactics as a key driver of both unauthorised and authorised fraud losses. Social engineering is a method through which criminals manipulate people into divulging personal or financial details, or into transferring money directly to them, for example thorough impersonation scams and deception.

In an impersonation scam, a fraudster contacts a customer by phone, text message or email pretending to represent a trusted organisation, such as a bank, the police, a utility company or a government department. Under this guise, the criminal then convinces their victim into following their demands, sometimes making several separate approaches as part of one scam.

Data breaches also continue to be a major contributor to fraud losses. Criminals use stolen data to commit fraud directly, for example card details are used to make unauthorised purchases online or personal details used to apply for credit cards. Stolen personal and financial information is also used by criminals to target individuals in impersonation and deception scams, and can add apparent authenticity to their approach.

(Source: UK Finance)