Proofpoint discovers new ATM cash draining malware
September 2015 by Proofpoint
Proofpoint researchers are announcing their discovery of a new ATM malware, dubbed GreenDispenser, which provides an attacker with the ability to walk-up to an infected machine and drain its cash.
When installed, GreenDispenser displays an ‘out of service’ message on the ATM — but attackers who enter the correct pin codes can then drain the ATM’s cash and erase the malware using a deep delete process, leaving little trace of how the ATM was robbed.
Proofpoint has witnessed current attacks taking place in Mexico; however, they believe it is only a matter a time before these techniques are abused across the globe.
Would you like a briefing with Proofpoint’s Kevin Epstein (VP of Threat Operations) to hear more about GreenDispenser? Proofpoint has published a blog post around its discovery, which can be found here. Key findings include:
Initial malware installation of GreenDispenser likely requires physical access to the ATM, raising questions of compromised physical security or personnel.
GreenDispenser has the ability to target ATM hardware from multiple vendors using the XFS standard, which is widely adopted by various ATM vendors.
The malware strains Proofpoint inspected were coded to run only if the year was 2015 and the month was earlier than September, suggesting that GreenDispenser was employed in a limited operation and designed to deactivate itself to avoid detection.
Proofpoint suspects that the attacker has an application that can run on a mobile phone in order to carry out the attack, which acts similar to two-factor authentication.
“ATM malware such as GreenDispenser is particularly alarming because it allows cybercriminals to attack financial institutions directly, without the extra steps required to capture credit and debit card information from consumers – and with correspondingly less traceability. In order to stay ahead of attackers, financial entities should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats.” – Kevin Epstein, vice president of Threat Operations for Proofpoint