Proofpoint say they have discovered a new type of ATM malware dubbed “GreenDispenser”, which allows infected machines to be drained of cash.
When installed, GreenDispenser may display an ‘out of service’ message on the ATM, but
attackers who enter the correct PIN codes can then empty the ATM’s cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed – according to an article in FSTech.
Proofpoint notes that initial malware installation would likely require physical access to the ATM – raising questions of compromised physical security or personnel. GreenDispenser also had the ability to target ATM hardware from multiple vendors using the XFS standard, said the analysts, with attackers probably using an application that could run on a mobile phone to carry out the attack.
The malware strains that Proofpoint inspected were coded to run only if the year was 2015 and the month was earlier than September, suggesting that GreenDispenser was initially employed in a limited operation and designed to deactivate itself to avoid detection. Investigators picked up attacks taking place in Mexico, but said the techniques used were likely to go global.
“ATM malware such as GreenDispenser is particularly alarming because it allows cyber criminals to attack financial institutions directly, without the extra steps required to capture credit and debit card information from consumers – and with correspondingly less traceability,” explains Kevin Epstein, vice president of threat operations for Proofpoint.
“In order to stay ahead of attackers, financial entities should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats.”