{"id":15977,"date":"2019-08-02T08:10:17","date_gmt":"2019-08-02T16:10:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/08\/02\/news-9721\/"},"modified":"2019-08-02T08:10:17","modified_gmt":"2019-08-02T16:10:17","slug":"news-9721","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/02\/news-9721\/","title":{"rendered":"Everything you need to know about ATM attacks and fraud: part 2"},"content":{"rendered":"<p><strong>Credit to Author: Jovi Umawing| Date: Fri, 02 Aug 2019 15:00:00 +0000<\/strong><\/p>\n<p>This is the second and final installment of our two-part series on automated teller machine (ATM) attacks and fraud.<\/p>\n<p>In <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/05\/everything-you-need-to-know-about-atm-attacks-and-fraud-part-1\/\" target=\"_blank\">part 1<\/a>, we identified the reasons why ATMs are vulnerable\u2014from inherent weaknesses of its frame to its software\u2014and delved deep into two of the four kinds of attacks against them: terminal tampering and physical attacks.<\/p>\n<p>Terminal tampering has many types, but it involves either physically manipulating components of the ATM or introducing other devices to it as part of the fraudulent scheme. 
Physical attacks, on the other hand, cause destruction to the ATM and to the building or surrounding area where the machine is situated.<\/p>\n<p>We have also supplied guidelines for users\u2014before, during, and after\u2014that will help keep them safe when using the ATM.<\/p>\n<p>For part 2, we\u2019re going to focus on the final two types of attacks: logical attacks and the use of <a href=\"https:\/\/blog.malwarebytes.com\/101\/2016\/01\/hacking-your-head-how-cybercriminals-use-social-engineering\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"social engineering (opens in a new tab)\">social engineering<\/a>.<\/p>\n<h3>Logical ATM attacks<\/h3>\n<p>As ATMs are essentially computers, fraudsters can and do use software as part of a coordinated effort to gain access to an ATM&#8217;s computer along with its components or its financial institution&#8217;s (FI&#8217;s) network. They do this, firstly, to obtain cash; secondly, to retrieve sensitive data from the machine itself and strip or chip cards; and lastly, to intercept data they can use to conduct fraudulent transactions.<\/p>\n<p>Enter logical attacks\u2014a term synonymous with <em>jackpotting<\/em> or <em>ATM cash-out attacks<\/em>. Logical attacks involve the exploitation and manipulation of the ATM\u2019s system using malware or an electronic device called a black box. Once cybercriminals gain control of the system, they direct it to essentially spew cash until the safe empties as if it were a slot machine.<\/p>\n<p>The concept of &#8220;jackpotting&#8221; became mainstream after the late renowned security researcher <a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Barnaby_Jack\" target=\"_blank\">Barnaby Jack<\/a> presented and demoed his research on the subject at the <a rel=\"noreferrer noopener\" href=\"https:\/\/www.blackhat.com\/html\/bh-us-10\/bh-us-10-speaker_bios.html#Jack\" target=\"_blank\">Black Hat security conference in 2010<\/a>. 
Many expected ATM jackpotting to become a real-world problem since then. And, indeed, it has\u2014in the form of logical attacks.<\/p>\n<p>In order for a logical attack to be successful, access to the ATM is needed. A simple way to do this is to use a tool, such as a drill, to make an opening to the casing so criminals can introduce another piece of hardware (a USB stick, for example) to deliver the payload. Some tools can also be used to pinpoint vulnerable points within the ATM\u2019s frame or casing, such as an endoscope, which is a medical device with a tiny camera that is used to probe inside the human body.<\/p>\n<p>If you think that logical attacks are too complex for the average cybercriminal, think again. For a substantial price, anyone with cash to spare can visit Dark Web forums and purchase ATM malware complete with easy how-to instructions. Because the less competent ATM fraudsters can use malware created and used by the professionals, the distinction between the two blurs.<\/p>\n<h4>Logical attack types<\/h4>\n<p>To date, there are two sub-categories of logical attacks fraudsters can carry out: malware-based attacks and black box attacks.<\/p>\n<p><strong>Malware-based attacks.<\/strong> As the name suggests, this kind of attack can use several different types of malware, including Ploutus, Anunak\/Carbanak, Cutlet Maker, and SUCEFUL, which we&#8217;ll profile below. How they end up on the ATM\u2019s computer or on its network is a matter we should all familiarize ourselves with.<\/p>\n<p><em>Installed at the ATM\u2019s PC:<\/em><\/p>\n<ul>\n<li>Via a USB stick. Criminals load up a USB thumb drive with malware and then insert it into a USB port of the ATM\u2019s computer. The port is either exposed to the public or behind a panel that one can easily remove or punch a hole through. 
As these ATM frames are neither sturdy nor secure enough to counter this type of physical tampering, infecting via USB and external hard drive will always be an effective attack vector. In a 2014 article, SecurityWeek covered <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.securityweek.com\/skillful-hackers-drained-atms-using-malware-laden-usb-drives\" target=\"_blank\">an ATM fraud that successfully used a malware-laden USB drive<\/a>.<\/li>\n<li>Via an external hard drive or CD\/DVD drive. The tactic is similar to the USB stick but with an external hard drive or bootable optical disk.<\/li>\n<li>Via infecting the ATM computer\u2019s own hard drive. The fraudsters either disconnect the ATM\u2019s hard drive to replace it with an infected one or they remove the hard drive from its ATM, infect it with a Trojan, and then reinsert it.<\/li>\n<\/ul>\n<p><em>Installed at the ATM\u2019s network:<\/em><\/p>\n<ul>\n<li>Via an insider. Fraudsters can coerce or team up with a bank employee with ill-intent against their employer to let them do the dirty work for them. The insider gets a cut of the cashed-out money.<\/li>\n<li>Via social engineering. Fraudsters can use <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/glossary\/spear_phishing\/\" target=\"_blank\">spear phishing<\/a> to target certain employees in the bank to get them to open a malicious attachment. Once executed, the malware infects the entire financial institution\u2019s network and its endpoints, which include ATMs. The ATM then becomes a slave machine. 
Attackers can send instructions directly to the slave machine for it to dispense money and have money mules collect.\n<p>Note that as criminals are already inside the FI\u2019s network, a new opportunity to make money opens its doors: They can now break into sensitive data locations to steal information and\/or proprietary data that they can further abuse or sell in the underground market.<\/li>\n<\/ul>\n<p><em>Installed via <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/man-in-the-middle-mitm\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Man-in-the-Middle (MiTM)<\/a> tactics:<\/em><\/p>\n<ul>\n<li>Via fake updates. Malware could be introduced to ATM systems via a bogus software update, as explained by Benjamin Kunz-Mejri, CEO and founder of Vulnerability Lab, after he discovered (by accident) that ATMs in Germany publicly display sensitive system information during their software update process. <a href=\"https:\/\/www.securityweek.com\/serious-flaws-found-atms-german-bank\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">In an interview<\/a>, Kunz-Mejri said that fraudsters could potentially use the information to perform a MiTM attack to get inside the network of a local bank, run malware that was made to look like a legitimate software update, and then control the infected ATM. <\/li>\n<\/ul>\n<p><strong>Black box attacks.<\/strong> A black box is an electronic device\u2014either another computer, mobile phone, tablet, or even <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/krebsonsecurity.com\/2015\/01\/thieves-jackpot-atms-with-black-box-attack\/\" target=\"_blank\">a modified circuit board linked to a USB wire<\/a>\u2014that issues ATM commands at the fraudster\u2019s bidding. 
The act of physically disconnecting the cash dispenser from the ATM computer to connect the black box bypasses the need for attackers to use a card or get authorization to confirm transactions. Off-premise retail ATMs are likely targets of this attack.<\/p>\n<p>A black box attack could involve social engineering tactics, like dressing up as an ATM technician, to allay suspicions while the threat actor physically tampers with the ATM. At times, fraudsters use an endoscope, a medical tool used to probe the human body, to locate and disconnect the cash dispenser&#8217;s wire from the ATM computer and connect it to their black box. This device then issues commands to the dispenser to push out money.<\/p>\n<p>As this type of attack does not use malware, a black box attack usually leaves little to no evidence\u2014unless the fraudsters left behind the hardware they used, of course.<\/p>\n<p>Experts have observed that as reports of black box attacks have dropped, malware attacks on ATMs are increasing.<\/p>\n<h4>ATM malware families<\/h4>\n<p>As mentioned in part 1, there are over 20 strains of known ATM malware. We&#8217;ve profiled four of those strains to give readers an overview of the diversity of malware families developed for ATM attacks. We&#8217;ve also included links to external references you can read in case you want to learn more.<\/p>\n<p><strong>Ploutus.<\/strong> This is a malware family of ATM backdoors that was first detected in 2013. Ploutus is specifically designed to force the ATM to dispense cash, not steal card holder information. An earlier variant was introduced to the ATM computer via inserting an infected boot disk into its CD-ROM drive. An external keyboard was also used, as the malware responds to commands executed by pressing certain function keys (the F1 to F12 keys on the keyboard). 
Newer versions also use mobile phones, are persistent, target the most common ATM operating systems, and can be tweaked to make them vendor-agnostic.<\/p>\n<p>Daniel Regalado, principal security researcher for Zingbox, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.zingbox.com\/blog\/piolin-the-first-atm-malware-jackpotting-atms-in-usa\/\" target=\"_blank\">noted in a blog post<\/a> that a modified Ploutus variant called Piolin was used in the first ATM jackpotting crimes in North America, and that the actors behind these attacks are not the same actors behind the jackpotting incidents in Latin America. <\/p>\n<p><em>References on Ploutus:<\/em><\/p>\n<ul>\n<li><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.symantec.com\/connect\/blogs\/criminals-hit-atm-jackpot\" target=\"_blank\">Criminals hit the ATM jackpot<\/a> (Source: Symantec)<\/li>\n<li><a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/01\/new_ploutus_variant.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">New variant of Ploutus ATM malware observed in the wild in Latin America<\/a> (Source: FireEye)<\/li>\n<\/ul>\n<p><strong>Anunak\/Carbanak.<\/strong> This advanced persistent malware was first encountered in the wild affecting Ukrainian and Russian banks. It\u2019s a backdoor based on Carberp, a known information-stealing Trojan. 
Carbanak, however, was designed to siphon off data, perform espionage, and remotely control systems.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"39083\" data-permalink=\"https:\/\/blog.malwarebytes.com\/101\/2019\/08\/atm-attacks-and-fraud-part-2\/attachment\/carbanak-admin-panel-kaspersky\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/carbanak-admin-panel-kaspersky.png\" data-orig-size=\"1041,570\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"carbanak-admin-panel-kaspersky\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/carbanak-admin-panel-kaspersky-300x164.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/carbanak-admin-panel-kaspersky-600x329.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/carbanak-admin-panel-kaspersky.png\" alt=\"\" class=\"wp-image-39083\" width=\"521\" height=\"285\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/carbanak-admin-panel-kaspersky.png 1041w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/carbanak-admin-panel-kaspersky-300x164.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/carbanak-admin-panel-kaspersky-600x329.png 600w\" sizes=\"auto, (max-width: 521px) 100vw, 521px\" \/><figcaption>The Anunak\/Carbanak admin panel (Courtesy of Kaspersky)<\/figcaption><\/figure>\n<\/div>\n<p>It arrives on 
financial institution networks as an attachment to a spear phishing email. Once in the network, it looks for endpoints of interest, such as those belonging to administrators and bank clerks. As the APT actors behind Carbanak campaigns don\u2019t have prior knowledge of how their target\u2019s system works, they surreptitiously video record how the admin or clerk uses it. Knowledge gained can be used to move money out of the bank and into criminal accounts.<\/p>\n<p><em>References on Anunak\/Carbanak:<\/em><\/p>\n<ul>\n<li><a href=\"https:\/\/www.group-ib.com\/resources\/threat-research\/Anunak_APT_against_financial_institutions.pdf\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Anunak: APT against financial institutions<\/a> [PDF] (Source: Group-IB and For-IT)<\/li>\n<li><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/securelist.com\/the-great-bank-robbery-the-carbanak-apt\/68732\/\" target=\"_blank\">The great bank robbery: the Carbanak APT<\/a> (Source: Kaspersky)<\/li>\n<\/ul>\n<p><strong>Cutlet Maker.<\/strong> This is one of several ATM malware families being sold in underground hacking forums. 
It is actually a kit comprised of (1) the malware file itself, which is named Cutlet Maker; (2) c0decalc, which is a password-generating tool that criminals use to unlock Cutlet Maker; and (3) Stimulator, another benign tool designed to display information about the target ATM\u2019s cash cassettes, such as the type of currency, the value of the notes, and the number of notes for each cassette.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"39086\" data-permalink=\"https:\/\/blog.malwarebytes.com\/101\/2019\/08\/atm-attacks-and-fraud-part-2\/attachment\/cutler-maker-ui-forbes-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cutler-maker-ui-forbes-1.png\" data-orig-size=\"588,429\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"cutler-maker-ui-forbes\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cutler-maker-ui-forbes-1-300x219.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cutler-maker-ui-forbes-1.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cutler-maker-ui-forbes-1.png\" alt=\"\" class=\"wp-image-39086\" width=\"441\" height=\"322\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cutler-maker-ui-forbes-1.png 588w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cutler-maker-ui-forbes-1-300x219.png 300w\" sizes=\"auto, (max-width: 441px) 100vw, 441px\" 
\/><figcaption>Cutlet Maker\u2019s interface (Courtesy of Forbes)<\/figcaption><\/figure>\n<\/div>\n<p><em>References on Cutlet Maker:<\/em><\/p>\n<ul>\n<li><a href=\"https:\/\/securelist.com\/atm-malware-is-being-sold-on-darknet-market\/81871\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ATM malware is being sold on Darknet market<\/a> (Source: Securelist)<\/li>\n<\/ul>\n<p><strong>SUCEFUL.<\/strong> Hailed as the first multi-vendor ATM malware, SUCEFUL was designed to capture bank cards in the infected ATM\u2019s card slot, read the card\u2019s magnetic strip and\/or chip data, and disable ATM sensors to prevent immediate detection.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"39087\" data-permalink=\"https:\/\/blog.malwarebytes.com\/101\/2019\/08\/atm-attacks-and-fraud-part-2\/attachment\/suceful-testing-interface-fireeye-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/suceful-testing-interface-fireeye-1.png\" data-orig-size=\"1009,388\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"suceful-testing-interface-fireeye\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/suceful-testing-interface-fireeye-1-300x115.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/suceful-testing-interface-fireeye-1-600x231.png\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/suceful-testing-interface-fireeye-1.png\" alt=\"\" class=\"wp-image-39087\" width=\"505\" height=\"194\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/suceful-testing-interface-fireeye-1.png 1009w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/suceful-testing-interface-fireeye-1-300x115.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/suceful-testing-interface-fireeye-1-600x231.png 600w\" sizes=\"auto, (max-width: 505px) 100vw, 505px\" \/><figcaption>The malware\u2019s name is derived from a typo\u2014supposed to be \u2018successful\u2019\u2014by its creator, as you can see from this testing interface (Courtesy of FireEye)<\/figcaption><\/figure>\n<\/div>\n<p><em>References on SUCEFUL:<\/em><\/p>\n<ul>\n<li><a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2015\/09\/suceful_next_genera.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">SUCEFUL: next generation ATM malware<\/a> (Source: FireEye)<\/li>\n<\/ul>\n<hr class=\"wp-block-separator is-style-wide\"\/>\n<h3>Social engineering<\/h3>\n<p>Directly targeting ATMs by compromising their weak points, whether they\u2019re found on the surface or on the inside, isn\u2019t the only effective way for fraudsters to score easy cash. They can also take advantage of the people using the ATMs. 
Here are the <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2018\/08\/social-engineering-attacks-what-makes-you-susceptible\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"ways users can be social engineered (opens in a new tab)\">ways users can be social engineered<\/a> into handing over hard-earned money to criminals, often without knowing.<\/p>\n<p><em>Defrauding the elderly.<\/em><strong> <\/strong>This has become <a href=\"https:\/\/www.atmmarketplace.com\/articles\/atm-fraud-the-evolution-of-an-epidemic\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">a trend in Japan<\/a>. Fraudsters posing as relatives in need of emergency money or government officials collecting fees target elderly victims. They then \u201chelp\u201d them by providing instructions on how to transfer money via the ATM.<\/p>\n<p><em>Assistance fraud.<\/em> Someone somewhere at some point in the past may have been approached by a kindly stranger in the same ATM queue, offering a helping hand. Scammers use this tactic so they can memorize their target\u2019s card number and PIN, which they then use to initiate unlawful money transactions.<\/p>\n<p>The likely targets for this attack are also the elderly, as well as confused new users who are likely first-time ATM card owners.<\/p>\n<p><em>Shoulder surfing.<\/em> This is the act of being watched by someone while you punch in your PIN using the ATM\u2019s keypad. Stolen PIN codes are particularly handy for a shoulder surfer, especially if their target absent-mindedly leaves the area after retrieving their cash but hasn&#8217;t fully completed the session. Some ATM users walk away before they can even answer the machine when it asks if they have another transaction. 
And before the prompt disappears, the fraudster enters the stolen PIN to continue the session.<\/p>\n<p><em>Eavesdropping.<\/em> Like the previous point, the goal of eavesdropping is to steal the target\u2019s PIN code. This is done by listening to and memorizing the tones the ATM keys make when someone punches in their PIN during a transaction session.<\/p>\n<p><em>Distraction fraud.<\/em> This tactic swept through Britain a couple years ago. And the scenario goes like this: An unknowing ATM user gets distracted by the sound of dropping coins behind him\/her while taking out money. He or she turns around to help the person who dropped the coins, not knowing that someone else is already either stealing the cash the ATM just spewed out or swapping a fake card for their real one. The ATM user looks back at the terminal, content that everything looks normal, then goes on their way. The person they helped, on the other hand, either is given the stolen card or tells their accomplice the stolen card\u2019s PIN, which he\/she memorized when their target punched it in and before deliberately dropping the coins.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"39092\" data-permalink=\"https:\/\/blog.malwarebytes.com\/101\/2019\/08\/atm-attacks-and-fraud-part-2\/attachment\/distraction-barclays-campaign\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/distraction-barclays-campaign.jpg\" data-orig-size=\"634,360\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;u00a9 
Barclays&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"distraction-barclays-campaign\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/distraction-barclays-campaign-300x170.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/distraction-barclays-campaign-600x341.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/distraction-barclays-campaign.jpg\" alt=\"\" class=\"wp-image-39092\" width=\"476\" height=\"270\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/distraction-barclays-campaign.jpg 634w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/distraction-barclays-campaign-300x170.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/distraction-barclays-campaign-600x341.jpg 600w\" sizes=\"auto, (max-width: 476px) 100vw, 476px\" \/><figcaption>A still taken from Barclay\u2019s public awareness campaign video on distraction fraud (Courtesy of This is Money) <\/figcaption><\/figure>\n<\/div>\n<h3>Continued vigilance for ATM users and manufacturers<\/h3>\n<p>Malware campaigns, black box attacks, and social engineering are problems that are actively being addressed by both ATM manufacturers and their financial institutions. However, that doesn\u2019t mean that ATM users should let their guard down.<\/p>\n<p>Keep in mind the social engineering tactics we outlined above when using an ATM, and don&#8217;t forget to keep a lookout for something &#8220;off&#8221; with the machine you&#8217;re interacting with. 
While it&#8217;s quite unlikely a user could tell if an information-stealer had compromised her ATM (until she saw the discrepancies in her transaction records later), there are some malware types that can physically capture cards. <\/p>\n<p>If this happens, do not leave the ATM premises. Instead, record every detail in relation to what happened, such as the time it was captured, the ATM branch you use, and which transactions you made prior to realizing the card would not eject. Take pictures of the surroundings, the ATM itself, and attempt to stealthily snap any people potentially lingering about. Finally, call your bank and\/or card issuer to report the incident and request card termination.<\/p>\n<p>We would also like to point you back to <a rel=\"noreferrer noopener\" aria-label=\"part 1 of this series (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/05\/everything-you-need-to-know-about-atm-attacks-and-fraud-part-1\/\" target=\"_blank\">part 1 of this series<\/a> again, where we included a useful guideline for reference on what to look out for before dropping by an ATM outlet.<\/p>\n<p>As always, stay safe!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/08\/atm-attacks-and-fraud-part-2\/\">Everything you need to know about ATM attacks and fraud: part 2<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/08\/atm-attacks-and-fraud-part-2\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Jovi Umawing| Date: Fri, 02 Aug 2019 15:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/101\/2019\/08\/atm-attacks-and-fraud-part-2\/' title='Everything you need to know about ATM attacks and fraud: part 2'><img 
src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/shutterstock_1368951989.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>In part two of this two-part series on ATM attacks and fraud, we outline the final two ATM attack types\u2014logical and social engineering\u2014and provide info on how they are conducted, the different malware families used in these attacks, and how to protect against them.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/\" rel=\"category tag\">101<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/alice\/\" rel=\"tag\">ALICE<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/anunak\/\" rel=\"tag\">anunak<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/assistance-fraud\/\" rel=\"tag\">assistance fraud<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/atm-attacks\/\" rel=\"tag\">atm attacks<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/atm-cash-out-attacks\/\" rel=\"tag\">atm cash-out attacks<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/atm-fraud\/\" rel=\"tag\">atm fraud<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/atm-malware\/\" rel=\"tag\">atm malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/barnaby-jack\/\" rel=\"tag\">barnaby jack<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/black-box-attacks\/\" rel=\"tag\">black box attacks<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/blog-series\/\" rel=\"tag\">blog series<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/c0decalc\/\" rel=\"tag\">c0decalc<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/carbanak\/\" rel=\"tag\">carbanak<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/cutlet-maker\/\" rel=\"tag\">cutlet maker<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/daniel-regalado\/\" rel=\"tag\">daniel regalado<\/a><a 
href=\"https:\/\/blog.malwarebytes.com\/tag\/defrauding-the-elderly\/\" rel=\"tag\">defrauding the elderly<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/distraction-fraud\/\" rel=\"tag\">distraction fraud<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/eavesdropping\/\" rel=\"tag\">eavesdropping<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/extensions-for-financial-services\/\" rel=\"tag\">extensions for financial services<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/greendispenser\/\" rel=\"tag\">greendispenser<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/jackpotting\/\" rel=\"tag\">jackpotting<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/logical-attacks\/\" rel=\"tag\">logical attacks<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware-based-attack\/\" rel=\"tag\">malware-based attack<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/padpin\/\" rel=\"tag\">padpin<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ploutus\/\" rel=\"tag\">ploutus<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/sdelete\/\" rel=\"tag\">sdelete<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/secure-delete\/\" rel=\"tag\">secure delete<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/shoulder-surfing\/\" rel=\"tag\">shoulder surfing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/social-engineering-attacks\/\" rel=\"tag\">social engineering attacks<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/stimulator\/\" rel=\"tag\">stimulator<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/suceful\/\" rel=\"tag\">suceful<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tyupkin\/\" rel=\"tag\">tyupkin<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/xfs-middleware\/\" rel=\"tag\">xfs middleware<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/101\/2019\/08\/atm-attacks-and-fraud-part-2\/' title='Everything you need to know about ATM attacks and fraud: part 2'>Read 
more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/08\/atm-attacks-and-fraud-part-2\/\">Everything you need to know about ATM attacks and fraud: part 2<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10519,19849,11543,22539,21903,22540,10669,22541,17349,22542,21850,22543,11544,22544,17325,22545,22546,12874,22547,22548,17481,22549,22550,22551,22552,22553,22554,22555,19116,22556,22557,22558,22559],"class_list":["post-15977","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-10519","tag-alice","tag-anunak","tag-assistance-fraud","tag-atm-attacks","tag-atm-cash-out-attacks","tag-atm-fraud","tag-atm-malware","tag-barnaby-jack","tag-black-box-attacks","tag-blog-series","tag-c0decalc","tag-carbanak","tag-cutlet-maker","tag-daniel-regalado","tag-defrauding-the-elderly","tag-distraction-fraud","tag-eavesdropping","tag-extensions-for-financial-services","tag-greendispenser","tag-jackpotting","tag-logical-attacks","tag-malware-based-attack","tag-padpin","tag-ploutus","tag-sdelete","tag-secure-delete","tag-shoulder-surfing","tag-social-engineering-attacks","tag-stimulator","tag-suceful","tag-tyupkin","tag-xfs-middleware"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":tru
e,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15977"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15977\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15977"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}