JUST WHEN YOU THOUGHT it was safe to go back to the cash machine, a new piece of malware, dubbed GreenDispenser, has been discovered that allows attackers to walk up to an infected ATM and suck it dry of every last peso.
We say peso because so far the attacks have centred on Mexico, but security analysts at Proofpoint, who discovered the malware, believe it could easily be deployed anywhere in the world.
What is particularly nasty about GreenDispenser is that it uses a deep-delete process to leave little or no trace of exactly what happened: simply entering a predefined PIN embedded in the malicious code spits everything out and wipes the machine.
Kevin Epstein, vice president of threat operations for Proofpoint, said: "ATM malware such as GreenDispenser is particularly alarming because it allows cyber criminals to attack financial institutions directly, without the extra steps required to capture credit and debit card information from consumers, and with correspondingly less traceability.
"In order to stay ahead of attackers, financial entities should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats."
Given that cash machines generally have no access to the web, attackers must have had physical access to the ATMs at some point in order to infect them, which suggests an 'inside job'.
GreenDispenser targets the CEN Extended Financial Services (XFS) middleware used by Windows-based cash machines. Many ATMs still run Windows XP Embedded, which Microsoft continues to support until 2019, but that does not seem to have stopped GreenDispenser.
GreenDispenser also has a 'self-destruct' mechanism, which means it will only work until a certain date, after which it disappears, just in case something goes wrong.
For added security, two-factor authentication with a mobile phone (let's face it, probably Android) is almost certainly used.
This is not the first attack of its type. Way back in 2014, Kaspersky uncovered Tyupkin, a similar scheme that gives thieves access, specifically on Sunday and Monday nights. Presumably because there's nowt on telly.
Of course, the other way to break into a cash machine is to just read the instructions. µ