Last week threat researchers from the Trend Micro Forward-Looking Threat Research Team (FTR) discovered a new family of ATM malware called Alice. Unlike other ATM malware families, Alice’s main focus is to empty the safe of ATMs. Alice does not steal information, it only enables its users with physical access to machines to steal as much money available from the ATM.

The cyber security company said ATM attacks are nothing new; cyber-criminal gangs have been attacking ATMs since the 1990s, however the scope and scale of these attacks are a growing challenge. Attacks on financial payment systems are constantly evolving, from attacking interbank transfer systems such as SWIFT to the tried and true attacks on ATMs like the ones we have seen recently in Thailand, Taiwan and the UK.

Today there are well over 3 million ATMs around the world, with a new one added approximately every five minutes. Even with the growth of alternative payment systems ATM, usage is here to stay.

According to Retail Banking Research (RBR), the U.S. currently has 432,000 ATMs, with around 110,000 bank branches where these ATMs delivered 5.6 billion cash withdrawals totaling $691 billion, up 4 percent from $666 billion in the previous year. Financial institutions continue to innovate to provide additional services and reduce costs of brick and mortar branches, however this could come at a greater cost by making them bigger targets for criminals. For the better part of a decade, the largest threat to ATMs have been skimming operations where track (account) data and PINs were captured via homemade in-line skimmers with either fake pad overlays or even hidden cameras. Only in the last few years have we seen the accelerated development and usage of ATM malware, which enables additional opportunities for cyber criminals to compromise ATMs globally.

ATM malware has been around since 2007.  Over the past nine years Trend Micro claims it tracked and analyzed eight unique families, and the bulk of those families were discovered in the last 3 years. This type of increase in malware development usually coincides with a similar increase in attacks. Recent ATM attacks in Russia, Spain and the United Kingdom are even more ominous whereas early reports show these ATMs were attacked remotely. Although Alice looks to be written for money mules who have physical access to machines, Trend Micro researchers do show that Alice could be used via RDP, however there are no evidence yet of remote usage.

This newly discovered Alice ATM malware family was first discovered by Trend Micro in November 2016 as a result of an ongoing joint research project and partnership on ATM malware with Europol EC3.

Click this link for more information on Alice.

Leave a Reply