News Stay informed about the latest enterprise technology news and product updates.

Diebold ATMs in Russia targeted with malware

Company issued a security update after criminals attacked its Windows-based ATMs in Russia and installed malware.

Diebold Inc. issued a security update for its Windows-based ATMs after criminals attacked a number of them in Russia and installed malware designed to steal sensitive data.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

North Canton, Ohio-based Diebold alerted customers about the break-ins and the security update in January. The attacks, which were isolated to Russia, involved physical access to ATMs and were not a network-level security compromise, the company said in its notice. The suspects in the case have been apprehended, according to Diebold.

Diebold spokeswoman DeAnn Zackeroff said the physical attacks on the machines were very low-tech but that the malware installation indicated that the attackers were highly sophisticated.

She said a number of machines in Russia were attacked, but that Diebold moved quickly to alert its customers and issue the software update.

In a letter to customers, Scott Angelo, Diebold vice president and chief security officer, said the software update is a precautionary measure. "Diebold believes this update will help prevent the attack that was targeted in Russia from occurring at Diebold ATMs in other regions in the future," he said.

In its alert, Diebold noted the risk to the ATMs was "significantly increased" if the Windows administrative password has been compromised, the hardened version of Windows provided by Diebold isn't used, or if the Sygate/Symantec firewall provided with Diebold Agilis software has been disabled or isn't configured properly. The company advised its customers of security best practices, including changing the default Windows password on its Windows-based ATMs, and making periodic changes to the administrative password.

Vanja Svajcer, a principal virus researcher at UK-based antivirus supplier Sophos Plc., this week discovered the malware that targeted the Diebold ATMs.

In an interview, Graham Cluley, senior technology consultant at Sophos, said the malware appeared to be the first targeting ATMs.

"Obviously, fraudsters have tried to connect devices to ATMs before," he said. "Normally they attach them on the outside of the machine, so there's something for the public to see, but if they install malware onto the machine, there's nothing for the human eye to see."

While Sophos researchers can't test the malware on an ATM, Cluley said it appears that the malware tried to copy an ATM user's card and PIN numbers and then waited until a member of the criminal gang inserted a specially crafted card into the machine. The software would recognize the card and print out the stolen card and PIN numbers onto the paper ATM receipt.

SearchSecurity radio:

The incident isn't reason for people to panic about using cash machines, Cluley said.

"We only have reports of this occurring in Russia. The hackers needed physical access to the device to install the software," he said.

Plus, the attackers needed inside knowledge of the ATMs, he added. "When we looked at the malware, it was communicating with the ATM machine and sending instructions. They wouldn't have known what instructions to send unless they had inside information about the way the ATM worked," he said.

Still, as more cybercrime is financially driven, the temptation for criminal gangs to hire insiders to help them in these schemes could increase, he said.

"This latest offense against Diebold's ATMs is another example of the growing level of sophistication and aggression involving ATM-related crime," Angelo wrote in the letter to customers. "Security is one of Diebold's absolute priorities and our engineers are working constantly to address emerging ATM security threats."

Dig Deeper on Debit and credit card fraud prevention

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.