Security researchers have detected a new type of ATM malware in Mexico that enables hackers to take complete control of a cash machine and make it dispense money on command.
Security firm Proofpoint reports that it has found instances of a new malware family, GreenDispenser, which, once installed on an ATM, displays a fake error message reading: "We regret this ATM is temporary out of service."
Only the attacker can clear this message, and unusually the malware gates its own controls behind two factors. The operator must first enter a PIN code that is hard-coded into the malware, and then use a smartphone to scan a QR code that the malware displays on the ATM screen.
Scanning the code yields a second, dynamically generated PIN that unlocks an interaction menu in the cash machine, giving the attacker complete control over the cash dispenser.
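To make that gating concrete, here is an added, illustrative model of a two-step unlock of the shape described above. It is written for this article and is not GreenDispenser's code or Proofpoint's analysis: the HMAC construction, the six-digit truncation, the five-minute freshness window, the PIN and the key are all assumptions, and the QR code is represented simply as the challenge string it would carry.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative model only; NOT the malware's actual scheme.
# All constants below are constructed for this example.
STATIC_PIN = "123456"                   # hypothetical hard-coded first factor
OPERATOR_KEY = b"operator-secret-key"   # hypothetical secret behind the second factor
WINDOW_SECONDS = 300                    # hypothetical freshness window for a challenge


def make_challenge(now=None):
    """ATM side: build the payload that would be rendered as the on-screen QR code.

    A random nonce plus a coarse time bucket; the nonce stops two mules from
    sharing one code, the bucket lets the ATM reject stale challenges.
    """
    now = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return f"{nonce}:{now // WINDOW_SECONDS}"


def derive_code(challenge, key=OPERATOR_KEY):
    """Operator side: turn the scanned challenge into the six-digit second PIN.

    Assumed construction: HMAC-SHA256 over the challenge, first four bytes
    reduced modulo 10^6, zero-padded.
    """
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def challenge_is_fresh(challenge, now=None):
    """ATM side: accept a challenge only from the current or adjacent time bucket."""
    now = int(now if now is not None else time.time())
    bucket = int(challenge.rsplit(":", 1)[1])
    return abs(now // WINDOW_SECONDS - bucket) <= 1


def unlock(pin, challenge, response, now=None, key=OPERATOR_KEY):
    """ATM side: the dispense menu opens only if both factors check out.

    Constant-time comparisons so the PIN and response cannot be guessed
    byte by byte through timing.
    """
    if not hmac.compare_digest(pin, STATIC_PIN):
        return False
    if not challenge_is_fresh(challenge, now):
        return False
    return hmac.compare_digest(response, derive_code(challenge, key))
```

The design point worth noticing is where the key lives. If the ATM-side component holds `OPERATOR_KEY` so that it can verify responses, as this model does, then the second factor only gates the person standing at the machine: anyone who recovers the binary can compute codes themselves. Protecting the scheme from that kind of analysis is exactly why self-deletion after the cash-out matters to an attacker.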
The malware also includes a menu option to securely delete itself from the ATM once the machine has been drained of cash, so that forensic investigators cannot easily recover it.
The rise of ATM malware
In October 2013, a backdoor named Ploutus was discovered in Mexico; it was installed on cash machines by inserting a new boot disk into the ATM's CD-ROM drive.
Once a machine was infected, the attackers could use the PIN keypad or an external keyboard to issue special commands that made the ATM dispense cash. A second, updated version released in March 2014 added the ability to trigger a cash-out by sending the machine an SMS text message.
Ploutus has not been seen outside Latin America, but the second version was written in English, suggesting the attackers intended to use it against ATMs in other countries.
In October 2014, Kaspersky Lab researchers found a malware family called Tyupkin (also known as Padpin) on more than 50 cash machines in Eastern Europe. It accepted commands only during specific night-time hours and demanded a key derived from a random seed each time the attacker wanted to withdraw money.
Finally, in September this year, security firm FireEye described another family, Suceful, found in Russia, which traps customers' debit or credit cards inside the ATM and releases them only on the attackers' command.
First Mexico, then the world
The malware has so far only been detected in Mexico, but financial institutions should take action now, the researchers warn, as other malware has originated in the country and spread across the world.
"While current attacks have been limited to certain geographical regions such as Mexico, it is only a matter of time before these techniques are abused across the globe. We believe we are seeing the dawn of a new criminal industry targeting ATMs, with only more to come," Proofpoint researcher Thoufique Haq wrote in a blog post.
"In order to stay ahead of attackers, financial entities should re-examine existing legacy security layers and consider deploying modern security measures to thwart these threats."