A look at the 2020–2022 ATM/PoS malware landscape

During the pandemic, lockdowns forced people to stay at home and do their shopping online, which was mirrored in point-of-sale (PoS) and ATM malware activity, as certain regions saw malicious transactions drop significantly. Now, as we predicted in last year’s forecast, many are returning to their usual ways of life, visiting stores and withdrawing cash, and the threat of PoS/ATM malware is also making a comeback: the cybercriminals are already implementing new ways to steal from banks and organizations, and the number of attacks is on the rise, too.

By cracking an ATM or PoS terminal, attackers can obtain tens of thousands of dollars overnight. The risk is the highest with older ATM models, as these are difficult to repair or replace and seldom use security software to avoid further degrading their already-subpar performance.

PoS terminals are attacked just as often: few people give a thought to the fact that these machines need protection, as they hold the key to the bank accounts of hundreds of customers. These devices can be found in almost every store, restaurant, or other type of establishment, but they can be even easier for fraudsters to access. The reason is the same as with attacks on ATM machines: due to the large number of PoS terminals, most owners take too long to update their equipment, using obsolete operating systems running old (and vulnerable) software, to preserve the compatibility with legacy hardware and software.

Perpetrators continue to spread already-existing, widely used malware to attack PoS terminals and ATMs. As a result, both the threat of these attacks and the number of incidents are growing.

Methodology

We observed the threat landscape of ATM/PoS malware attacks and how it changed in 2020-2022. Specifically, we looked at the number of affected ATMs and PoS terminals, geography of attacks and threat families used by cybercriminals to target victims. For these purposes, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2020 and August 2022.

Key findings

• In the first eight months of 2022, the number of unique devices affected by ATM/PoS malware grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021.
• Recovering from the 2020 slump, the number of attacks continued to grow steadily, and we expect cybercrime activity to increase further.
• HydraPOS and AbaddonPOS proved to be the most active families. The TOP-5 also included Ploutus, RawPOS, and Prilex.

ATM/PoS malware attacks: how COVID-19 affected the landscape, and what comes next

In 2020, the number of attacks significantly decreased in comparison to 2019 (see ATM/PoS malware report for 2017–2019). Specifically, the number of affected systems dropped to less than 5,000 in 2020 from more than 8,000 in 2019.

Number of unique devices affected by ATM/PoS malware in 2018–2021 (download)

There are several factors behind this. In Latin America, one of the most “restless” regions in terms of ATM/POS malware activity, many devices were turned off during the lockdowns and official restrictions. Apart from that, the number of cash machines around the world tends to decrease: for example, the total number of ATMs in the UK has been falling every year since 2015; in Saudi Arabia, the number of operating machines dropped by 10% in 2021. Consequently, attackers faced a shrinking market.

The trend could also be linked to consumers spending less during the COVID-19 outbreak in 2020. According to Central Bank of Ireland statistics, there were fewer purchases with cards and fewer cash withdrawals.

Successful vaccination programs and the lifting of COVID restrictions have allowed consumers to go back to their familiar lifestyles, and normal spending patterns are coming back. In 2021, the number of devices affected by ATM/PoS malware went up by 39% year on year.

In the first eight months of 2022, the number of unique devices hit by ATM/PoS malware grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021. With these tendencies in mind, we expect further growth in ATM/PoS transactions and an associated increase in attacker activity.

Number of unique devices affected by ATM/PoS malware in the first halves of 2020–2022 (download)

Who should prick up their ears: the most “restless” regions in 2020–2022

Russia was a leader in 2017-2021 (see also our previous report). This country maintains a relatively outdated fleet of ATMs, making it a “piece of cake” for perpetrators to hack and a consistent target throughout the period in question. The older equipment is vulnerable to most malware families and has a relatively low level of cybersecurity. Many Windows versions used in the ATMs have long reached their end of support but still remain in service. Brazil, a consistent member of the TOP in 2017-2022, has a similar situation: its ATM fleet is rather old, too. In addition to this, the attackers in the region have been busy creating new variants of existing malware.

Zimbabwe debuted in the TOP-5 in 2021 and stayed among leaders in 2022. The country has strong economic ties with China, which invests and exports manpower to many places in Africa. This plays a key role in Zimbabwe’s economic growth: Chinese investors are opening a lot of new businesses, such as hotels and other types of establishments previously uncommon to Africa. This improvement in infrastructure is generating cash flows, turning the region into an attractive target for cybercriminals.

TOP 10 countries by number of unique devices affected by ATM/PoS malware in 2020—2022

2020

2021

2022

The most active malware families in 2022

HydraPoS and AbaddonPoS account for roughly 71% of all ATM/PoS malware detections^[1], with 36% and 35% respectively. The TOP-5 also includes Ploutus (3%), RawPoS, and Prilex (2% per each), whereas the remaining 61 families and modifications we reviewed account for less than 2% per each.

The TOP-5 families are primarily PoS malware, except from Ploutus, which is more widespread than ATM malware, as it preys on payment terminals. These systems are used in many shops, restaurants and other retail outlets, where the cybersecurity level is typically low, and therefore, are more accessible to attackers than cash machines, which are usually bank property and in many cases have solid security systems, not to mention restricted physical access.

HydraPoS
HydraPoS has not been seen releasing new versions recently, yet it holds a strong leading position in our rankings of malware families. This is a PoS malware tool originating in Brazil and notorious for cloning credit cards. HydraPOS combines several pieces of malware, with hundreds of different builds and versions, and a handful of legitimate third-party tools. In 2019, we reported on new features that had been added to the main module with the purpose of improving persistence and making HydraPOS stealthier.
HydraPOS has been spotted in attacks that employed social engineering techniques. Cybercriminals presented themselves as an employee of a credit card company on the phone, asking employees to access a website and install “an update”, which would trigger an infection giving the criminals access to the company’s systems.

AbaddonPoS
The AbaddonPoS family was discovered in 2015, when researchers spotted a download during a Vawtrak infection. AbaddonPoS, sometimes detected by our products as Trojan-Spy.Win32.POSCardStealer, is a generic, widespread type of PoS malware with features such as anti-analysis, code obfuscation, persistence, location of credit card data, and a custom protocol for exfiltrating data.

Ploutus
In 2021, a new version of Ploutus was found in the wild. Ploutus is one of the most advanced ATM malware families we have seen in the last few years. Discovered for the first time in Mexico back in 2013, the malware keeps evolving via new versions and has been seen targeting enterprises, such as ATM manufacturers, in Brazil among other places.
The malware is used to modify legitimate software and execute privilege escalation to control the ATM and obtain administrative permissions, allowing criminals to jackpot cash machines on demand.

RawPoS
Originally discovered by Visa, the RawPoS family has been in use at least since 2008. Initially targeting the hospitality sector, the malware comes in many modifications and is capable of extracting the full magnetic stripe data from volatile memory.

Prilex
Prilex was recently reported to be sold as malware-as-a-service (MaaS). Active since 2014, it hails from Brazil and has a global reach these days. In 2022, the group upgraded its attack methods to circumvent authorization policies, and still continue to abuse processes related to PoS software and card transactions.

Conclusions and recommendations

Life today is hard to imagine without easy access to automated cash withdrawal services. Embedded systems used in ATMs and PoS terminals are there to help us with that. The more money this market accumulates, the more attractive it becomes for intruders. Despite the drop during the pandemic, attackers have stepped up their activities again in the last two years: attacks and detections are on the rise, as new variants from well-known malware families are appearing. New cybercrime business models like malware-as-a-service are emerging to lower the skill bar for wannabe attackers.

Businesses need to be smarter than ever to keep their systems and data safe. To stay on top of the latest ATM/PoS threats, Kaspersky recommends implementing the following measures:

• Use a multi-layered solution, offering an optimal selection of protective layers to provide the best security possible for devices with different levels of processing power and implementation scenarios.
• Implement self-protection techniques in PoS modules, such as the protection available in our Kaspersky SDK, which aims to prevent malicious code from tampering with transactions managed by those modules.
• Protect older systems with up-to-date security that is optimized to provide the full range of usable features on both older versions of Windows and the latest releases. This keeps businesses confident they will both have full support for the older families in the foreseeable future and retain the opportunity to upgrade when needed.
• Install a security solution, such as Kaspersky Embedded Systems Security, that protects devices from various attack vectors. If the device has extremely low system specifications, the Kaspersky solution would still keep it protected with the Default Deny scenario.
• For financial institutions targeted by the kind of fraud discussed in this report, Kaspersky recommends the Threat Attribution Engine to help IR teams with finding and detecting Prilex files in environments under attack.
• Provide your team with access to the latest threat intelligence (TI) resources. The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over the past twenty years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced free access to independent, continuously updated, and globally sourced information on ongoing cyberattacks and threats. Request access online.

^[1] A detection is an instance of an application being blocked when suspicious activity is detected.