New bank malware "rolls back" ATM transactions

By : Owen Wild

April 21, 2016 01:00 PM

Security experts are warning of a new breed of “remarkably clever” bank malware that lets criminals take over key transaction systems in order to make ATM transactions look like they never happened.


According to Kaspersky Labs, the Metel malware emerged in Russia and there are concerns it’s part of a wider trend that is seeing criminals adopt the tactics of advanced, persistent threats to steal money from banks. The security experts found the malware in more than 30 banks but has taken steps to clean it up.


Metel’s latest ploy sees it gain control of machines with access to money transactions from the cell center to support computers, allowing the criminals to “roll back” ATM transactions.


“The rollback capability ensures that the balance on debit cards remains the same regardless of the number of ATM transactions undertaken,” explains Kaspersky Labs in a post.


The thieves simply go around Russian cities at night, emptying ATM machines at various banks. The approach means they can repeatedly use the same debit cards. “In the space of just one night, they manage to cash out.”


The investigation revealed that the initial infection is achieved through tailor-made spear-phishing emails with malicious attachments. “Once inside the network, the cybercriminals use legitimate and pentesting tools to move laterally, hijacking the local domain controller and eventually locating and gaining control over computers used by the bank’s employees responsible for payment card processing,” the post continues.


Sergey Golovanov from Kaspersky Labs says: "Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cyber criminals aggressively embracing APT-style attacks … we see more of them shifting from attacking users to attacking banks directly. Their logic is simple: that’s where the money is."


Combining latest malware tactics with a simple ATM scam is a big threat as, once the cash is gone, it is not recoverable. Jackpotting like this is a worry, but sophisticated fraud detection systems may help snuff out transactions. So far, it seems there have not been any attacks outside Russia, but investigators suspect that the infection is much more widespread, and banks around the world are advised to proactively check for infection.


ATM deployers need to ensure that they maintain best in class solutions to mitigate against these forms of potential attacks. NCR has recently published an updated Configuration and Best Practices Guide that provides more details on our recommendations for defenses and ways to reduce your risk from these and other forms of attacks.


Owen Wild

Security Marketing Director

Other articles by this author

Owen Wild is responsible for marketing strategies for the NCR Security Solutions within NCR’s Financial Solution Portfolio. Over the past 15 years, Owen has held several sales and marketing positions with leading travel and tech cos.