
Banks have another security headache on their hands: ATM-infecting malware is becoming increasingly sophisticated, helping criminals audaciously empty cash machines on the high street on demand, without first having to steal the payment cards of legitimate customers.

Dubbed GreenDispenser by researchers at Proofpoint, the new malware targeting ATMs allows thieves to extract large amounts of money from cash machines, while using sneaky techniques to avoid detection.

Here’s how GreenDispenser works.

Firstly, the ATM needs to be infected by the GreenDispenser malware. This would most likely require the attackers to have unrestricted physical access to the device, or assistance from bank employees.

Earlier this month, security blogger Brian Krebs wrote a series of articles about what he claimed was an organised crime gang bribing ATM technicians into meddling with the cash machines in and around Cancun, Mexico.

Once the malware is in place on the ATM, an “out of service” message is displayed, preventing law-abiding members of the public from withdrawing money, which might lessen the haul for the hackers.


So, how does a criminal extract cash from an “out of service” ATM? Well, all they need to do is enter a hardcoded authorisation PIN code to give them special access to the system.

Remarkably, possibly to prevent others from abusing the PIN code if it is shared indiscreetly (there’s no honour amongst thieves, it seems), the malware includes a two-factor authentication feature to verify that the person entering the PIN code is who they claim to be. That’s better security than any legitimate bank customer gets when they use an ATM!

With the initial hardcoded PIN entered, the ATM thief is presented with a QR code that can be scanned with a smartphone app. The app then generates a second PIN, which unlocks an ATM menu screen, revealing options to dispense cash or even securely erase the malware from the ATM in a bid to prevent analysis by security researchers.


Malware infecting ATMs is, sadly, nothing new, and this blog has reported numerous times in the past on gangs who have stolen millions of dollars after installing malware that helps them scoop up card details of ATM users or even empty cash out of banks’ cash machines right there on the high street.

The researchers at Proofpoint say that GreenDispenser is thought to have been found in “certain geographic regions such as Mexico”, but the fear is that if it continues to prove fruitful for the criminals, new versions of the malware could be used against banks worldwide. It certainly wouldn’t be a surprise: Tyupkin, another strain of ATM malware that GreenDispenser appears to be related to, has been seen in several countries around the world.

Tim Erlin, Tripwire’s director of IT security and risk strategy, told the press earlier this month, after the discovery of a further sample of malware, that it pays to be cautious before sticking your payment card in a hole in the wall:

“Embedded systems, like ATMs and point-of-sale devices, present unique challenges for information security, and unique opportunities for attackers. We’re fast approaching a situation where consumers need to have a healthy scepticism for security of the devices into which they stick their cards.”

He’s right, of course. But malware like GreenDispenser isn’t interested in bank customers’ credit card details – because it steals directly from the banks. And while attacks like this continue to succeed, you have to suspect that more and more criminals will waltz around the middle-man, and go directly to where the money is.

Bank security teams need to keep on top of the latest tricks used by ATM-infecting malware, and look long and hard at their security to ensure that no-one inside their organisation could be giving ATM hackers a helping hand.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock