The 2020-2022 ATM/PoS Malware Landscape

[Image: a hook pulls a credit card across a computer keyboard. Credit: weerapat1003/Adobe Stock]

A new report from Kaspersky sheds light on the 2020-2022 ATM and Point of Sale (PoS) malware landscape.

The COVID-19 impact

Lockdowns across the globe during the pandemic severely reduced ATM and PoS malware activity, since people stayed at home with no other option than buying what they needed online instead of physically going to shops.

In 2020, the number of attacks on ATM/PoS dropped significantly compared to 2019, from roughly 8,000 attacks to 4,800 (Figure A).

Figure A: Number of devices affected by ATM/PoS malware from 2018 to 2021. Image: Kaspersky.

While the lockdowns saw a number of devices being turned completely off, another reason for this drop is that the worldwide number of cash machines tends to decrease, as explained by the researchers.

In 2021, a 39% increase in attacks was observed, showing that the COVID-19 restrictions had been lifted, allowing customers to return to their usual consumer habits.


Most targeted regions for ATM/PoS malware attacks in 2020-2022

From 2017 to 2021, Russia has always been the most impacted country. Outdated fleets of ATMs made it fairly easy for attackers to gain access and steal money from these devices, as the old equipment was vulnerable to most malware families and generally had a low level of cybersecurity, according to Kaspersky. Brazil has been in the same situation, with an outdated ATM fleet, but in addition Brazil has numerous cybercriminals developing new PoS malware there.

Zimbabwe appeared in the top 5 in 2021, and is still there in 2022. One reason for this, as explained by Kaspersky, is that Chinese investors are opening new businesses in that country, generating economic growth and making it attractive for cybercriminals.


Main types of malware activity

Two malware families stand out in Kaspersky's analysis: HydraPoS and AbaddonPoS (Figure B).

Figure B: Most prevalent PoS/ATM malware families. Image: Kaspersky.


HydraPoS still holds its leading position, although no new version has been released recently. This malware originates from Brazil and is notorious for cloning credit cards. HydraPoS combines several pieces of malware bundled with a handful of legitimate third-party tools.

To get HydraPoS installed on devices, cybercriminals use social engineering. They call companies on the phone and pretend to be employees of a credit card company. Once trust is established, they ask the victim to access a website and install an update, which actually launches the infection, giving the fraudsters access.


AbaddonPoS has been active since 2015 and is a generic PoS malware that tries to hide its activities through anti-analysis mechanisms, code obfuscation and a custom protocol for exfiltrating data from the victims to the cybercriminals.


Ploutus is one of the most advanced ATM malware families. It first appeared in 2013 but keeps evolving through new versions and targets organizations such as ATM manufacturers, particularly in Brazil. The malware enables the attacker to modify the legitimate software running on ATMs and perform privilege escalation to gain control of the ATMs, allowing the cybercriminals to physically cash out from ATMs on demand.



RawPoS is one of the oldest PoS malware families in the scene. It has been in use since 2008, and allows the extraction of full magnetic stripe data from volatile memory.


Prilex is a Brazilian threat actor that switched from ATM-focused malware to PoS malware in 2016. Prior to this move, the group was responsible for one of the largest ATM attacks in Brazil, stealing money from more than 1,000 machines while also cloning 28,000 credit cards that had been used in those ATMs. The Prilex PoS malware evolved into a very advanced and sophisticated malware capable of modifying communications with the PIN pad and bypassing EMV (Europay Mastercard Visa) validations. The cybercriminals behind that malware adopted the malware-as-a-service business model, selling it for about $3,500 on underground cybercriminal marketplaces.


Unsuspecting victims

It seems companies using PoS devices often blindly trust the software running on them, and are generally unaware that malware on the device can steal all the information cybercriminals are after. Part of that trust is legitimate: the payment card industry uses several security standards enforcing end-to-end encryption of sensitive payment data, among other security measures, making it harder for cybercriminals. Yet if an attacker manages to execute code on these devices, he may still access the sensitive data, which is only decrypted in memory and never on other storage.


Social engineering also seems to work quite well to infect PoS devices with malware, as employees often don't have much knowledge of all the procedures for handling these devices and may do anything a "professional" asks them to do.

How to protect from this threat?

Customers clearly can't do much about this threat, so all security measures have to be deployed by the PoS device maintainers and the ATM manufacturers.

For starters, older systems need to be updated and patched, especially those running outdated versions of Microsoft Windows. Also, embedded security software should be deployed, to protect from various attack vectors and to detect threats.

Although communications are encrypted on these devices, it is a good idea to deploy network detection/defense solutions, which could detect unusual amounts of data being transferred, or unexpected communications to different IP addresses.
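The two network signals mentioned above (unexpected destinations and unusual egress volume) can be checked with a very simple rule over per-terminal flow records. The block below is an added illustration, not code from the Kaspersky report or from any product; the allowed processor networks, the hourly byte baseline and the flow records are all constructed for the example.

```python
"""Flag suspicious outbound flows from PoS terminals (added example).

Assumes NetFlow-style records exported per terminal and a known list of
payment-processor / update-server endpoints. All addresses and numbers
below are constructed placeholders, not real infrastructure.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical: the only networks a terminal legitimately talks to.
ALLOWED_DESTS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.10/32")]
ALLOWED_PORTS = {443}
# Hypothetical baseline: normal hourly egress per terminal is far below this.
BASELINE_BYTES_PER_HOUR = 200_000
VOLUME_FACTOR = 3  # alert when an hour's egress exceeds 3x the baseline

# Constructed flow records: (hour, terminal, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("2022-03-01T10", "pos-lane-01", "203.0.113.5", 443, 12_000),
    ("2022-03-01T10", "pos-lane-01", "203.0.113.5", 443, 9_500),
    ("2022-03-01T10", "pos-lane-02", "203.0.113.5", 443, 11_000),
    ("2022-03-01T10", "pos-lane-02", "192.0.2.77", 8080, 4_000),    # unknown host
    ("2022-03-01T11", "pos-lane-03", "203.0.113.5", 443, 700_000),  # unusual volume
    ("2022-03-01T11", "pos-lane-03", "198.51.100.10", 443, 3_000),
]


def is_allowed(dst_ip: str, dst_port: int) -> bool:
    """True if the destination is on the allow-list of processor endpoints."""
    addr = ip_address(dst_ip)
    return dst_port in ALLOWED_PORTS and any(addr in net for net in ALLOWED_DESTS)


def detect(flows):
    """Return alerts as (kind, terminal, detail) tuples."""
    alerts = []
    egress = defaultdict(int)  # (hour, terminal) -> bytes sent
    for hour, term, dst_ip, dst_port, nbytes in flows:
        egress[(hour, term)] += nbytes
        if not is_allowed(dst_ip, dst_port):
            alerts.append(("unexpected_destination", term, f"{dst_ip}:{dst_port}"))
    for (hour, term), total in egress.items():
        if total > VOLUME_FACTOR * BASELINE_BYTES_PER_HOUR:
            alerts.append(("unusual_volume", term, f"{total} bytes in {hour}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Encrypted payloads do not hide either signal: the rule only looks at where the traffic goes and how much of it there is.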

Whitelisting of applications can also be deployed on devices, to only allow selected software to run, making it harder for attackers to run their malware or code on these devices.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.