In 2020, the number of attacks on ATMs and PoS terminals significantly decreased due to the pandemic. Now, with old spending patterns back, threat actors’ activity is on the up again.

HydraPoS and AbaddonPoS are the most widespread malware families in 2022, accounting for roughly 71% of all detections. For ATMs the most active malware is Ploutus, accounting for 3% of all detections in the first eight months of 2022.

These and other findings are part of a new ATM/PoS malware report issued by Kaspersky.

Cybercriminals attack embedded systems used in ATMs and point-of-sale (PoS) terminals to steal cash, credit card credentials and personal data, and penetrate systems to gain control over all devices within a network, and attackers can obtain thousands of dollars overnight. Many Windows versions used in ATMs reached the end of their support long ago and may be an easy target, while PoS terminals are used by many businesses with a low cybersecurity maturity level.

When the pandemic hit, the number of attacks decreased sharply compared to the previous year – from roughly 8 000 in 2019 to 5 000 in 2020. According to the experts’ assessment, this occurred for several reasons – including a reduction in the total number of ATMs across the world, their shutdown during pandemic restrictions, as well as people’s spending shrinking overall. As a consequence, attackers saw their market contract in terms of the number of their targets.

Today the restrictions have softened greatly, old spending patterns are back, and therefore threat actors’ activity is gathering pace. In 2021, the number of devices encountered with ATM/PoS malware was up by 39% compared to the previous year. In the first eight months of 2022, the number grew by 19% compared to the same period of 2020, and by nearly 4% compared to 2021. In total, 4 173 devices were attacked in January-August of 2022.

Given this trend, experts expect the number of attacks on ATM/PoS devices to increase further in the fourth quarter of 2022.

HydraPoS and AbaddonPoS account for roughly 71% of all ATM/PoS malware detections in 2020-2022, with 36% and 35%, respectively.

The leader of the rating, HydraPoS, originates from Brazil and is known for cloning credit cards. According to Kaspersky Threat Intelligence Portal reports, this family was used in attacks involving social engineering.

“There are different techniques. They depend on who is conducting the attack and which family is used. Attackers make phone calls or even come to victims’ offices. They impersonate an employee of a bank or credit card company and try to convince the victim to install malware as if it were a system update”, comments Fabio Assolini, head of research centre: Latin America at Kaspersky.

The top five also includes Ploutus (3%) – the malware family used for modifying legitimate software and privilege escalation to control ATMs and obtain administrative privileges that allow criminals to jackpot ATMs on demand. RawPoS (the malware able to extract the full magnetic stripe data from volatile memory) and Prilex (the malware abusing processes related to PoS software and credit and debit card transactions), account for 2% per each. The other 61 analysed families and modifications account for less than 2% per each.

“PoS malware is more widespread than ATM malware because it gives fairly easy access to money. If ATMs are usually protected well enough, the owners of cafes, restaurants, and shops often don’t even think about the cybersecurity of their payment terminals. This makes them a target for attackers. Moreover, new criminal business models like malware-as-a-service emerge to lower the skills bar for would-be threat actors,” says Assolini.