Industry News

Online Banking Security Threatened by Qbot Botnet; ATMs Targeted by New Malware

Recent research by Proofpoint reveals details of a botnet named Qbot that has reportedly infected 500,000 systems and sniffed account credentials and other data from nearly 800,000 online banking transactions in both Europe and the U.S.

The attackers behind Qbot bought lists of administrator logins on the underground market for stolen data and cross-referenced them to determine which were still valid. They then uploaded malware to WordPress sites (easier targets due to their open-source nature) in order to infect site visitors.

Proofpoint reports that the attackers even took advantage of some WP sites that distributed newsletters, using them to dispense malware via email. They also used Windows XP to their advantage: more than half of their targets were running the OS.

As we (and many others) discussed back in April of this year, the vast majority of devices and computers still running the OS would be vulnerable to exactly these kinds of attacks, because Microsoft ended patch and update support for the OS. While some may have transitioned to Windows 8, there are obviously still many businesses that haven’t made the move, which can understandably take a lot of time and resources.

Additionally, the attackers used the compromised computers to set up a tunneling network based on SOCKS5 with a module called SocksFabric. As a paid service, the attackers offered this as a way for other attackers to build their own private cloud for encrypted communication and stolen data transfer. The network also allowed attackers to use compromised endpoints as a way into targeted organizations.
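From the defender's side, the SocksFabric network described above means compromised endpoints start speaking SOCKS5 to infrastructure the organization never sanctioned. The following is an added example, not code from the original post or from Proofpoint's research: it parses the two client-side SOCKS5 messages defined in RFC 1928 (the method greeting and the CONNECT/BIND/UDP request) and flags any flow whose destination is not on an approved-proxy list. The flow tuples, IP addresses, the `bank.example` hostname and the approved-proxy set are all constructed for the example.

```python
"""Classify TCP payloads as SOCKS5 messages (RFC 1928) and flag unexpected proxying.

Added example, not code from the original post. Flows are assumed to arrive as
(src_ip, dst_ip, dst_port, first_payload_bytes) tuples from a network sensor.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_socks5_greeting(payload):
    """Client greeting: VER NMETHODS METHODS[]; returns the offered method list or None."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return list(payload[2:])


def parse_socks5_request(payload):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT; returns (cmd, host, port) or None."""
    # smallest valid request is 8 bytes (one-character domain name); RSV must be 0x00
    if len(payload) < 8 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        if len(payload) < addr_end:
            return None
        host = str(ipaddress.IPv4Address(payload[4:addr_end]))
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        if len(payload) < addr_end:
            return None
        host = str(ipaddress.IPv6Address(payload[4:addr_end]))
    elif atyp == ATYP_DOMAIN:
        addr_end = 5 + payload[4]  # one length byte, then the name
        if len(payload) < addr_end:
            return None
        host = payload[5:addr_end].decode("ascii", errors="replace")
    else:
        return None
    if len(payload) != addr_end + 2:  # exactly two port bytes must follow the address
        return None
    port = struct.unpack("!H", payload[addr_end:addr_end + 2])[0]
    return CMD_NAMES[cmd], host, port


def find_unexpected_socks5(flows, approved_proxies):
    """Return one finding per SOCKS5 message sent to a destination that is not an approved proxy."""
    findings = []
    for src, dst, dport, payload in flows:
        if (dst, dport) in approved_proxies:
            continue
        methods = parse_socks5_greeting(payload)
        if methods is not None:
            findings.append({"src": src, "dst": f"{dst}:{dport}", "kind": "greeting", "methods": methods})
            continue
        request = parse_socks5_request(payload)
        if request is not None:
            cmd, host, port = request
            findings.append({"src": src, "dst": f"{dst}:{dport}", "kind": cmd, "target": f"{host}:{port}"})
    return findings


# Constructed sample flows: one workstation tunnelling through an unknown external host,
# one ordinary HTTP request, and one session to the sanctioned corporate proxy.
SAMPLE_FLOWS = [
    ("10.20.0.15", "203.0.113.40", 8443, b"\x05\x01\x00"),
    ("10.20.0.15", "203.0.113.40", 8443,
     b"\x05\x01\x00\x01" + bytes([10, 20, 0, 99]) + struct.pack("!H", 3389)),
    ("10.20.0.15", "203.0.113.40", 8443,
     b"\x05\x01\x00\x03" + bytes([len(b"bank.example")]) + b"bank.example" + struct.pack("!H", 443)),
    ("10.20.0.16", "203.0.113.41", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.20.0.17", "10.20.1.1", 1080, b"\x05\x02\x00\x02"),
]
APPROVED_PROXIES = {("10.20.1.1", 1080)}

if __name__ == "__main__":
    for finding in find_unexpected_socks5(SAMPLE_FLOWS, APPROVED_PROXIES):
        print(finding)
```

The CONNECT request aimed at an internal address (here a constructed RDP port on 10.20.0.99) is the case that corresponds to the post's "way into targeted organizations": the endpoint is relaying inbound connections for someone else. One caveat the post itself implies: the attackers offered encrypted communication, so if the SOCKS5 exchange is wrapped in a tunnel, the handshake bytes will not be visible on the wire and this check has to run on endpoint-side process or socket telemetry instead.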

New Type of ATM Malware in Eastern Europe

While this botnet seeks to steal banking credentials, another type of malware is targeting ATMs directly to steal cash. Kaspersky Lab’s Global Research and Analysis Team has analyzed the malware, named Backdoor.MSIL.Tyupkin, or Tyupkin, that has spread through Eastern Europe, and may have made its way to the U.S.

Although it’s not a remote attack, criminals can effectively withdraw cash without stolen physical cards or card numbers. They first need physical access to the ATM in order to insert a bootable CD that loads the malware onto the machine, then reboot it to gain control. The malware only accepts commands on certain days, and requires a one-time use key to operate. Criminals can withdraw 40 banknotes (bills) at a time.

The ATMs hit by this malware come from a major ATM manufacturer and run 32-bit Microsoft Windows. Find out more on Securelist.com. According to the NCR Corporation, the largest ATM supplier in the U.S., over 95 percent of the world’s ATMs are running on XP, as stated in a report by Visa, Windows XP’s End of Life: Understanding the Risks and Impact to Point-of-Sale and Automated Teller Machines (PDF).

The report also states:

Merchants and ATM deployers choosing to continue to run XP after support ends will still have functioning computers, POS systems and ATMs, but according to Microsoft, will be five times more vulnerable to security risks such as viruses and malware.

Upgrading to newer OS versions, or, at least, those that are still supported with updated security patches, may be the first step for banking businesses that are concerned about recent attacks.

Specifically, support for Windows XP Professional for Embedded Systems ended on April 8, 2014. However, ATMs that run other versions of Windows XP Embedded will still be supported through early 2016, and some through 2019. Those include:

  • Windows XP Embedded Service Pack 3 (SP3) - Jan. 12, 2016
  • Windows Embedded for Point of Service SP3 - April 12, 2016
  • Windows Embedded Standard 2009 - Jan. 8, 2019
  • Windows Embedded POSReady 2009 - April 9, 2019

Find out more in What Windows XP End of Life Means for PCI DSS & Device Security.

But in the case of Qbot, uploading malware to the compromised sites was only possible with administrator credentials, which easily give attackers full remote access if a password is the only line of defense. Strengthening your access controls helps keep attackers out at the first point of entry; adding two-factor authentication may have been enough to stop the botnet from doing damage to U.S. and European banks.
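To make concrete what adding a second factor to those administrator logins changes, here is an added example, not code from the original post: a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238) together with a verifier that tolerates one 30-second step of clock drift and refuses to accept a time step that has already been used, so a sniffed code cannot be replayed. The secret is the RFC test-vector secret, the `admin` username is constructed, and the in-memory dictionary stands in for whatever store a real login system would use.

```python
"""Time-based one-time passwords (RFC 4226 HOTP / RFC 6238 TOTP) as a second login factor.

Added example, not code from the original post. RFC_TEST_SECRET is the RFC 4226/6238
test-vector secret; a real deployment generates a random per-user secret instead.
"""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Checks a submitted code against the user's secret, tolerating `window` steps of
    clock drift and refusing any time step that was already accepted (one-time use)."""

    def __init__(self, step=30, digits=6, window=1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter = {}  # username -> last accepted counter (constructed in-memory store)

    def check(self, user, secret, submitted, unix_time):
        counter = unix_time // self.step
        matched = None
        # evaluate every candidate rather than returning early, so timing does not reveal which step matched
        for delta in range(-self.window, self.window + 1):
            candidate = hotp(secret, counter + delta, self.digits)
            if hmac.compare_digest(candidate, str(submitted)):
                matched = counter + delta
        if matched is None:
            return False
        if matched <= self._last_counter.get(user, -1):
            return False  # code from a step already used: replay
        self._last_counter[user] = matched
        return True


if __name__ == "__main__":
    verifier = TotpVerifier()
    now = 59  # fixed timestamp from the RFC 6238 test table, so the run is reproducible
    code = totp(RFC_TEST_SECRET, now)
    print("first use accepted:", verifier.check("admin", RFC_TEST_SECRET, code, now))
    print("replay accepted:", verifier.check("admin", RFC_TEST_SECRET, code, now + 2))
```

The point for the Qbot case is the last two lines: a password captured from a compromised workstation is reusable indefinitely, whereas a captured TOTP code is worthless after its 30-second step and, with the replay check, cannot even be reused inside that step.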

For more on online banking and financial organization security, check out:
The Current State of Online and Mobile Banking Security
Bank Security Breach Leads to A Hacker's Roadmap
U.S. Gov Recommends 2FA for POS Remote Access Security
POS Remote Access Software: Vulnerable Without 2FA
Default Passwords: Breaching ATMs, Highway Signs & POS Devices
Target Breach: Vendor Password Exploit
POS Malware: A PCI Nightmare