Unlike other ATM malware families, Alice’s main focus is to empty the safe of ATMs. Alice does not steal information, it only enables its users with physical access to machines to steal as much money as is available in the ATM.

ATM attacks are nothing new; cyber criminal gangs have been attacking ATMs since the 1990s, however the scope and scale of these attacks are a growing challenge. Attacks on financial payment systems are constantly evolving, from attacking interbank transfer systems such as SWIFT to the tried and true attacks on ATMs like the ones we have seen recently in Thailand, Taiwan and the UK.

Today there are well over 3 million ATMs around the world, with a new one added approximately every five minutes. Even with the growth of alternative payment systems ATM, usage is here to stay. According to Retail Banking Research (RBR), the U.S. currently has 432,000 ATMs, with around 110,000 bank branches where these ATMs delivered 5.6 billion cash withdrawals totaling $691 billion, up 4 percent from $666 billion in the previous year. Financial institutions continue to innovate to provide additional services and reduce costs of brick and mortar branches, however this could come at a greater cost by making them bigger targets for criminals. After all, as famous bank robber Willie Sutton allegedly said on why he robs banks, “Because that’s where the money is.” For the better part of a decade, the largest threat to ATMs have been skimming operations where track (account) data and PINs were captured via homemade in-line skimmers with either fake pad overlays or even hidden cameras. Only in the last few years have we seen the accelerated development and usage of ATM malware, which enables additional opportunities for cyber criminals to compromise ATMs globally.

ATM malware has been around since 2007. Over the past nine years we have tracked and analyzed eight unique families, and the bulk of those families were discovered in the last 3 years. This type of increase in malware development usually coincides with a similar increase in attacks. Recent ATM attacks in Russia, Spain and the United Kingdom are even more ominous whereas early reports show these ATMs were attacked remotely. Although Alice looks to be written for money mules who have physical access to machines, our researchers do show that Alice could be used via RDP, however we have no evidence yet of remote usage.

This newly discovered Alice ATM malware family was first discovered by Trend Micro in November 2016 as a result of an ongoing joint research project and partnership on ATM malware with Europol EC3. This incredibly valuable research highlights the power of private-public partnership. Only by working together can we collectively begin to lower the global risk posed by these attacks.