A man uses an ICICI automated teller machine (ATM) in New Delhi, India, March 5, 2016.REUTERS/Adnan Abidi

As many as 29 lakh debit cards came under malware attack in India last year through ATMs that were connected to a switch provided by Hitachi Payment Services, according to the country's finance ministry.

Commercial banks operating in India have reported that 2.9 million debit cards were used at various ATMs that were connected to the Hitachi switch which was subjected to malware attack, Santosh Kumar Gangwar, the minister of state for finance, revealed in a report submitted to the parliament on Friday.

However, he also said that the number of compromised debits cards as reported to the Reserve Bank of India (RBI) was only 3,291.

"RBI has informed that Hitachi Payment Services (HPS) appointed SISA Infosec for PCI forensic investigation. The final report suggested that the ATM infrastructure of HPS was breached and the data between May 21 and July 11, 2016 were compromised, but not the POS (point of sale) infrastructure," Press Trust of India quoted Gangwar as saying.

Meanwhile, the RBI is said to have advised banks to take adequate measures to improve customer awareness with regard to cyber security, including educating customers on the downside risk and consequences of sharing their login credentials with others.

According to Gangwar, the central bank set up a Cyber Security and IT Examination cell within its Department of Banking Supervision in 2015, and had also issued a comprehensive circular in June last year covering best practices to better defend against cybercrimes.

Despite all the efforts by authorities worldwide, cybercriminals continue to deploy malicious software to steal money from ATMs. With over 432,000 ATMs installed worldwide, the risk is growing even further.

Here're five ATM malware families that enable crooks to launch both physical and remotely coordinated attacks on cash machines:


First discovered in 2009, Skimer is believed to be the first malware to target ATMs. Once successfully installed, it infects the core of an ATM, giving cybercriminals full control over the machines to withdraw all the funds or collect confidential data from cards used in the infected machines, including customers' bank account numbers and PIN codes.

According to Russia's Kaspersky Lab, 49 modifications of the Skimer malware have been identified so far. The most recent version was discovered in May last year.

Here's a video of Kaspersky Lab illustrating the Skimer malware in action.


Believed to be created in August 2015, Suceful is equipped with some shocking features that are not found in any other ATM malware. It targets cardholders, and can save debit card details on infected ATMs, disable alarms, and even read the debit card tracks.

Attackers can use Suceful to read data from a card's chip, and even steal physical cards by commanding the machine to retain the card.


First discovered in 2013, Ploutus malware requires the attackers to have physical access to the ATM to connect a keyboard to it. The malware can also allow money mules to withdraw cash using SMS messages.

In January, a new variant of the Ploutus ATM malware was identified. Dubbed Ploutus-D, the new variant targets ATMs running on Windows 10, Windows 8, Windows 7 and XP. It has a different interface and features a "Launcher" that can identify and terminate security monitoring processes.


Believed to have been around since 2014, Alice enables criminals with physical access to the ATM to make the machine spit out cash. The crooks first get access to one of the ATM's USB or CD-ROM slots to install the malware. After that they connected a keyboard to interact with the ATM's software.

Unlike other malware families, Alice targets the ATM's cash dispenser module. Since it doesn't connect to other ATM-specific hardware, criminals cannot issue any commands via the PIN pad.


During a forensics investigation into cyberattacks targeting ATMs in Eastern Europe, Kaspersky Lab discovered a piece of malware that was in use to help attackers drain the ATM cash cassettes. Although the malware, identified as Tyupkin, was active on over 50 ATMs at banking institutions in Eastern Europe, subsequent research revealed that it spread to other countries, including the US, India and China.

Tyupkin, which comes to life only at a specific time at night, has evolved over time. Its latest variant is capable of implementing anti debug and anti emulation techniques.