'ATM-Zombie' malware stealing Israeli bank customers' money

Criminals have used the malware to steal hundreds of thousands of shekels in total from dozens of people in the last quarter of 2015 alone.

February 29, 2016 20:10

A piece of malware dubbed the ATM-Zombie has been stealing cash from customers at Israeli banks, according to cybersecurity firm Kaspersky Lab.

Criminals have used the malware to steal hundreds of thousands of shekels in total from dozens of people in the last quarter of 2015 alone, Kaspersky said, though it commended customer vigilance and quick reactions from banks for stopping the attack’s spread in relatively early stages.

Kaspersky investigator Ido Naor found that the users accidentally downloaded the malware through “spear phishing,” targeted emails that entice users to click a link that downloads the program.

Once downloaded, the malware inserted itself between people’s Internet browsers and the bank.

“If the victim has decided to connect his bank account, the characteristics in the browser will redirect the victim to the attacker’s server, which looks exactly as the bank’s server,” the report explained.

It would then steal their information, take over the account and transfer the money outside the country.

“In this case the attacker chose to take advantage of a legitimate feature that allows a money transfer via text message. The message is sent after filling out a form on the site, which contains the details of the recipient, his ID, the telephone number to which the transfer authorization is sent in a form of user code, amount, withdrawal date and other details. All that is needed now is to withdraw the money from the ATM,” the report explained.

An accomplice, whom Kaspersky called a zombie because he was working under the control of the original attacker outside the country, would take the cash from the ATM and transfer it to the main attacker via other means.

“It is important to note that financial institutions in Israel are known for their high abilities to defeat hostile activity, and they are backed up by cutting edge technological products,” Naor said. “However, in this case the criminals succeeded by targeting the end customer instead of the banks themselves. They took advantage of the weakest link. Luckily, the high capabilities of the defense systems of the banks also helped to stop the attack in its early stages.”
