Trustwave investigators said malware used in several ATM breaches in Eastern Europe allows attackers to take over the machines and dump cash from them.
Trustwave, a Chicago-based provider of information security and payment card industry compliance services and products, uncovered the malware while investigating ATM breaches in Russia and Ukraine over the past few months. About 20 ATMs were infected with sophisticated malware that allowed attackers to not only steal track data and PINs but cash, said Nicholas Percoco, vice president and head of Trustwave's SpiderLabs security team.
The breaches appear to be inside jobs since an attacker needs physical access to the ATM in order to install and execute the malware, according to Trustwave. Percoco said an attacker could be someone who gets a copy of the keys to the ATM, opens the machine and loads the malware onto the system.
Attackers can then use a card at the infected machine that looks like an ATM card but with track data that triggers the malware, which has a built-in user interface, he said. "You insert this modified ATM card, remove it and up comes an interface screen that asks you what you want to do," Percoco said.
Depending on the number of functions available on the controller card, a criminal could view the number of transactions on the machine or print harvested card data onto the ATM's receipt printer. A multi-function card could allow the attacker to dispense cash from the machine, which could be up to $600,000 on large ATMs, Percoco said. That gives attackers a potentially bigger haul than stealing card track data and PINs, which limits them to the amount of money in a person's account, he said.
"With this, they can walk up with a bag and let the machine empty into it," he said.
The compromised ATMs ran Microsoft's Windows XP, but Trustwave can't disclose the ATM software the malware targets, Percoco said. He said researchers believe the malware is related to the malware used in attacks on Diebold ATMs in Russia earlier this year, but said it targets multiple vendors, is much more advanced and continues to evolve and spread. Trustwave collected multiple versions of the malware.
"Attackers are constantly developing it," Percoco said.
The malware's sophistication and evolving nature raise concern that it could spread outside of Eastern Europe and to the U.S., according to Trustwave. The company believes attackers will add functionality that will allow it to propagate via the ATM network and recommends that all financial institutions analyze their ATM environment for it.
Percoco said U.S. banks should make sure all ATMs are hardened and institute best practices, such as not using default passwords. They also should know who has access to the machines; some banks hire ATM servicing companies that may have temporary staff.
"What we've seen in talking to some banks in the U.S. is that many don't have a handle on the security of the ATMs themselves," he said. "They always assume because they're locked down that they're not very vulnerable, but once you have a key to unlock the systems, in many cases the security posture is low."