ATM malware used in Russia lets attackers control machines

By Marcia Savage, Features Editor, Information Security magazine
03 Jun 2009 | SearchFinancialSecurity.com

Trustwave investigators said malware used in several ATM breaches in Eastern Europe allows attackers to take over the machines and dump cash from them.

Trustwave, a Chicago-based provider of information security and payment card industry compliance services and products, uncovered the malware while investigating ATM breaches in Russia and Ukraine over the past few months. About 20 ATMs were infected with sophisticated malware that allowed attackers to steal not only track data and PINs but also cash, said Nicholas Percoco, vice president and head of Trustwave's SpiderLabs security team.

The breaches appear to be inside jobs since an attacker needs physical access to the ATM in order to install and execute the malware, according to Trustwave. Percoco said an attacker could be someone who gets a copy of the keys to the ATM, opens the machine and loads the malware onto the system.

Attackers can then use a card at the infected machine that looks like an ATM card but with track data that triggers the malware, which has a built-in user interface, he said. "You insert this modified ATM card, remove it and up comes an interface screen that asks you what you want to do," Percoco said.

Depending on the number of functions available on the controller card, a criminal could view the number of transactions on the machine or print harvested card data onto the ATM's receipt printer. A multi-function card could allow the attacker to dispense cash from the machine, which could be up to $600,000 on large ATMs, Percoco said. That gives attackers a potentially bigger haul than stealing card track data and PINs, which limits them to the amount of money in a person's account, he said.

"With this, they can walk up with a bag and let the machine empty into it," he said.

The compromised ATMs ran Microsoft's Windows XP, but Trustwave can't disclose the ATM software the malware targets, Percoco said. He said researchers believe the malware is related to the malware used in attacks on Diebold ATMs in Russia earlier this year, but said it targets multiple vendors, is much more advanced and continues to evolve and spread. Trustwave collected multiple versions of the malware.

"Attackers are constantly developing it," Percoco said.

The malware's sophistication and evolving nature raise concern that it could spread outside of Eastern Europe and to the U.S., according to Trustwave. The company believes attackers will add functionality that will allow the malware to propagate via the ATM network and recommends that all financial institutions analyze their ATM environment for it.

Percoco said U.S. banks should make sure all ATMs are hardened and institute best practices, such as not using default passwords. They also should know who has access to the machines; some banks hire ATM servicing companies that may have temporary staff.

"What we've seen in talking to some banks in the U.S. is that many don't have a handle on the security of the ATMs themselves," he said. "They always assume because they're locked down that they're not very vulnerable, but once you have a key to unlock the systems, in many cases the security posture is low."


