By Kim Zetter June 4, 2009 , Wired Magazine
Security researchers have found malware planted on ATMs in Eastern Europe that captures PINs and magnetic stripe data from the machine’s memory and instructs the machines to spit out cash, eliminating the need for primitive skimming devices and advancing the tradecraft of card thieves to a new level.
“This malware is unlike any we have ever had experience with,” said Nick Percoco in a statement. Percoco is vice president and head of Trustwave’s SpiderLabs Incident Response Team, based in Chicago, which was called in to investigate the matter this last spring.
The malware was found on 20 machines in Russia and Ukraine that were all running Microsoft’s Windows XP operating system. At least one machine was infected as early as July 2007 and researchers said they’ve seen advanced versions of the malware that indicates the attackers have been perfecting it since then.
The attack requires an insider, such as an ATM technician or anyone else with a key to the machine, to place the malware on the ATM. Once that’s done, attackers can insert a control card into the machine’s card reader to trigger the malware and give them control of the machine through a custom interface and the ATM’s keypad.
The malware captures account numbers and PINs from the machine’s transaction application and then delivers it to the thief on a receipt printed from the machine in an encrypted format or to a storage device inserted in the card reader. A thief can also instruct the machine to eject whatever cash is inside the machine. A fully loaded ATM can hold up to $600,000.
Trustwave issued an alert that provides technical details (.pdf) about how the malware works.
The malware was placed on ATMs made by various unspecified vendors. Trustwave spokeswoman, Michelle Genser wouldn’t say how many banks were involved or which ones. She also wouldn’t say how much loot the thieves captured from the machines.
The researchers found signs that the malware was moving to machines in the U.S. and elsewhere, but wouldn’t discuss the nature of those signs. (See update below.)
“They usually start in one country as a testbed and once they realize it’s executable in other countries, it spreads quickly,” she said.
UPDATE: I was finally able to speak with Nicholas Percoco, the head of SpiderLabs, and it turns out the malware has a couple of interesting features.
In order to command the machine to dispense cash, a thief has to pull up a special menu the coder put into the malware. But the menu is protected by a challenge-response feature, suggesting the coder might be leasing access to that function to elite customers who pay a premium for it. Emptying an ATM of cash, of course, will expose the malware more quickly than simply stealing card numbers. So this feature has probably been used sparingly.
With regard to the PINs that are stolen, generally an ATM encrypts the PIN at the keypad as the user types it in. So all the malware would get is a PIN block, and the crooks would then have to find a way to decrypt the PIN block. But Percoco says some older models of ATMs made before 2004 when the card industry imposed security standards on PIN entry devices, encrypt the PIN after it’s sent from the keypad to the ATM system software, so the malware would capture these in the clear. There are also even older PIN pads that will reverse the encryption of a PIN block. So a malware writer could write code to instruct the system to send a PIN block back to the PIN pad to be decrypted, where it would then steal the data in the clear.
The card and PIN data that the malware prints out onto an ATM receipt is encrypted by the malware, not the ATM, with a key that only the coder or his associates know, so that a mule who is sent to the machine with a trigger card to collect the data can’t read it.
Cyber Crook Pleads Guilty to Looting Citibank Accounts With Hacked ATM Codes
Three Plead Guilty in $2 Million Citibank ATM Caper
Israeli Hacker ‘The Analyzer’ Indicted in New York
"The Analyzer" Released on Bail; Mom Says FBI Out to Get Her Son
"The Analyzer" in U.S. Provisional Custody in Canada
Israeli Hacker Known as "The Analyzer" Suspected of Hacking Again …
ATM-Owner Cardtronics Issues Non-Denial Denial in Citibank Breach
Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist
Citibank Replaces Some ATM Cards After Online PIN Heist — Update
Citibank Hack Blamed for Alleged ATM Crime Spree
Three Plead Guilty in $2 Million Citibank ATM Caper
Israeli Hacker ‘The Analyzer’ Indicted in New York
"The Analyzer" Released on Bail; Mom Says FBI Out to Get Her Son
"The Analyzer" in U.S. Provisional Custody in Canada
Israeli Hacker Known as "The Analyzer" Suspected of Hacking Again …
ATM-Owner Cardtronics Issues Non-Denial Denial in Citibank Breach
Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist
Citibank Replaces Some ATM Cards After Online PIN Heist — Update
Citibank Hack Blamed for Alleged ATM Crime Spree
Funny, how the malware was found in machines in Russia and the Ukraine? I thought the people of those countries were poor, no money to have to put in the bank.
ReplyDelete
ReplyDeleteI am Rita from Manchester United Kingdom, I am using this means to reach out to every one out there that among all the Testimony on net most of them are bunch of lies and scams. I tried getting my Ex back Madison Lacy, some kind of freaks out here they asked for Items fee i paid and continue to pay but nothing happened.One Saturday morning I was less busy form work I went on line till i got to read about a Testimony on net like we all do here and saw The great Dr. Abu Buster how he has helped so many people and saw his qualities and also more Testimonies about him, Today Dr Abu Buster has helped me gotten back my Ex Madison Lacy and also cure me from a lungs cancer and also he can do so many things like Cure of Hepatitis A,B,C, HIV/AIDS Spell, Getting your Ex back Spell, Money Spell,Lottery Spell,Good luck Spell e.t.c I can never stop Testifying of this great man Dr Abu Buster his email is: Abuspellhome@hotmail.com because I never trusted any one on net but with him there is a end to all my problems now I am living Happily with my Ex who just gave me a male Child Kelvin" Dr Abu you are the Best among the rest, viewers out there contact Dr Abu today and that will be the end of your problem.If possible I would have bring him down to United Kingdom.All thanks to you Papa.
Abuspellhome@hotmail.com
Contact him and remain blessed..