June 4, 2009 10:26 AM PDT

ATM malware lets criminals steal data and cash

by Elinor Mills

Malware has been found on ATMs in Eastern Europe and elsewhere that allows criminals to steal account data and PINs and even empty the machine of its cash, a computer forensics expert said.

About 20 ATMs have been compromised in that manner, mostly in Russia and Ukraine, but there are "early indications" of compromised ATMs in the U.S., said Nicholas Percoco, vice president and head of SpiderLabs at Trustwave, which provides data security and payment card compliance services.

Nicholas Percoco heads up Trustwave's SpiderLabs, the forensics team that discovered the malware on the ATMs.

(Credit: Trustwave)

Percoco said he could not elaborate further on where the compromised ATMs were located and how they were used.

Someone had to manually install the malware on the machines, so it's likely that an insider is responsible: either an employee at the bank, the ATM vendor, a company that services the machines, or someone close to an insider, Percoco said in a telephone interview late on Wednesday.

The machines, all running Windows XP, had an executable on them that was masquerading as a legitimate Windows protected storage service, he said. The malware looks at all the data being processed by the ATM and records account information that is stored on the magnetic stripes on cards inserted into the machine and encrypted PIN blocks that are generated when someone types in their personal identification number, he said.

Although the PINs are encrypted, criminals could potentially intercept the encryption keys exchanged with the bank and use them to decrypt the PINs, he added.

Once the malware has been hidden on the ATM for a period of time, the criminal can return to the machine and use a special "trigger" card to control the ATM and print out the stolen data directly from the machine, or instruct the ATM to dispense all the cash it has, according to Percoco. ATMs can hold as much as $600,000 at a time, he said.

"There is evidence that (trigger) cards were used," he said, adding that he could not comment on the number of accounts affected or amount of money stolen. The malware was first installed on at least one of the machines in July 2007, he said.

This is not the first time malware has been discovered on ATMs, Percoco said. "But this is probably the most sophisticated malware found on an ATM," he said. "In all the versions we've looked at (the criminals) are enhancing the application as they go. They must be getting feature requests from someone."

The latest version of the malware code found on some of the machines includes a function for writing the stolen data onto a card with a memory chip on it, a card type commonly used in Europe, he said. However, that function does not appear to work, he added.

Although the malware was installed on the ATMs manually, it's possible that future attacks would involve the propagation of the malware through the ATM network, he said.

Consumers should avoid using any ATM that does not "look right," Percoco said, for instance, if the screen has a different interface or strange commands.

Also, criminals use "skimmers" fitted over the slot where the card is inserted to steal the card data that way, and can record PINs with a hidden video camera positioned nearby.

March 22, 2009 9:01 PM PDT

Report: Rogue antivirus software pays off for scammers

by Elinor Mills

Updated March 23, 5:03 a.m. PDT with a link to the new Cybercrime Intelligence Report.

Online scammers are making a lucrative business out of redirecting visitors from legitimate Web sites to sites that try to install rogue antivirus software, according to a report due to be released by security firm Finjan on Monday.

Finjan's Malicious Code Research Center came across a traffic management server in Ukraine used by underground online scammers to keep track of how many redirects their rogue antivirus sites get from legitimate sites that have been compromised.

Typically, rogue antivirus software displays a message saying that the PC is infected and offering antivirus software for sale. In a successful attack, the scammers end up with the victim's credit card information and don't bother to install any legitimate software.

Members of the "affiliate network" who compromise legitimate Web sites get 9.6 cents for each successful redirect, Finjan said in its latest Cybercrime Intelligence Report. There were 1.8 million unique users redirected to the rogue antivirus software during the 16 consecutive days Finjan was monitoring the network, or about $10,800 for each day, the researchers calculated.

Finjan also discovered that between 7 percent and 12 percent of people end up installing the rogue antivirus software and 1.79 percent of them paid $50 for it.

Finjan researchers said they weren't certain how the legitimate Web sites were compromised. Once the sites were compromised, the scammers made heavy use of search engine optimization techniques to get those sites ranked high in search results by dynamically generating search keywords with typos and popular terms that people might use, Finjan said.

Lured by the high ranking on search engines, visitors end up on the compromised sites and are immediately redirected to pages that try to install rogue antivirus software on their computers.
