eastlondonseagull
This is bloody scary. Clever buggers these criminals...
Cash machines hacked to spew out card details - tech - 17 June 2009 - New Scientist
"SKULDUGGERY," says Andrew Henwood, "is a very good word to describe what this extremely advanced, cleverly written malware gets up to. We've never seen anything like it."
What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine's banknote storage cassette into the street.
The software is the latest move in a security arms race after banks and consumers got wise to the fitting of fake fascias onto ATMs. These fascias have been criminals' main way of using ATMs to get the details they need to clone cards. They contain a camera to spy on PINs being entered on the keypad, and a card reader to skim data from the card's magnetic stripe. It's big business: across Europe, losses due to such fraud grew by 11 per cent to €484 million in 2008, according to the European ATM Security Team (EAST), funded by the European Union and based in Edinburgh, UK (see graph).
Banks responded by investing in anti-skimming technology - which can detect a fake fascia overlay and disable the ATM. So crooks are developing new tricks, which are being uncovered by Henwood and his colleagues at SpiderLabs, a computer forensics research centre in London.
Part of Trustwave, a computer security firm based in Chicago and London, SpiderLabs was hired by a banking group from eastern Europe, after the group discovered heightened levels of card cloning and strange ATM behaviour across its branches in Russia and Ukraine.
After months poring over the Windows-based software in the bank's ATMs, Henwood and his team were astonished. They found a 50-kilobyte piece of malware disguised as a legitimate Windows program called lsass.exe. In a PC, this helps the Microsoft operating system cache session data - so users don't have to re-enter their passwords every time they get a new email, for example.
This is a clever choice of camouflage, says SpiderLabs' forensics manager Stephen Venter: to an IT staffer, lsass.exe doesn't look out of place in a Windows system, so routine checks wouldn't necessarily pick it up. Yet it has no useful function in an ATM.
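The kind of baseline check that would catch an lsass.exe look-alike where a name-only glance does not, as an added example that is not the article's or SpiderLabs' code. It runs over a constructed process inventory rather than a live host; the System32 path, the signer strings and the Proc fields are assumptions about what a fleet audit export would carry.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed install root; on a real host read %SystemRoot% instead of hardcoding it.
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")


@dataclass(frozen=True)
class Proc:
    """One row of a process inventory (constructed; fields an audit export would carry)."""
    pid: int
    name: str
    path: str        # full image path on disk
    signer: str      # Authenticode subject name, "" when unsigned
    sig_valid: bool  # signature chain verified by the collector


def lsass_findings(procs):
    """Map pid -> reasons for every lsass.exe that breaks the baseline rules.

    A genuine LSASS runs once, from %SystemRoot%\\System32, and is Microsoft-signed;
    anything named lsass.exe that fails one of those rules is worth an analyst's look.
    """
    findings = {}
    lsass = [p for p in procs if p.name.lower() == "lsass.exe"]
    for p in lsass:
        reasons = []
        if len(lsass) > 1:
            reasons.append("more than one lsass.exe running")
        if PureWindowsPath(p.path).parent != SYSTEM32:  # PureWindowsPath compares case-insensitively
            reasons.append("image outside %SystemRoot%\\System32")
        if not (p.sig_valid and "microsoft" in p.signer.lower()):
            reasons.append("not signed by Microsoft")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample: the real LSASS plus a look-alike dropped under a vendor folder.
INVENTORY = [
    Proc(616, "lsass.exe", r"C:\Windows\System32\lsass.exe", "Microsoft Windows", True),
    Proc(2140, "lsass.exe", r"C:\ATMApp\lsass.exe", "", False),
    Proc(1208, "svchost.exe", r"C:\Windows\System32\svchost.exe", "Microsoft Windows", True),
]

if __name__ == "__main__":
    for pid, reasons in lsass_findings(INVENTORY).items():
        print(pid, "; ".join(reasons))
```

When two instances exist the genuine one is flagged too, deliberately: the analyst then compares both rather than trusting whichever happened to start first.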
Once installed, the malware implements a "card data harvesting" routine, SpiderLabs said in an alert to banks issued at the end of May. When a customer inserts their card, the malware records to hard disc its account number, start date, expiry date and three-digit security code, as well as the PIN entered.
"That PIN data gets encrypted when it is transmitted through to the bank," explains Henwood, "but inside the machine it's in the clear. So this little bugger just sits there stealing all the card data."
Equally ingenious is how the crooks harvest their stolen data - by using the ATM's receipt printer. Inserting a trigger card into the machine's slot causes the malware to launch a small window on the screen, with a variety of options. The first is to print out a list of all recently used cards. The data on the printout is encrypted, so crime bosses could enlist low-level accomplices to visit ATMs to retrieve the printouts, safe in the knowledge that they cannot use the data to clone cards themselves.
Another option on the menu even lets criminals with extended "access privileges" eject the cash cassette, although this only works with older, front-loading ATMs.
The hardest bit for the criminals is installing the malware in the first place, as it requires physical access to the machine. That most likely means an inside job within a bank, or using bribes or threats to encourage shop staff to provide access to a standalone ATM in a shop or mall.
News of the card-data harvester has shocked banks and security analysts. "My reaction to this was: how the hell did they get that software in there?" says Lachlan Gunn, head of EAST. "It must involve insiders." Colin Whittaker, head of security at the UK's Association for Payment Clearing Services (APACS), agrees: "The levels they have gone to to corrupt ATM engineers and install this software is just incredible."
SpiderLabs' analysts studied lsass.exe malware on 20 ATMs. They found multiple variants, and warn that it is almost certainly programmed to evolve further. One big concern is that it will become network capable - able to spread from machine to machine over the closed networks used by banks.
The discovery of the malware is likely to force banks to change their approach to ATM security. Past efforts have focused on developing "high-end security engineering" to authenticate customers' identities, says Whittaker. "We haven't perhaps given the ATMs' physical infrastructure much attention."
The malware is hidden in various Windows utilities, so it is unlikely to be caught by virus checkers. But banks will almost certainly introduce strong audit trails for the staff and engineers who have physical access to the guts of ATMs, for example, and block any USB connections to the ATM computers, so external pen drives cannot be connected to upload malware.
They need to move fast; SpiderLabs expects the technology to spread from eastern Europe to the US and Asia. European countries using chip-and-PIN cards will initially be immune because these ATMs encrypt PINs as they are typed, but it probably won't take hackers long to get around this too.