June 4, 2009 10:26 AM PDT
Malware has been found on ATMs in Eastern Europe and elsewhere that allows criminals to steal account data and PINs and even empty the machine of its cash, a computer forensics expert said.
About 20 ATMs have been compromised in that manner, mostly in Russia and the Ukraine, but there are “early indications” of compromised ATMs in the U.S., said Nicholas Percoco, vice president and head of SpiderLabs at Trustwave, which provides data security and payment card compliance services.
Percoco said he could not elaborate further on where the compromised ATMs were located and how they were used.
Someone had to manually install the malware on the machines, so an insider is likely responsible: either an employee at the bank, the ATM vendor or a company that services the machines, or someone close to such an insider, Percoco said in a telephone interview late on Wednesday.
The machines, all running Windows XP, had an executable on them that was masquerading as a legitimate Windows protected storage service, he said. The malware looks at all the data being processed by the ATM and records account information that is stored on the magnetic stripes on cards inserted into the machine and encrypted PIN blocks that are generated when someone types in their personal identification number, he said.
Although the PINs are encrypted, criminals could potentially intercept the encryption keys exchanged with the bank and use them to decrypt the PINs, he added.
Once the malware has been hidden on the ATM for a period of time, the criminal can return to the machine and use a special “trigger” card to control the ATM, either printing the stolen data directly from the machine or instructing the ATM to dispense all the cash it holds, according to Percoco. ATMs can hold as much as $600,000 at a time, he said.
“There is evidence that (trigger) cards were used,” he said, adding that he could not comment on the number of accounts affected or amount of money stolen. The malware was first installed on at least one of the machines in July 2007, he said.
This is not the first time malware has been discovered on ATMs, Percoco said. “But this is probably the most sophisticated malware found on an ATM,” he said. “In all the versions we’ve looked at (the criminals) are enhancing the application as they go. They must be getting feature requests from someone.”
The latest version of the malware code found on some of the machines includes a function for writing the stolen data onto a card with an embedded memory chip, the kind commonly used in Europe, he said. However, that function does not appear to work, he added.
Although the malware was installed on the ATMs manually, it’s possible that future attacks would involve the propagation of the malware through the ATM network, he said.
Consumers should avoid using any ATM that does not “look right,” Percoco said; for instance, one whose screen shows a different interface or strange commands.
Criminals also place “skimmers” over the slot where the card is inserted to capture the card data, and can record PINs with a hidden video camera positioned nearby.