"What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine's banknote storage cassette into the street." (Paul Marks, NewScientist, June 17, 2009)

That's just incredible. What makes this even more crazy-sounding is that it's not like you can walk up to an ATM and insert a USB key, or point it at some shady URL... this has to be an inside job. Criminals are getting to the people who engineer and/or service Automated Teller Machines (ATMs) and having them install these little "digital skimmer" trojans.
"Equally ingenious is how the crooks harvest their stolen data - by using the ATM's receipt printer. Inserting a trigger card into the machine's slot causes the malware to launch a small window on the screen, with a variety of options. The first is to print out a list of all recently used cards. The data on the printout is encrypted, so crime bosses could enlist low-level accomplices to visit ATMs to retrieve the printouts, safe in the knowledge that they cannot use the data to clone cards themselves." (Paul Marks, NewScientist, June 17, 2009)

Crooks have really thought of everything. I've argued for a long while that targeted malware is reaching a point in the evolutionary cycle where "anti-malware" programs as we know them may as well not even be installed. It's crazy to think that these pieces of software are so optimized, so well-hidden, and so well constructed that they can not only hide inside a system undetected - but they can also modify themselves (as this article suggests) in order to further evade detection! What's next... I'm almost afraid to ask!
Here's the real meat of the problem... this isn't a traditional hack job in the pure sense - it's social engineering (maybe some extortion too) thrown into the mix. This reeks of the crime syndicate methods of old... and new. Getting software onto a computer remotely is one thing; being brazen enough to get it onto a machine by manually putting it there... that's an entirely new level of commitment. Of course, the amount of money these criminals are able to skim probably justifies it. Think of the organizational hierarchy that has to be in place (or has long been in place, as I suggested previously) to execute these types of attacks.
So now you have an inside job, run by someone with access to incredibly sophisticated programming talent, deep pockets and henchmen who are willing to do the dirty work. Well, if this doesn't immediately scream organized crime to you - you've got to open your ears. We've had more than ample evidence over the last several years that organized crime is more and more interested in computer crime - and this takes it to levels previously unseen. I think, quite honestly, security is now at least 2-3 steps behind the "bad guys"... sounds like there is quite a problem brewing.
"The hardest bit for the criminals is installing the malware in the first place, as it requires physical access to the machine. That most likely means an inside job within a bank, or using bribes or threats to encourage shop staff to provide access to a standalone ATM in a shop or mall.

News of the card-data harvester has shocked banks and security analysts. "My reaction to this was: how the hell did they get that software in there?" says Lachlan Gunn, head of EAST. "It must involve insiders." Colin Whittaker, head of security at the UK's Association for Payment Clearing Services (APACs), agrees: "The levels they have gone to to corrupt ATM engineers and install this software is just incredible."" (Paul Marks, NewScientist, June 17, 2009)
** Huge thanks to Gunter Ollmann for pointing me to this (the original TrustWave report) on Twitter. Gotta love that social medium! Notice the "file creation/install date: July 2007"... wow.
More as this develops...