Friday, June 19, 2009

ATMs Hacked by Brilliant Trojan Malware

As if we needed another reason to dislike the Microsoft Windows OS... then this happens. Windows-based ATMs in Russia and the Ukraine are apparently being trojaned, quite cleverly may I add, to become silent theives!
"What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine's banknote storage cassette into the street." (Paul Marks, NewScientist, June 17, 2009)
That's just incredible. What makes this even more crazy-sounding is that it's not like you can walk up to an ATM and insert a USB key, or point to some shady URL... this has to be an inside job. Criminals are getting to the people who engineer and/or services Automated Teller Machines [ATMs] and having them insert these little "digital skimmer" trojans.
"Equally ingenious is how the crooks harvest their stolen data - by using the ATM's receipt printer. Inserting a trigger card into the machine's slot causes the malware to launch a small window on the screen, with a variety of options. The first is to print out a list of all recently used cards. The data on the printout is encrypted, so crime bosses could enlist low-level accomplices to visit ATMs to retrieve the printouts, safe in the knowledge that they cannot use the data to clone cards themselves." (Paul Marks, NewScientist, June 17, 2009)
Crooks have really thought of everything. I know I've agrued for a long while that targeted malware is reaching a point in the evolutionary cycle where "anti-malware" programs as we know them may as well not even be installed. It's crazy to think that these pieces of software are so optimized, so well-hidden, and so well constructed that they can not only hide inside a system undetected - but they can also modify themselves (as this article suggest) in order to further evade detection! What's next... I'm almost afraid to ask!

Here's the real meat of the problem... this isn't a traditional hack job, in the pure sense - it's social engineering (maybe some extortion too) throwin into the mix. This reeks of the crime syndicate methods of old...and new. Getting software onto a computer remotely is one thing; but being brazen enough to get it onto a machine by manually putting it there... that's an entirely new level of commitment. Of course, the amount of money these criminals are able to skim probably justifies this. Think of the organizational heirarchy that has to be in place (or has long been in place, as I suggested previously) to execute these types of attacks.

"The hardest bit for the criminals is installing the malware in the first place, as it requires physical access to the machine. That most likely means an inside job within a bank, or using bribes or threats to encourage shop staff to provide access to a standalone ATM in a shop or mall.

News of the card-data harvester has shocked banks and security analysts. "My reaction to this was: how the hell did they get that software in there?" says Lachlan Gunn, head of EAST. "It must involve insiders." Colin Whittaker, head of security at the UK's Association for Payment Clearing Services (APACs), agrees: "The levels they have gone to to corrupt ATM engineers and install this software is just incredible." "

So now you have an inside job, run by someone with access to incredibly sophisticated programming talents, deep pockets and henchmen who are willing to do the dirty work. Well, if this doesn't immediately scream organized crime to you - you've got to open your ears. We've had more than ample evidence over the last several years that organized crime is more and more interested in computer crime - and this takes it to levels previously unseen. I think, quite honestly, security is now at least 2-3 steps back behind the "bad guys"... sounds like there is quite a problem brewing.

** Huge thanks to Gunter Ollmann for pointing me to this, the original TrustWave report, on Twitter. Gotta love that social medium! Notice the "file creation/install date: July 2007"... wow.

More as this develops...


your friend who wishes to remain anonymous said...

As your post points out, the OS is irrelevant, whether Windows, a proprietary OS, or Linux matters not. Whenever someone has physical access to the machines and the OS/software stack, all bets are off.

Zonky said...

It does make you where in the chain of 'trust' this has broken down.

Are banks buying (closed source) ATM software, which they can lightly customise the gui?

If they do get the source, are they building from source, rather than accepting a binary?

Are the developing it all in house?

Or is it all done in house

I just can't really see how this could happen with a development cycle.... without high levels of corruption within the banks internal team/initial developer.

Unless, someone had physical access to the ATM after the software was written....

Rafal Los said...

@Zonky - That's the crux. It is strongly hinted that the ATMs were accessed *after* they were released for production-readiness and the malware loaded at that point. Of course, as you point out this does raise a question of physical control, and insider access/corruption. That's my only guess, and why I am linking it to organized crime... who else would have the means, funds, and determination to complete such a thorough "corruption" of an otherwise [supposedly] air-tight system!?

I say "supposedly" partly laughing because we all know ATMs were compromised before (as when SQL Slammer took out most of the ATMs in the US).

Anonymous said...

This is not Microsoft's fault. This is an inside job, and it is the fault of the organization(s) involved. An operating system is not responsible for the criminal actions of people in situations like this. It is up to the organization(s) involved to recruit good employees, train them, and implement a management system to safeguard its assets/operations.


Rafal Los said...

@Anonymous - I don't disagree it's not Microsoft's fault, per se... but it is just another pile-on to an already perceived insecure platform.