
鈥淪KULDUGGERY,鈥 says Andrew Henwood, 鈥渋s a very good word to describe what this extremely advanced, cleverly written malware gets up to. We鈥檝e never seen anything like it.鈥
What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a 鈥渢rigger鈥 card, and use the machine鈥檚 receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates 鈥 and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine鈥檚 banknote storage cassette into the street.
The software is the latest move in a security arms race after banks and consumers got wise to the fitting of fake fascias onto ATMs. These fascias have been criminals鈥 main way of using ATMs to get the details they need to clone cards. They contain a camera to spy on PINs being entered on the keypad, and a card reader to skim data from the card鈥檚 magnetic stripe. It鈥檚 big business: across Europe, losses due to such to 鈧484 million in 2008, according to the , funded by the European Union and based in Edinburgh, UK (see graph).
Advertisement
Banks responded by investing in anti-skimming technology 鈥 which can detect a fake fascia overlay and disable the ATM. So crooks are developing new tricks, which are being uncovered by Henwood and his colleagues at SpiderLabs, a computer forensics research centre in London.
Part of Trustwave, a computer security firm based in Chicago and London, SpiderLabs was hired by a banking group from eastern Europe, after the group discovered heightened levels of card cloning and strange ATM behaviour across its branches in Russia and Ukraine.
After months poring over the Windows-based software in the bank鈥檚 ATMs, Henwood and his team were astonished. They found a 50-kilobyte piece of malware disguised as a legitimate Windows program called lsass.exe. In a PC, this helps the Microsoft operating system cache session data 鈥 so users don鈥檛 have to re-enter their passwords every time they get a new email, for example.
This is a clever choice of camouflage, says SpiderLabs鈥 forensics manager Stephen Venter: to an IT staffer, lsass.exe doesn鈥檛 look out of place in a Windows system, so routine checks wouldn鈥檛 necessarily pick it up. Yet it has no useful function in an ATM.
Once installed, the malware implements a 鈥渃ard data harvesting鈥 routine, SpiderLabs said in an issued at the end of May. When a customer inserts their card, the malware records to hard disc its account number, start date, expiry date and three-digit security code, as well as the PIN entered.
鈥淭hat PIN data gets encrypted when it is transmitted through to the bank,鈥 explains Henwood, 鈥渂ut inside the machine it鈥檚 in the clear. So this little bugger just sits there stealing all the card data.鈥
鈥淚nside the ATM the PIN is unencrypted. So this little bugger just sits there stealing all the card data鈥
Equally ingenious is how the crooks harvest their stolen data 鈥 by using the ATM鈥檚 receipt printer. Inserting a trigger card into the machine鈥檚 slot causes the malware to launch a small window on the screen, with a variety of options. The first is to print out a list of all recently used cards. The data on the printout is encrypted, so crime bosses could enlist low-level accomplices to visit ATMs to retrieve the printouts, safe in the knowledge that they cannot use the data to clone cards themselves.
Another option on the menu even lets criminals with extended 鈥渁ccess privileges鈥 eject the cash cassette, although this only works with older, front-loading ATMs.
The hardest bit for the criminals is installing the malware in the first place, as it requires physical access to the machine. That most likely means an inside job within a bank, or using bribes or threats to encourage shop staff to provide access to a standalone ATM in a shop or mall.
News of the card-data harvester has shocked banks and security analysts. 鈥淢y reaction to this was: how the hell did they get that software in there?鈥 says Lachlan Gunn, head of EAST. 鈥淚t must involve insiders.鈥 Colin Whittaker, head of security at the UK鈥檚 Association for Payment Clearing Services (APACs), agrees: 鈥淭he levels they have gone to to corrupt ATM engineers and install this software is just incredible.鈥
SpiderLabs鈥 analysts studied lsass.exe malware on 20 ATMs. They found multiple variants, and warn that it is almost certainly programmed to evolve further. One big concern is that it will become network capable 鈥 able to spread from machine to machine over the closed networks used by banks.
The discovery of the malware is likely to force banks to change their approach to ATM security. Past efforts have focused on developing 鈥渉igh-end security engineering鈥 to authenticate customers鈥 identities, says Whittaker. 鈥淲e haven鈥檛 perhaps given the ATMs鈥 physical infrastructure much attention.鈥
The malware is hidden in various Windows utilities, so it is unlikely to be caught by virus checkers. But banks will almost certainly introduce strong audit trails for the staff and engineers who have physical access to the guts of ATMs, for example, and block any USB connections to the ATM computers, so external pen drives cannot be connected to upload malware.
They need to move fast; SpiderLabs expects the technology to spread from eastern Europe to the US and Asia. European countries using chip-and-PIN cards will initially be immune because these ATMs encrypt PINs as they are typed, but it probably won鈥檛 take hackers long to get around this too.