March 18th, 2009

Diebold ATMs infected with credit card skimming malware

Posted by Dancho Danchev @ 9:40 am

Categories: Anti Virus, Complex Attacks, Data theft, Malware, Rootkits

Tags: Security, ATM, Diebold, Insider, Credit Card Fraud, Skimming, Dancho Danchev

Theory turns into practice. Yesterday, Sophos Principal Virus Researcher Vanja Svajcer posted an analysis of Troj/Skimer-A, malware that targets Windows-based Diebold cash machines and is capable of intercepting card details together with their associated PINs.

The malware is coded to target only Russian, Ukrainian and US currency transactions, and Diebold confirmed isolated incidents in January 2009. What is particularly interesting about this ATM malware is that it requires insider access to the machine, in contrast to the mainstream external attack of attaching a skimming device to the ATM.

Here are more details on how the malware operates:

“The main executable is a dropper with the dropped object stored in one of the PE resources, as is often the case with Trojan droppers. The code stops and modifies the Protected Storage service to launch the dropped file lsass.exe from the Windows folder, not the original one in the Windows System folder, and attempts to replace some files belonging to the software used by ATMs.

The main Trojan executable contains the code to handle the magnetic card reader using undocumented Diebold Agilis 91x functions, inject code into the ATM’s processes, parse transactions in Ukrainian, Russian and US currencies and use the printer, probably for printing the stolen data. I am also fairly sure that some of the instructions to the keyboard for typing PIN numbers are connected with hooks to log the captured PINs.”
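The persistence trick Sophos describes (a legitimate service re-pointed at a look-alike lsass.exe dropped outside System32) is cheap to check for once you know to look. The script below is an added example, not code from Sophos or Diebold. It scans service ImagePath values for two anomalies: a core Windows binary name resolving outside %SystemRoot%\System32, and a service whose executable differs from a known-good baseline. The service records, environment and baseline are constructed for the example, on the assumption of a Windows XP-era layout in which the Protected Storage service (service name ProtectedStorage) is hosted by %SystemRoot%\system32\lsass.exe; on a real machine the records would come from `sc qc <name>` or the registry under HKLM\SYSTEM\CurrentControlSet\Services.

```python
"""Flag Windows services whose binary path points at a core system
process name living outside System32, or deviates from a baseline.
Example code; service data below is constructed, not captured."""
import ntpath
import re

# Core processes that should only ever run from %SystemRoot%\System32.
CORE_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe",
                 "winlogon.exe", "services.exe"}

# Constructed environment used to expand %VAR% references (assumed XP layout).
ENV = {"SYSTEMROOT": r"C:\WINDOWS", "WINDIR": r"C:\WINDOWS"}

# Known-good executable per service (assumption: XP hosts Protected Storage
# in lsass.exe). Extend this from a clean reference image of the ATM build.
BASELINE = {
    "ProtectedStorage": r"%SystemRoot%\system32\lsass.exe",
}

# Constructed samples: a clean service table and one tampered the way the
# analysis describes (Protected Storage re-pointed at %SystemRoot%\lsass.exe).
CLEAN_SERVICES = {
    "ProtectedStorage": r"%SystemRoot%\system32\lsass.exe",
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "VendorAgent": r'"C:\Program Files\Vendor\agent.exe" /service',
}
TAMPERED_SERVICES = dict(CLEAN_SERVICES,
                         ProtectedStorage=r"%SystemRoot%\lsass.exe")


def expand_env(path):
    """Expand %VAR% tokens from ENV, case-insensitively; leave unknowns alone."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def executable_from_image_path(image_path):
    """Return the executable part of an ImagePath, which may be quoted
    ("C:\\Program Files\\x\\y.exe" /arg) or unquoted with arguments."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        exe = image_path[1:end] if end > 0 else image_path[1:]
    else:
        exe = image_path.split(" ", 1)[0]
    return exe


def normalize(path):
    """Expand variables, normalise separators/dots and lower-case for comparison."""
    return ntpath.normpath(expand_env(path)).lower()


def check_service(name, image_path):
    """Return a list of human-readable findings for one service (empty = clean)."""
    findings = []
    exe = normalize(executable_from_image_path(image_path))
    exe_dir, exe_name = ntpath.dirname(exe), ntpath.basename(exe)
    system32 = normalize(r"%SystemRoot%\system32")

    # 1. A core binary name launched from anywhere but System32.
    if exe_name in CORE_BINARIES and exe_dir != system32:
        findings.append(f"{name}: {exe_name} runs from {exe_dir}, expected {system32}")

    # 2. Deviation from the known-good executable for a baselined service.
    expected = BASELINE.get(name)
    if expected is not None and normalize(expected) != exe:
        findings.append(f"{name}: ImagePath {exe} differs from baseline {normalize(expected)}")
    return findings


def scan(services):
    """Run check_service over a {name: ImagePath} table; return all findings."""
    return [f for name, path in services.items() for f in check_service(name, path)]


if __name__ == "__main__":
    print("clean table:", scan(CLEAN_SERVICES) or "no findings")
    for finding in scan(TAMPERED_SERVICES):
        print("tampered table:", finding)
```

The path normalisation matters: an ImagePath of `%SystemRoot%\lsass.exe` and `C:\WINDOWS\system32\..\lsass.exe` both resolve to the same dropped file, so compare after expansion and `normpath`, not on the raw string. The baseline check is the more general control; the core-binary heuristic catches the same trick against services you never baselined.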

Despite the potential for infiltrating the assembly line and shipping machines pre-infected, or for tampering with deployed machines through social engineering, ATM-based malware isn’t going mainstream just yet. How come? Because from a scammer’s perspective there are better “alternatives”.

In October 2008, Zero Day provided an exclusive overview of what may easily be the future of ATM skimming: external ATM skimmers with built-in SMS notification for secure extraction of stolen data. That design solves two of the skimmer’s biggest problems. The first is recovering the captured data without the risk of getting caught when coming back for the device. The second is the lack of trust between the scammers orchestrating the attack and the insiders involved, who can potentially cheat them. Troj/Skimer-A addresses the same trust problem in its own way: according to Sophos, it encrypts the intercepted financial data, a practice aimed at ensuring that the insiders who infected the ATM can’t cut the rest of the participants out of their share.

Capable of sending 1,856 SMS messages, that is, 1,856 transactions without recharging, this $8,500 device gives scammers both anonymity and flexibility, allowing them to build an infrastructure of tampered ATMs across the globe. Of course, their approach isn’t perfect, since financial institutions around the world are considering adapting to the threat by jamming cell phone communications around ATMs. Last month, South Korea’s National Police Agency indicated a similar intention, following Japan’s ban on cell phones around ATMs.

Whether or not the insider access prerequisite drives scammers away from the malware approach, external ATM skimming attacks are definitely here to stay.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

Talkback
RE: Diebold ATMs infected with credit card skimming malware
Great article. Malicious malware is present in the society. That's why credit card companies are doing their best to avoid fraudulent activities.
CreditCard ...
Posted by: credit card | 09/03/09
That's why I only use bank ATMs with my card and CC for everything else  Been_Done_Before | 03/18/09
More reasons why Windows has no place period  itguy08 | 03/18/09
You are such a fanboy  croberts | 03/18/09
RE: You are such a fanperson  n0neXn0ne | 03/18/09
Would you be so kind as to provide evidence to sustain your claims?  InAction Man | 03/18/09
Perhaps if you read the article...  NStalnecker | 03/18/09
Using unsubstantiated claims to avoid seeing reality for what it is  InAction Man | 03/18/09
Here is a challenge for you:  NStalnecker | 03/19/09
Give us a Break  paullkellysr | 03/19/09
Blaming the OS?  LandonAB | 03/18/09
RE: Blaming the OS ... is legit  n0neXn0ne | 03/18/09
Thanks  LandonAB | 03/18/09
Noooo!!! Blame the user  InAction Man | 03/18/09
RE: Noooo!!! Blame the user ... for what ?...  n0neXn0ne | 03/18/09
Simple - easy to hack  itguy08 | 03/19/09
An ATM Running Windows!  Grayson Peddie | 03/18/09
RE: Diebold ATMs infected with credit card skimming malware  gertruded | 03/19/09
Wow what a hater. You sound like one of those "Bush planned 9-11"  invmgr@... | 03/24/09
RE: Diebold ATMs infected with credit card skimming malware  madcrutch | 03/19/09
And these guys are the same ones  rcfoulk@... | 03/19/09
The OS isn't the problem ...  Tony R. | 03/23/09
RE: Diebold ATMs infected with credit card skimming malware  PatrynXX | 03/19/09
RE: Diebold ATMs infected with credit card skimming malware  cb77305 | 03/19/09
Really???  i8thecat | 03/19/09
That's no guarantee, unfortunately.  TripleII | 03/19/09
REALLY?????  for8 | 03/20/09
Isn't Diebold the company that makes voting machines?  Tony R. | 03/23/09
Diebold's voting machines  brambeus | 03/25/09
MD5's for known good files?  madrucke@... | 03/23/09
cheaper losses  zorfor | 03/23/09
Cheaper?  dabble53 | 03/23/09
Agreed  ExCorpGuy | 03/24/09
They steal votes and money - Dibold sucks!!  Reality Bites | 04/15/09
RE: Diebold ATMs infected with credit card skimming malware  credit card | 09/03/09
