New ATM ripoff scheme on its way
Cash machines hacked to spew out card details
by Paul Marks for newscientist.com
"SKULDUGGERY," says Andrew Henwood, "is a very good word to describe what this extremely advanced, cleverly written malware gets up to. We've never seen anything like it."
What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs.
SpiderLabs ... found a 50-kilobyte piece of malware disguised as a legitimate Windows program called lsass.exe. In a PC, this helps the Microsoft operating system cache session data - so users don't have to re-enter their passwords every time they get a new email, for example.
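One defender-side check that the masquerading described above invites, added here as an example (it is not from the article or from SpiderLabs): flag any process carrying the lsass.exe name whose image does not live in the Windows System32 directory, and flag the machine when more than one such instance is running. The process records are constructed sample data and the install root is assumed to be C:\Windows.

```python
# Spot processes borrowing the lsass.exe name but running from the wrong place.
# The genuine Local Security Authority process lives in %SystemRoot%\System32 and
# runs as a single instance, so anything else with that name deserves a look.
import ntpath
from dataclasses import dataclass

# Assumption: default install root; change if SystemRoot differs.
SYSTEM_ROOT = r"C:\Windows"
GENUINE_DIR = ntpath.join(SYSTEM_ROOT, "System32").lower()
WATCHED_NAME = "lsass.exe"


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    image_path: str  # full path of the executable image, as a process lister reports it


def masquerade_findings(processes):
    """Return a sorted list of (pid, reason) for every lsass.exe that fails a check.

    Check 1: the image directory, after collapsing '..' segments and case, must be
    System32. Check 2: only one lsass.exe may run; extra instances that pass check 1
    are still reported so an analyst compares them against the flagged ones."""
    matches = [p for p in processes if p.name.lower() == WATCHED_NAME
               or ntpath.basename(p.image_path).lower() == WATCHED_NAME]
    findings, clean = [], []
    for p in matches:
        image_dir = ntpath.dirname(ntpath.normpath(p.image_path)).lower()
        if image_dir != GENUINE_DIR:
            findings.append((p.pid, f"image runs from {image_dir}, expected {GENUINE_DIR}"))
        else:
            clean.append(p)
    if len(matches) > 1:
        for p in clean:
            findings.append((p.pid, f"{len(matches)} lsass.exe instances running; a healthy system has one"))
    return sorted(findings)


# Constructed sample listing: one genuine instance, one planted under a made-up
# application folder, one hiding behind a '..' traversal that resolves to Temp.
SAMPLE_PROCESSES = [
    Process(612, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Process(980, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Process(1488, "lsass.exe", r"C:\Program Files\ExampleApp\lsass.exe"),
    Process(2044, "lsass.exe", r"C:\WINDOWS\system32\..\Temp\lsass.exe"),
]

if __name__ == "__main__":
    for pid, reason in masquerade_findings(SAMPLE_PROCESSES):
        print(f"PID {pid}: {reason}")
```

In practice the process list comes from the host itself (for example a scheduled task that records image paths), and the path check is the durable one: a name alone proves nothing.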
The hardest bit for the criminals is installing the malware in the first place, as it requires physical access to the machine. That most likely means an inside job within a bank, or using bribes or threats to encourage shop staff to provide access to a standalone ATM in a shop or mall.
One big concern is that it will become network capable - able to spread from machine to machine over the closed networks used by banks.
SpiderLabs expects the technology to spread from eastern Europe to the US and Asia. European countries using chip-and-PIN cards will initially be immune because these ATMs encrypt PINs as they are typed, but it probably won't take hackers long to get around this too.