First published: 30th June 2009
Security researchers at SpiderLabs, a computer forensics research centre in London and part of Trustwave, a computer security firm, have uncovered a 50-kilobyte piece of malware disguised as a legitimate Windows program called lsass.exe in Russian and Ukrainian ATMs. The malware recognises when a “trigger” card is inserted and uses the machine’s receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates – and their PINs. In some cases, it may allow the machine’s banknote storage cassette to be ejected.
SpiderLabs was asked to investigate when a banking group from eastern Europe noted a rise in levels of card cloning and strange ATM behaviour across its branches.
Installing the software would require physical access to the inside of the ATM. Together with the fact that the printed list of card details is encrypted, this points to the existence of a highly organised gang, including bank staff, programmers, and low-level, untrusted members who visit the machines.
SpiderLabs found multiple variants and speculated that new variants might be worms, able to use the trusted, encrypted bank network to spread from machine to machine. SpiderLabs also said that it had evidence the scheme was being distributed to other parts of the world, but would not reveal what that evidence was.