Channel: ATM Archives - Security Affairs
How to withdraw up to $50,000 in cash from an ATM by using data stolen from EMV cards

Researchers have demonstrated how crooks can make ATMs spit out thousands of dollars in cash in just a few minutes by using data stolen from EMV cards.

When the EMV (Europay, MasterCard, and Visa) standard was introduced, most security experts believed it had solved the problems caused by easy-to-clone magnetic stripe cards.

EMV chip-equipped cards implement an extra layer of security that makes them more secure than magnetic stripe cards.

In reality, Chip-and-PIN cards are not that hard to defeat either, as a group of researchers from Rapid7 demonstrated at the Black Hat USA 2016 conference. The team showed how crooks could withdraw up to $50,000 in cash from an ATM in America in under 15 minutes.

Simple modifications to equipment would allow attackers to bypass the Chip-and-PIN protections, as explained in the paper published by the team and titled “Hacking Next-Gen ATMs: From Capture to Washout.”

The presentation was spectacular: the researchers demonstrated the hack live by forcing an ATM to spit out hundreds of dollars in cash.

In the first phase of the attack, fraudsters mount a small shimmer on the ATM card reader in order to carry out a man-in-the-middle (MITM) attack.

The shimmer is a skimming device for EMV cards: a Raspberry Pi-powered device that can be installed from outside the ATM, without access to the internals of the cash machine.

The shimmer sits between the card chip and the card reader in the ATM and records the data on the chip, including the PIN, when the ATM reads it. Once the data is captured, the device transmits it to the attackers. In the second half of the attack, fraudsters use a smartphone to receive the stolen card data and recreate the victim’s card at an ATM, instructing the machine to eject cash.

The data is remotely sent to another device, which researchers have dubbed “La-Cara.”

Equipment used for the hack (Source www.securityweek.com)

La-Cara, which can be assembled from about $2,000 worth of components, is placed on an ATM and emulates the presence of an EMV card inserted into the card slot. The data stolen by the shimmer is remotely sent to the La-Cara device, which instructs the ATM to withdraw money from the card.

“The modifications on the ATM are on the outside,” Tod Beardsley, a security research manager for Rapid7, told the BBC. 

“I don’t have to open it up. It’s really just a card that is capable of impersonating a chip. It’s not cloning.”

The device is easy to install: crooks can mount it quickly on the outside of the ATM, without access to the internals of the cash machine.

Note that the data EMV uses to authorize a transaction is dynamic, which means crooks can use it only for a very short period of time (e.g. up to one minute). Fraudsters therefore have to complete the operation within that window.

Researchers from Rapid7 have already reported the details of the hack to banks and major ATM manufacturers.

Pierluigi Paganini

(Security Affairs –  EMV cards, hacking)

The post How to withdraw up to $50,000 in cash from an ATM by using data stolen from EMV cards appeared first on Security Affairs.


Periscope Skimming, a new ATM threat spotted in the US

The Secret Service warns of periscope skimming probes; it is the first time law enforcement has discovered attacks against ATMs conducted with these devices.

The US Secret Service is warning banks and ATM vendors about a new ATM skimmer technology, the so-called ‘periscope skimming.’ The device consists of a skimming probe that crooks connect to the ATM’s internal circuit board in order to steal card data.

The popular cyber security expert Brian Krebs published images of the periscope skimmer; the photos show the wires protruding from the periscope.

As explained by Krebs, this is the first time periscope skimming has been spotted by law enforcement in the US. The police have already discovered two installations of periscope skimmers in the country: the first on August 19 in Greenwich, Connecticut, the second on September 3 in Pennsylvania.

“According to a non-public alert released to bank industry sources by a financial crimes task force in Connecticut, this is thought to be the first time periscope skimming devices have been detected in the United States.” wrote Brian Krebs in a blog post.

The new periscope skimmer is able to store up to 32,000 payment card numbers; once installed on the ATM, it has a battery autonomy of up to 14 days.

In both installations analyzed by law enforcement, the cyber criminals gained access to the inside of the cash machine (referred to as “top-hat” entry) by using a key, then installed two devices connected by wiring.

One of the devices is the periscope skimming probe, which is installed through a pre-existing hole in the frame of the motorized card reader. The probe connects to the pad on the circuit board.

The second device is the so-called “skimming control device,” which is directly connected to the skimming probe and contains the battery and the data storage unit.

“The probe is set in place to connect to the circuit board and directly onto the pad that transfers cardholder data stored on the magnetic stripe on the backs of customer payment cards. The probe is then held in place with fast-drying superglue to the card reader frame.” wrote Krebs.

“According to the Secret Service, the only visible part of this skimming device once the top-hat is opened will be the wire extending from the periscope probe that leads to the second part of this skimmer — called a “skimming control device.”

Authorities believe the periscope skimming probes recently discovered are just prototypes; in fact, they lack hidden cameras or other means of capturing bank customers’ PINs at the ATMs.

Krebs argues that the incidence of such skimming scams will not decrease as more banks adopt chip-based payment cards. Most banks and financial institutions will continue to rely on the magnetic stripe even on the new generation of cards, and it is likely that ATMs will continue to read the magnetic stripe to check that the card has been inserted correctly in the slot.

“The principal reason for this is to ensure that customers are putting the card into the slot correctly, as embossed letters and numbers running across odd spots in the card reader can take their toll on the machines over time. As long as the cardholder’s data remains stored on a chip card’s magnetic stripe, thieves will continue building and placing these types of skimmers.” explained Krebs.

How can such attacks be avoided?

Users should avoid ATMs that may be easier to access from the top-hat: prefer cash machines installed in the wall of a bank, and do not use ATMs located in unprotected places.

Pierluigi Paganini

(Security Affairs –  periscope skimming, ATM)

Indian Banks fear a security breach that affected up to 3.25 million cards

A number of Indian banks are adopting extraordinary measures fearing a security breach that could have exposed as many as 3.25 million debit cards.

A number of Indian banks are adopting extraordinary measures fearing a security breach that could have exposed as many as 3.25 million debit cards (0.5 percent of the nearly 700 million debit cards issued by banks in India).

“A slew of banks in India are replacing or asking their customers to change security codes of as many as 3.25 million debit cards due to fears that the card data may have been stolen in one of the country’s largest-ever cyber security incidents.” reported Reuters.

In September, customers of several banks reported fraudulent activity involving their debit cards to Visa, Mastercard, and RuPay (run by the National Payments Corp of India, NPCI). According to the NPCI chief, the fraudulent transactions spotted by customers were mostly observed in China and the United States.

A.P. Hota, NPCI Chief Executive, explained that one of the payment switch providers’ systems might have been compromised. Looking closely at the numbers behind this security breach, which involved some 90 ATMs, 2.65 million of the affected cards are on the Visa and MasterCard platforms.

Both Visa and Mastercard issued statements confirming that their networks had not been hacked and pledging their support for the ongoing investigation.

The switches are crucial components of the back-end network of a bank and are involved in ordinary ATM operations.

The card network providers have already reported the issue to the affected banks, which decided to replace customers’ cards as a preventive measure.

“Necessary corrective actions already have been taken and hence there is no reason for bank customers to panic.” said Hota, downplaying the problem.

According to Reuters, the NPCI did not disclose the name of the payment switch provider that was compromised; however, banking industry sources revealed that the company is the Hitachi Ltd subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd.

Yes Bank issued a statement confirming it is reviewing its security, but its experts haven’t found any anomaly.

The State Bank of India promptly blocked the debit cards of some customers and is now replacing those cards to prevent fraudulent activity.

Reuters provided further details about the possible impact on Indian bank customers:

“Complaints of fraudulent cash withdrawals affected a total 641 customers of 19 banks, and the money involved was 13 million rupees ($194,612), according to NPCI.” reported Reuters.

“ICICI Bank (ICBK.NS), HDFC Bank (HDBK.NS) and Axis Bank (AXBK.NS) – the top three private sector lenders – confirmed in separate statements some of their customers’ card accounts had been possibly breached after use at outside ATMs. The banks said they had advised the clients to change their PINs.”

“Standard Chartered’s (STAN.L) Indian unit has also begun to re-issue debit cards for some customers”

Pierluigi Paganini

(Security Affairs – Indian banks, security breach)

Crooks steal millions from European ATMs with jackpotting attacks

Criminal gangs like the Cobalt gang are now focusing their efforts on banks to steal cash directly from ATMs with jackpotting attacks.

Security experts are observing a change of tactics by the criminal organizations that target ATMs and online banking credentials. Crooks are now focusing their efforts on the banks themselves in an attempt to steal cash directly from ATMs.

In recent months, cyber criminals targeted ATMs in Taiwan and Thailand; in both cases, crooks used malware to infect the machines and instruct them to spit out cash on demand. The principal ATM manufacturers, Diebold Nixdorf and NCR Corp., confirmed they are aware of the ATM attacks and have already been working with their customers to mitigate the threat.

“We have been working actively with customers, including those who have been impacted, as well as developing proactive security solutions and strategies to help prevent and minimize the impact of these attacks,” said Owen Wild, NCR’s global marketing director for enterprise fraud and security.

This technique is known as ATM jackpotting; the FBI has warned U.S. banks of potential attacks.

The FBI confirmed in a bulletin earlier this month that it is “monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector.”

According to law enforcement, the malware used in the attacks could be a product of the Buhtrap ATM gang, which stole 1.8 billion rubles ($28 million) from Russian banks between August 2015 and January 2016.

The cyber security firm Group-IB, which investigated the string of ATM jackpotting attacks, confirmed that cyber criminals have remotely infected ATMs with malware in more than a dozen countries across Europe this year. The names of the targeted banks were not disclosed, but the researchers confirmed the victims were located in Armenia, Bulgaria, Estonia, Georgia, Belarus, Kyrgyzstan, Moldova, Spain, Poland, the Netherlands, Romania, the United Kingdom, Russia, and Malaysia.

According to Group-IB, crooks have been targeting ATMs for at least five years, but the recent wave of attacks mostly targeted small numbers of ATMs because criminals had to physically access the machines.

“To perform a logical attack, hackers access a bank’s local network, which is further used to gain total control over ATMs in their system. Cash machines are then remotely triggered to dispense money, allowing criminals to steal large amounts with relative ease. With full control over ATMs, criminals can choose the exact attack time to loot newly filled ATMs.” states the report from Group-IB. “This results in millions of dollars lost, as in the case of the First Bank. That said, such attacks do not require developing expensive advanced software – a significant amount of tools used by the hackers is widely available from public sources, as will be further covered later in this report.”

Group-IB attributed the attacks against the ATMs across Europe to a single criminal group, dubbed Cobalt.

The group launched spear phishing attacks with malicious attachments in order to infect systems in the target banks. The emails purported to come from the European Central Bank, the ATM maker Wincor Nixdorf, or other banks.

“Criminals send emails with attachments containing exploits and password-protected archives with executable files. In the attacks, phishing emails were sent from virtual servers, which had installed an anonymous mailing script “yaPosylalka v.2.0” (another name of the service is “alexusMailer v2.0”) developed by Russian-speaking cyber-criminals.” continues Group-IB.

The criminal gang uses Cobalt Strike, a legitimate penetration testing tool, and the Mimikatz tool to compromise domain and local accounts.

The researchers from Group-IB believe that the Cobalt gang is linked to Buhtrap:

“Group-IB specialists believe that just after the arrest of the Buhtrap group in May their botnet was sold to other criminals who are continuing its use to steal money from corporate accounts. That said, according to our analysis of Cobalt attacks on ATMs of Russian and European banks, the methods used by criminals to deliver phishing emails and obtain control over a domain controller are identical to those used by the Buhtrap group. Purportedly, at least a part of the Buhtrap group became Cobalt members, or more likely Buhtrap core members shifted their focus to attacks on ATMs.” explains Group-IB.

I suggest reading the Group-IB report on the Cobalt gang; it is full of details that are very useful for preventing such attacks.

Pierluigi Paganini

(Security Affairs – Cobalt gang, jackpotting attacks)

New Alice ATM Malware, a lightweight and efficient threat

Alice ATM malware is a new threat targeting ATMs, discovered by researchers at Trend Micro as part of a joint research project with Europol EC3.

Security experts from Trend Micro have discovered a strain of ATM malware, dubbed Alice, designed to empty the safes of the self-service machines.

The malware is very basic: it doesn’t implement data-stealing capabilities and cannot be controlled via the numeric keypad of the ATM.

Researchers first spotted the Alice ATM malware in November 2016 as part of a joint research project on ATM malware with Europol EC3, but they speculate it has been around since 2014.

When Alice was first spotted, researchers thought it was a new variant of the known ATM malware Padpin. Further investigation led to the discovery of a new family called Alice.

“Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered.” states the analysis published by Trend Micro. “Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information stealing features. It is meant solely to empty the safe of ATMs.”

According to the researchers, crooks need physical access to the ATM in order to empty its dispenser, a circumstance that suggests Alice was designed for money mules.

“The existence of a PIN code prior to money dispensing suggests that Alice is used only for in-person attacks. Neither does Alice have an elaborate install or uninstall mechanism – it works by merely running the executable in the appropriate environment,” the researchers say.

The Alice ATM malware can also be used via Remote Desktop Protocol (RDP), but researchers haven’t found evidence of such use.

When Alice is executed, it creates in the root directory an empty 5 MB+ file called xfs_supp.sys and an error log file called TRCERR.LOG. The first file is filled with zeros and doesn’t contain data; the second (TRCERR.LOG) is an error log used by the Alice malware. The log traces all XFS API calls and related messages/errors. This file remains on the machine even after the malware is removed, likely for future troubleshooting or simply because the malware authors forgot to remove it.

The researchers noticed that the malware only connects to the CurrencyDispenser1 peripheral and doesn’t include code to use the PIN pad; it was likely designed to let crooks with physical access to the ATM infect it via USB or CD-ROM.

“It only connects to the CurrencyDispenser1 peripheral and it never attempts to use the machine’s PIN pad. The logical conclusion is that the criminals behind Alice need to physically open the ATM and infect the machine via USB or CD-ROM, then connect a keyboard to the machine’s mainboard and operate the malware through it.” continues the analysis.

The Alice ATM malware is packed with a commercial, off-the-shelf packer/obfuscator called VMProtect. The malware implements a number of anti-analysis features: it refuses to run in environments that are not ATMs or under a debugger.

Alice supports the following three commands, each issued via a specific PIN:

  • Drop a file for uninstallation.
  • Exit the program and run the uninstallation/cleanup routine.
  • Open the “operator panel,” to see the amount of cash available in the ATM.

In the attack scenario, the money mule enters the ID of the cassette from which the ATM should dispense money. The dispense command is sent to the CurrencyDispenser1 peripheral via the WFSExecute API.

ATMs typically have a 40-banknote dispensing limit, which means crooks need to repeat the operation multiple times to dispense all the cash stored in the cassette.

Alice has no persistence mechanism; crooks manually replace the Windows Task Manager (taskmgr.exe) with Alice, so any command that would invoke the Task Manager instead invokes Alice.

The report also includes Indicators of Compromise; below are the SHA256 hashes of the malware:

  • 04F25013EB088D5E8A6E55BDB005C464123E6605897BD80AC245CE7CA12A7A70
  • B8063F1323A4AE8846163CC6E84A3B8A80463B25B9FF35D70A1C497509D48539
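A host check for the artefacts described above, written as an added example (not Trend Micro’s code): it looks for the zero-filled xfs_supp.sys, the TRCERR.LOG trace file, and a taskmgr.exe whose SHA256 matches one of the two published hashes. The files it lays out in a temporary directory are constructed for the dry run and are not real malware.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 hashes Trend Micro published for Alice (the two IoCs listed above).
ALICE_SHA256 = {
    "04f25013eb088d5e8a6e55bdb005c464123e6605897bd80ac245ce7ca12a7a70",
    "b8063f1323a4ae8846163cc6e84a3b8a80463b25b9ff35d70a1c497509d48539",
}

# The analysis describes xfs_supp.sys as an empty, zero-filled file of 5 MB or more.
XFS_SUPP_MIN_SIZE = 5 * 1024 * 1024
CHUNK = 1 << 16


def sha256_of(path: Path) -> str:
    """Stream a file through SHA256 without loading it whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_zero_filled(path: Path) -> bool:
    """True if every byte of the file is 0x00 (what Alice writes into xfs_supp.sys)."""
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def alice_indicators(root: Path, taskmgr: Path) -> dict:
    """Check one host for the three artefacts the analysis describes.

    root    -- directory Alice writes its files into (the drive root on a real ATM)
    taskmgr -- the Task Manager binary Alice is swapped in for
               (C:\\Windows\\System32\\taskmgr.exe on a real host)
    """
    findings = {
        "xfs_supp_zero_file": False,  # 5 MB+ file of zeros named xfs_supp.sys
        "trcerr_log": False,          # XFS trace/error log Alice leaves behind
        "taskmgr_hash_match": False,  # taskmgr.exe replaced by a known Alice sample
    }
    supp = root / "xfs_supp.sys"
    if supp.is_file() and supp.stat().st_size >= XFS_SUPP_MIN_SIZE and is_zero_filled(supp):
        findings["xfs_supp_zero_file"] = True
    if (root / "TRCERR.LOG").is_file():
        findings["trcerr_log"] = True
    if taskmgr.is_file() and sha256_of(taskmgr) in ALICE_SHA256:
        findings["taskmgr_hash_match"] = True
    # Any single artefact is worth a look; only the hash match is conclusive on its own.
    findings["suspicious"] = any(findings.values())
    return findings


def build_constructed_host(base: Path) -> tuple:
    """Constructed sample layout (not a real infection) for a dry run."""
    root = base / "root"
    root.mkdir()
    (root / "xfs_supp.sys").write_bytes(b"\x00" * (XFS_SUPP_MIN_SIZE + 1))
    (root / "TRCERR.LOG").write_text("constructed trace line: WFSExecute CurrencyDispenser1\n")
    system32 = base / "System32"
    system32.mkdir()
    taskmgr = system32 / "taskmgr.exe"
    taskmgr.write_bytes(b"MZ constructed stand-in, not the real Task Manager")
    return root, taskmgr


def demo() -> dict:
    """Run the check against the constructed layout in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root, taskmgr = build_constructed_host(Path(tmp))
        return alice_indicators(root, taskmgr)


def clean_demo() -> dict:
    """Same check against an empty directory, i.e. a host with none of the artefacts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        root.mkdir()
        return alice_indicators(root, root / "taskmgr.exe")


if __name__ == "__main__":
    print(demo())
    print(clean_demo())
```

On a real ATM image the hash check is the decisive one; the two file artefacts are what to look for when the binary has already been removed.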

Pierluigi Paganini

(Security Affairs – Alice ATM malware, cybercrime)

Ploutus-D, a new variant of Ploutus ATM malware spotted in the wild

Security experts from FireEye have spotted a new variant of the infamous Ploutus ATM malware that infected systems in Latin America.

Ploutus is one of the most sophisticated ATM malware families; it was first discovered in Mexico back in 2013. The threat allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or SMS messages sent to it.

Experts at FireEye Labs have recently discovered a new version of the Ploutus ATM malware, dubbed Ploutus-D, that works on KAL’s Kalignite multivendor ATM platform.

The experts observed Ploutus-D in attacks against ATMs from the vendor Diebold, but the most worrisome aspect is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Below are the improvements introduced in Ploutus-D:

  • It uses the Kalignite multivendor ATM Platform.
  • It can run on ATMs running Windows 10, Windows 8, Windows 7 and XP.
  • It is configured to control Diebold ATMs.
  • It has a different GUI.
  • It comes with a Launcher that attempts to identify and kill security monitoring processes to avoid detection.
  • It uses a stronger .NET obfuscator called Reactor.

The similarities between Ploutus and Ploutus-D are:

  • The main purpose is to empty the ATM without requiring an ATM card.
  • The attacker must interact with the malware using an external keyboard attached to the ATM.
  • An activation code is generated by the attacker, which expires after 24 hours.
  • Both were created in .NET.
  • Both can run as a Windows service or as a standalone application.

The technical analysis revealed that developers improved obfuscation of the code by switching from .NET Confuser to Reactor.

The malware adds itself to the “Userinit” registry value to gain persistence; the value is located at:

\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
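A check for the Userinit persistence just described, as an added example (not FireEye’s code or part of the Ploutus-D analysis): it parses the comma-separated Userinit value, which Windows launches entry by entry at logon, and flags anything other than the stock userinit.exe entry. The launcher path in the constructed sample is a placeholder, and reading the live value uses winreg, so that part only runs on Windows.

```python
import sys

# Canonical Userinit value on a stock Windows install: one entry with a trailing comma.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"


def parse_userinit(value: str) -> list:
    """Split the comma-separated Userinit value into cleaned path entries.

    Windows runs every entry in the list at logon, which is why appending a
    second path (the Ploutus-D Launcher) is enough to gain persistence.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip().strip('"')
        if item:
            entries.append(item)
    return entries


def userinit_findings(value: str, expected: str = EXPECTED_USERINIT) -> dict:
    """Classify a Userinit value: is userinit.exe still there, and what else was added?"""
    entries = parse_userinit(value)
    expected_norm = expected.lower()  # registry paths are case-insensitive
    legit = [e for e in entries if e.lower() == expected_norm]
    extra = [e for e in entries if e.lower() != expected_norm]
    return {
        "entries": entries,
        "userinit_present": bool(legit),
        "extra_entries": extra,
        # An appended entry and a replaced userinit.exe both deserve investigation.
        "suspicious": bool(extra) or not legit,
    }


def read_userinit_from_registry() -> str:
    """Read the live value on a Windows host (winreg exists only there)."""
    import winreg  # standard library module, Windows only
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed sample values. The second appends a hypothetical launcher path
# (placeholder, not a real Ploutus-D path); the third shows userinit.exe replaced outright.
CLEAN_VALUE = r"C:\Windows\system32\userinit.exe,"
APPENDED_VALUE = r"C:\Windows\system32\userinit.exe,C:\Temp\launcher_placeholder.exe,"
REPLACED_VALUE = r"C:\Temp\launcher_placeholder.exe,"


if __name__ == "__main__":
    live = read_userinit_from_registry() if sys.platform == "win32" else APPENDED_VALUE
    print(userinit_findings(live))
```

A stock image may legitimately point userinit.exe at a different system root; pass that path as `expected` rather than widening the match.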

The attacker interacts with the Launcher by connecting a keyboard to the ATM’s USB or PS/2 port, as illustrated in the following picture.

“Once the Launcher has been installed in the ATM, it will perform keyboard hooking in order to read the instructions from the attackers via the external keyboard. A combination of “F” keys will be used to request the action to execute” states the analysis.

The Launcher drops legitimate files onto the system, such as the KAL ATM software, along with Ploutus-D. This ensures that all the software and versions needed to run the malware are present in the same folder, avoiding dependency issues.

Ploutus-D could allow crooks to steal thousands of dollars in minutes, reducing the risk of being caught on CCTV while stealing the money.

“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes.” states the analysis published by FireEye. “A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

In order to install the malware, attackers likely need access to the targeted ATM’s software. The experts also speculate the crooks could buy physical ATMs from authorized resellers, which come preloaded with vendor software, or, in the worst case, steal the ATMs directly from a bank.

The analysis includes the main differences from previous versions and Indicators of Compromise (IOCs) to use for identifying the threat.

Pierluigi Paganini

(Security Affairs – Ploutus-D, ATM hacking)

Europol coordinated operation against international cybercrime ring

Five members of an international cybercrime gang have been arrested as a result of an investigation coordinated by Europol.

A joint operation conducted by Europol and Asian law enforcement led to the arrest of five members of an international organised cybercrime gang focused on cyber attacks on ATMs; three of them have been convicted.

It has been estimated that the group caused the banks around EUR 3 million in losses.

One arrest has been made by the Romanian National Police, three arrests by the Taiwanese Criminal Investigation Bureau and one arrest by the Belarusian Central Office of the Investigative Committee.

The crime organization recruited members online; most of them were citizens of more than one country, a strategic choice that gave the gang support in different countries and facilitated the travel of its members.

Crooks launched spear-phishing attacks aiming to distribute malware that compromised the internal networks of the banks and gave them control over the network of ATMs.

According to the Europol official announcement, the modus operandi employed was very complex and involved:

  • spear-phishing emails with attachments containing malicious programmes,
  • penetration of the banks’ internal networks,
  • compromising and controlling the network of ATMs,
  • special computer programmes which deleted most of the traces of the criminal activity, etc.

The criminals were also able to use the software to delete almost all traces of their activity.

Members of the organised crime gang were recruited online, with most members being citizens of more than one country, something which helped them travel across the globe.

Europol played a pivotal role in the success of the international law enforcement operation.

“The majority of cybercrimes have an international dimension, taking into account the origins of suspects and places where crimes are committed. Only through a coordinated approach at the global level between law enforcement agencies can we successfully track down the criminal networks behind such large-scale frauds and bring them to justice,” says Steve Wilson, Head of Europol’s European Cybercrime Centre (EC3).

Pierluigi Paganini

(Security Affairs – Europol, cybercrime)

ATMitch – Crooks stole $800,000 from 8 ATMs in Russia using Fileless Malware

According to Kaspersky Lab, crooks have robbed at least 8 ATMs in Russia, stealing $800,000 in just one night using a fileless malware dubbed ATMitch.

According to experts at Kaspersky, hackers have robbed at least 8 ATMs in Russia, stealing $800,000 in just one night.

The cyber heist caught the attention of security experts who, analyzing the CCTV footage, noticed a man walking up to the ATM and collecting cash apparently without interacting with the machine.

Security teams at the affected banks haven’t found any evidence of malware or any sign of intrusion. Just one of the targeted banks reported discovering two files containing malware logs on the ATM.

The experts have discovered the following strings in the log files:

  • “Take the Money Bitch!”
  • “Dispense Success.”

In February, malware researchers at Kaspersky Lab reported that crooks had hit over 140 enterprises, including banks, telecoms, and government organizations in 40 countries. The cybercriminals leveraged ‘fileless malware.’

Malicious code is injected directly into the memory of the infected machine, and the malware executes in the system’s RAM.

“A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers.” reads the analysis published by Kaspersky.

The attack was first spotted by a bank’s security team that discovered a copy of the Meterpreter code, an in-memory component of the Metasploit framework, in the physical memory of a Microsoft domain controller (DC).

The experts at Kaspersky Lab track the threats as MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. The malware leverages PowerShell scripts stored in the Windows registry to load the Meterpreter code directly into memory; similar techniques leveraging PowerShell have already been adopted by other malware in the wild.

Malware researchers believe that the hackers who targeted the banks carried out the attacks with fileless malware.

During the recent Kaspersky Security Analyst Summit held in St. Maarten, security researchers Sergey Golovanov and Igor Soumenkov provided further details about their investigation on the ATM hacks against two Russian banks.

Experts track the malware as ATMitch; it was first spotted in Russia and Kazakhstan, and the malicious code is remotely installed and executed on ATMs via remote administration access.

“The malware, which we have dubbed ATMitch, is fairly straightforward. Once remotely installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for the “command.txt” file that should be located in the same directory as the malware and created by the attacker.” reads the analysis from Kaspersky.

The attackers connect to the ATM via an SSH tunnel, install the malicious code and use it to instruct the ATM to dispense cash.

Since fileless malware leverages the legitimate tools already on the machine to remotely send the command to dispense money, the operation is very quick: a few seconds are enough to empty the ATM without leaving traces.

“The malware uses the standard XFS library to control the ATM. It should be noted that it works on every ATM that supports the XFS library (which is the vast majority).” states Kaspersky.

The experts highlighted that attackers used a sophisticated method to compromise the bank network and access the ATM’s back-end panel.

To avoid triggering the alarm, attackers physically accessed the ATM by drilling a golf-ball-sized hole in the front panel. The hole gives access to the cash dispenser panel through its serial distributed control wire (SDC, RS485 standard).

Kaspersky experts explained that the technique was discovered after the police arrested a man dressed as a construction worker while he was drilling into an ATM.

Malware researchers warn ATM manufacturers and banks that crooks across Russia and Europe have already used the ATM drill attack in cyber heists.

Researchers did not attribute these ATM hacks to a specific criminal gang; however, they noticed that the source code used in the attacks contains references to the Russian language.

Kaspersky has discovered many similarities with techniques used by the Carbanak and GCMAN cyber gangs.

Pierluigi Paganini

(Security Affairs – Fileless malware, banks)

Crooks used Infrared insert skimmers in a recent wave of ATM attacks

The number of cyber attacks against ATMs involving so-called ‘insert skimmers’ is increasing. Brian Krebs wrote about recent attacks using infrared devices.

The number of cyber attacks against ATMs involving so-called ‘insert skimmers’ is increasing. Insert skimmers are wafer-thin fraud devices designed to fit invisibly inside the ATM card slot.

Insert skimmers capture card data and store it on an embedded flash memory.

The popular cyber security expert Brian Krebs reported that in some cases the insert skimmers are also able to transmit the stolen card data wirelessly via infrared.

Infrared is a short-range communication technology; we use it every day when changing channel with a television remote control.

Krebs cited a case that happened a few weeks ago in the Oklahoma City metropolitan area, where at least four banks were victims of ATM attacks involving insert skimmers.

The KFOR news channel quoted a local police detective saying “the skimmer contains an antenna which transmits your card information to a tiny camera hidden somewhere outside the ATM.”

An insert skimmer retrieved from a compromised cash machine in Oklahoma City. Image: KrebsOnSecurity.com.

Krebs confirmed that financial industry sources told him that preliminary analysis of the insert skimmers used in the ATM attacks confirms they were equipped with technology to transmit the stolen card data wirelessly to the hidden camera using infrared.

The insert skimmers used to compromise cash machines in Oklahoma City were paired with a hidden camera that recorded time-stamped videos of ATM users entering their PINs and received the card data recorded and transmitted by the insert skimmer.

This design reduces the maintenance the crooks have to perform on the skimmers: when the internal battery needs replacing, for example, they can leave the device in the ATM slot and simply swap out the hidden camera.

The skimmers are optimized to preserve battery; according to Krebs, the insert skimmer’s embedded battery is switched on only when someone inserts a card into the ATM slot.

To keep the spy cameras hidden, crooks place them behind tiny pinholes cut into false fascias that they install above or beside the PIN pad.

“Thieves involved in skimming attacks have hidden spy cameras in some pretty ingenious places, such as a brochure rack to the side of the cash machine or a safety mirror affixed above the cash machine (some ATMs legitimately place these mirrors so that customers will be alerted if someone is standing behind them at the machine).” wrote Krebs.

“More often than not, however, hidden cameras are placed behind tiny pinholes cut into false fascias that thieves install directly above or beside the PIN pad. Unfortunately, I don’t have a picture of a hidden camera used in the recent Oklahoma City insert skimming attacks.”

Cover the PIN pad with your hand when you enter your PIN: the hidden camera will not be able to record it. Krebs also warns of non-video methods for obtaining the PIN (such as PIN pad overlays), but he explains that these devices are rare and more expensive for fraudsters.

If you want more information about skimmer devices, check out Brian Krebs’s series All About Skimmers.

Pierluigi Paganini

(Security Affairs – insert skimmers, cybercrime)


Experts found critical flaws in Diebold Opteva ATM that allow to vend notes from the machine


Experts at the US firm IOActive have discovered a critical physical and authentication bypass vulnerability in the Diebold Opteva ATM.

The researchers have found two vulnerabilities in the Diebold Opteva ATM machines with the AFD platform that could be chained to allow an unauthorized user to vend notes from the device.

“IOActive has discovered two vulnerabilities in Opteva ATMs with the AFD platform that, when combined, may allow an unauthorized user to vend notes from the device.” reads the advisory.

The Diebold Opteva line of ATMs with the AFD platform is composed of an upper cabinet for the operating system and a lower cabinet for the safe, each with its own authentication requirements.

Chaining the vulnerabilities allows an attacker to bypass both authentication mechanisms and take control of the Diebold Opteva ATM.

In the attack scenario presented by IOActive, the researchers physically accessed the internal computer by inserting a metal rod through a speaker hole on the front of the ATM, lifting a metal locking bar and gaining access to the upper cabinet of the Diebold Opteva ATM that contains the computer. Once inside, the researchers removed the USB connection from the Windows host and gained a direct line of communication to the AFD controller for the safe.

At this point, the hackers triggered the second flaw to get to the money.

The experts reverse engineered the AFD’s protocol and firmware and were able to gain access to the contents of the safe without authenticating.

“Using the USB that connects the AFD to the computer in the upper cabinet, the team was able to initiate two-way communication. This would normally require a shared encryption key and a device identifier; however, the team was able to complete the authentication protocol unencrypted and set up communications without properly authenticating. This allowed the team to act as an authenticated user and gain access to the contents of the safe.” continues the analysis. “The protocol does not require any device specific knowledge to carry out the attack. This would imply that an attacker with access to one device could reverse engineer enough of the controller protocol to effectively bypass authentication and vend notes from any other device that uses an AFD as long as the vulnerability remains unpatched.”
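The property the advisory says was missing is that the safe-side controller should accept a session only when the handshake proves knowledge of a key specific to that device. The following is an added, constructed illustration of such a keyed challenge-response, not IOActive’s code and not Diebold’s AFD protocol; the `SafeController` class, the `AFD-0001` identifier and the per-device keys are assumptions made for the example.

```python
"""Keyed challenge-response for a vend channel.

Added, constructed example: not IOActive's code and not Diebold's AFD protocol.
It shows the property the advisory says was missing: a controller that will only
accept a session whose handshake proves knowledge of this device's key.
"""
import hashlib
import hmac
import os


def host_response(device_key: bytes, nonce: bytes, device_id: bytes) -> bytes:
    """What a legitimate upper-cabinet host computes for the controller's challenge."""
    return hmac.new(device_key, nonce + device_id, hashlib.sha256).digest()


class SafeController:
    """Toy safe-side controller (assumption: one secret key per device)."""

    def __init__(self, device_id: bytes, device_key: bytes):
        self.device_id = device_id
        self._key = device_key
        self._nonce = None
        self.authenticated = False
        self.vend_log = []

    def challenge(self) -> bytes:
        """Start a new session; any earlier authentication is discarded."""
        self._nonce = os.urandom(16)
        self.authenticated = False
        return self._nonce

    def authenticate(self, claimed_id: bytes, response: bytes) -> bool:
        """Accept only an HMAC over the current nonce under this device's key."""
        if self._nonce is None or claimed_id != self.device_id:
            return False
        expected = hmac.new(self._key, self._nonce + claimed_id, hashlib.sha256).digest()
        self.authenticated = hmac.compare_digest(expected, response)
        self._nonce = None          # single use: the same response cannot be replayed
        return self.authenticated

    def vend(self, notes: int) -> bool:
        """Dispense only inside an authenticated session."""
        if not self.authenticated:
            return False
        self.vend_log.append(notes)
        return True


def demo() -> dict:
    """Run the four cases a reviewer of such a protocol would check."""
    key_a = b"constructed-per-device-key-A"
    key_b = b"constructed-per-device-key-B"   # key of some other device
    ctrl = SafeController(b"AFD-0001", key_a)
    results = {}

    # 1. vend command sent with no handshake at all
    results["no_handshake"] = ctrl.vend(10)

    # 2. host knows the protocol (learned from another device) but not this key
    nonce = ctrl.challenge()
    ctrl.authenticate(b"AFD-0001", host_response(key_b, nonce, b"AFD-0001"))
    results["wrong_key"] = ctrl.vend(10)

    # 3. legitimate host holding this device's key
    nonce = ctrl.challenge()
    good = host_response(key_a, nonce, b"AFD-0001")
    ctrl.authenticate(b"AFD-0001", good)
    results["right_key"] = ctrl.vend(10)

    # 4. replay of the previously valid response against a fresh challenge
    ctrl.challenge()
    ctrl.authenticate(b"AFD-0001", good)
    results["replay"] = ctrl.vend(10)

    results["notes_vended"] = sum(ctrl.vend_log)
    return results


if __name__ == "__main__":
    print(demo())
```

Only case 3 dispenses: knowledge of the protocol alone (case 2) is not enough, which is exactly the device-specific requirement the advisory says the real controller did not enforce.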

IOActive reported the issue to Diebold in February 2016. More than a year later, in May 2017, Diebold responded: “[your]..system is very old (2008/2009 vintage) and is unpatched;”

IOActive asked whether retesting a recent, supported version would be possible, but received no reply.

Finally, on July 26, 2017, IOActive opted for public disclosure.

Unfortunately, it is still unclear whether the ATMs have been patched, or whether newer firmware versions are still vulnerable.

Pierluigi Paganini

(Security Affairs – Diebold Opteva ATM, hacking)


FICO reports a 39 Percent Rise in Debit Cards Compromised in US


The analytic software firm FICO reports a 39 percent rise in debit cards compromised at ATMs and merchants in the United States.

According to a report published by the analytic software firm FICO, the number of US debit cards compromised rose 39% in the first six months of 2017 compared to the same period one year earlier.

In the same period, FICO reported a 21% increase in the number of compromised ATMs and point-of-sale devices in the US.

One year ago, FICO reported a 30 percent increase in compromised devices for 2016, compared to 2015, and a 70 percent rise in cards compromised for that period. These figures are related to payment card fraud occurring at physical devices, not online card fraud.

FICO’s Card Alert Service monitors hundreds of thousands of ATMs and card readers in the US, and it confirms that the rate of fraud pattern changes has accelerated in the last 24 months.

FICO helps financial institutions identify fraud patterns and trends and take the necessary actions to halt card fraud.

“The rate of fraud pattern changes has accelerated in the last 24 months, requiring us to continuously adapt our predictive analytics to stay on top of this criminal behavior,” said TJ Horan, vice president and head of FICO’s fraud solutions. “We have introduced new AI technology into our FICO Falcon Fraud Manager platform, which protects most of the payment cards in the U.S.”

Below is the list of recommendations provided by FICO:

  • If an ATM looks odd, or your card doesn’t enter the machine smoothly, consider going somewhere else for your cash.
  • Never approach an ATM if anyone is lingering nearby. Never engage in conversations with others around an ATM. Remain in your automobile until other ATM users have left the ATM.
  • If your plastic card is captured inside of an ATM, call your card issuer immediately to report it. Sometimes you may think that your card was captured by the ATM when in reality it was later retrieved by a criminal who staged its capture. Either way, you will need to arrange for a replacement card as soon as possible.
  • Ask your card issuer for a new card number if you suspect that your payment card may have been compromised at a merchant, restaurant or ATM. It’s important to change both your card number and your PIN whenever you experience a potential theft of your personal information.
  • Check your card transactions frequently, using online banking and your monthly statement.
  • Ask your card provider if they offer account alert technology that will deliver SMS text communications or emails to you in the event that fraudulent activity is suspected on your payment card.
  • Update your address and cell phone information for every card you have, so that you can be reached if there is ever a critical situation that requires your immediate attention.

Pierluigi Paganini

(Security Affairs – FICO, card compromised)


Europol report – Cyber attacks against ATM networks on the rise


Cyber criminals are targeting ATM machines through the banks’ networks; the operations involve squads of money mules for the cashout.

Europe’s policing agency warns of a rise in cyber attacks against ATM machines. Criminal organizations are targeting ATM machines through the banks’ networks, and the operations involve squads of money mules for the cashout.

“The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately,” said Steven Wilson, head of Europol’s EC3 cyber crime centre.

In the past, attacks against ATM machines mainly involved physical skimming devices or malware installed through USB sticks or CDs in jackpotting attacks, but the current trend consists of targeting bank networks.

“The criminals have realized that not only can ATMs be physically attacked, but it is also very possible for these machines to be accessed through the network.
Once cybercriminals manage to install malware and get hold of the network, they can go ahead and steal cash from the machines.” states the report published by Europol.
“Cybercriminals who compromise networks have the same end goal as those who carry out attacks via physical access: to dispense cash. However, instead of manually installing malware on ATMs through USB or CD, the criminals would not need to go to the machines anymore. They have standby money mules that would pick up the cash and go.”

Crooks target bank employees with spear-phishing messages carrying malware that, once executed, allows the attackers to compromise the targeted network.

Once inside the bank network, the hackers gain control of the ATMs and instruct them to dispense the money in the presence of the money mules.

“They have standby money mules that would pick up the cash and go.
It could be that these are regular criminal groups that already had access to the bank’s network and eventually realized that they could hop onto the ATM network.” continues the report.

“Europol warned that incidents of ATM targeting are likely to rise in the future.”

Europol suggests the adoption of new measures to protect ATM networks.

“In the past, banks might have thought that network segregation was enough to keep their ATM networks safe from cyber crooks. This is no longer the case. Law enforcement agencies should be well-informed that criminals have ATMs firmly in their crosshairs, and financial organizations need to take more steps to secure their ATM installations by deploying more security layers.” continues the report.

In addition to the public report, Europol also provided a private report with details to help financial institutions improve the security of their ATM networks.

Pierluigi Paganini

(Security Affairs – ATM, Cybercrime)


Kaspersky spotted ATMii, a new strain of ATM malware


Security researchers from Kaspersky Lab have discovered a new strain of ATM malware dubbed ATMii that could be used to empty an ATM.

Security researchers from Kaspersky Lab have discovered a new strain of ATM malware dubbed ATMii. The ATMii malware was discovered in April this year, it implements an injector module (exe.exe) and the module to be injected (dll.dll). Crooks can use ATMii to drain available cash from targeted machines.

Cyber criminals need direct access to a target ATM, either physically or over the network, to install the malicious code.

The injector is an unprotected command-line application written in Visual C, with a fake compilation timestamp dating back four years.

The malicious code works on Windows XP and later, the operating systems most ATMs run.

According to the analysis, the injector is poorly written; it targets the proprietary ATM software process atmapp.exe.

“The injector, which targets the atmapp.exe (proprietary ATM software) process, is fairly poorly written, since it depends on several parameters. If none are given, the application catches an exception.” reads the analysis.

The supported parameters include:

  • /load, which attempts to inject dll.dll into atmapp.exe.
  • /cmd, which creates or updates the C:\ATM\c.ini file to pass commands and parameters to the injected library.
  • /unload, which tries to unload the injected library from the atmapp.exe process while restoring its state.

The available commands allow the operator to dispense a desired amount of cash, retrieve information about the ATM cash cassettes, and completely remove the C:\ATM\c.ini file from the ATM.

Once injected, in its DllMain function the dll.dll library loads msxfs.dll and replaces the WFSGetInfo function with its own mWFSGetInfo function.

The injected module attempts to find the ATM’s CASH_UNIT service id and stores the result.

If successful, all subsequent calls are redirected to the mWFSGetInfo function, which parses and executes the commands from the C:\ATM\c.ini file.

“ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control.” concluded Kaspersky.

“The first measure prevents criminals from running their own code on the ATM’s internal PC, while the second measure will prevent them from connecting new devices, such as USB sticks,
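The three indicators Kaspersky describes (a foreign library inside atmapp.exe, the XFS export WFSGetInfo redirected out of msxfs.dll, and the C:\ATM\c.ini command file) can be checked from the host side. The following is an added, constructed example, not Kaspersky’s code: the snapshot format (process module lists with base and size, plus the addresses XFS exports resolve to), the module allowlist and the sample addresses are assumptions standing in for what an EDR agent or a process-inspection tool would collect on the ATM’s internal PC.

```python
"""Host-side checks for the ATMii indicators described above.

Added, constructed example: not Kaspersky's code. The snapshot format
(process module lists with base/size and resolved XFS export addresses)
is an assumption standing in for what an EDR agent or a process-inspection
tool would collect on the ATM's internal PC.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ATM_PROCESS = "atmapp.exe"           # proprietary ATM software process targeted by the injector
COMMAND_FILE = r"C:\ATM\c.ini"       # file the /cmd parameter creates to pass commands to dll.dll
# Assumed allowlist of modules expected inside atmapp.exe (a real one would be
# built from a known-good image of the ATM software).
EXPECTED_MODULES = {"atmapp.exe", "ntdll.dll", "kernel32.dll", "msxfs.dll"}


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Process:
    name: str
    pid: int
    modules: List[Module]
    # Addresses that calls to XFS exports actually resolve to inside the process.
    xfs_exports: Dict[str, int]


def unexpected_modules(proc: Process) -> List[str]:
    """Modules loaded into the ATM process that are not on the allowlist (e.g. dll.dll)."""
    return sorted(m.name.lower() for m in proc.modules
                  if m.name.lower() not in EXPECTED_MODULES)


def hooked_exports(proc: Process) -> List[Tuple[str, str]]:
    """XFS exports whose resolved address lies outside msxfs.dll's image.

    ATMii replaces WFSGetInfo with mWFSGetInfo; after that, the address the
    process calls for WFSGetInfo belongs to the injected library, not msxfs.dll.
    """
    msxfs = next((m for m in proc.modules if m.name.lower() == "msxfs.dll"), None)
    if msxfs is None:
        return []
    hooked = []
    for export, addr in proc.xfs_exports.items():
        if not msxfs.contains(addr):
            owner = next((m.name for m in proc.modules if m.contains(addr)), "unknown")
            hooked.append((export, owner))
    return hooked


def scan_atm_host(processes: List[Process], files: List[str]) -> List[str]:
    """Return human-readable findings for the three ATMii indicators."""
    findings = []
    if any(f.lower() == COMMAND_FILE.lower() for f in files):
        findings.append(f"command file present: {COMMAND_FILE}")
    for proc in processes:
        if proc.name.lower() != ATM_PROCESS:
            continue
        for mod in unexpected_modules(proc):
            findings.append(f"pid {proc.pid}: unexpected module {mod} inside {proc.name}")
        for export, owner in hooked_exports(proc):
            findings.append(f"pid {proc.pid}: {export} resolves into {owner}, not msxfs.dll")
    return findings


def build_sample_snapshot(compromised: bool) -> Tuple[List[Process], List[str]]:
    """Constructed snapshots: a clean host and one showing all three indicators."""
    msxfs = Module("msxfs.dll", 0x10000000, 0x20000)
    modules = [Module("atmapp.exe", 0x00400000, 0x100000),
               Module("ntdll.dll", 0x7c900000, 0xb0000),
               Module("kernel32.dll", 0x7c800000, 0xf4000),
               msxfs]
    exports = {"WFSGetInfo": 0x10004560}          # inside msxfs.dll
    files = [r"C:\ATM\atmapp.exe"]
    if compromised:
        modules.append(Module("dll.dll", 0x6a000000, 0x8000))
        exports["WFSGetInfo"] = 0x6a001230         # now points into dll.dll
        files.append(r"C:\ATM\c.ini")
    return [Process("atmapp.exe", 1234, modules, exports)], files


if __name__ == "__main__":
    for line in scan_atm_host(*build_sample_snapshot(compromised=True)):
        print(line)
```

The export check is the one that survives renaming: even if the injected library is not called dll.dll and the command file is deleted with the removal command, a WFSGetInfo address that falls outside msxfs.dll’s image still reveals the redirection. On a real deployment the allowlist and the command-file path would be part of the default-deny policy Kaspersky recommends.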

Pierluigi Paganini

(Security Affairs – ATMii malware, banking)


Europol and law enforcement agencies dismantled a criminal ring specialized in ATM attacks and payment Card Fraud


Law enforcement agencies have dismantled a criminal ring and arrested four key members responsible for ATM attacks and illegal transactions.

European law enforcement agencies announced the success of an operation called “Neptune” that dismantled a criminal ring and led to the arrest of four key members responsible for stealing payment card data and performing illegal transactions.

The investigation, supported by Europol, involved law enforcement agencies in Italy, Bulgaria, and the Czech Republic.

“The operation run by the Italian Carabinieri, in cooperation with the Bulgarian General Directorate of Combating Organised Crime, and the National Police of Czech Republic, supported by Europol’s European Cybercrime Centre (EC3) culminated today with the arrest of four Bulgarian citizens.” states the press release published by Europol.

“The leaders of the transnational criminal group actively supervised all stages of criminal activities, including placing technical equipment on ATMs in the central areas of European cities, producing counterfeit credit cards and subsequently cashing out money from ATMs in non-European countries, for example Belize, Indonesia and Jamaica.”

The four criminals, all Bulgarian citizens, were arrested on November 30, 2017.

The crooks targeted ATMs in central areas of European cities to steal card data by placing skimmers and hidden cameras. The stolen data were used to clone the cards, and the counterfeit cards were then used to cash out money from ATMs in non-European countries, including Belize, Indonesia and Jamaica.

Investigators identified dozens of ATMs that have been compromised by the crooks.

Law enforcement seized more than 1,000 counterfeit credit cards and collected evidence of many fraudulent international transactions worth more than EUR 50,000.

“The coordination and exchange of intelligence has been supported by the Joint Cybercrime Action Taskforce (J-CAT) set up at Europol. Since most of the illegal transactions with counterfeit cards took place overseas, the cooperation through dedicated investigative networks set up by Europol has been instrumental.” continues the press release.

In September, a report published by Europol warned of a rise in cyber attacks against ATM machines: criminal organizations are targeting ATM machines through the banks’ networks, and the operations involve squads of money mules for the cashout.

Earlier this week, Europol shared the results of the European Money Mule Action ‘EMMA3’, a global law enforcement operation against money muling. The operation resulted in 159 arrests, 409 suspects interviewed, and 766 money mules and 59 money mule organizers identified.

Pierluigi Paganini

(Security Affairs – cybercrime, ATM skimming)


MoneyTaker group: Group-IB uncovered a cyber gang attacking banks in the USA and Russia


Group-IB spotted the operations of a Russian-speaking cyber gang tracked as MoneyTaker group that stole as much as $10 million from US and Russian banks.

Researchers from security firm Group-IB have spotted the operations of a Russian-speaking cyber gang tracked as MoneyTaker that has stolen as much as $10 million from U.S. and Russian banks in the last 18 months.

According to the experts, in less than two years the MoneyTaker group conducted over 20 successful attacks on financial institutions and law firms in the USA, UK, and Russia.

The average amount of money stolen from U.S. banks was about $500,000; the hackers also stole over $3 million from three Russian lenders.

The group was primarily focused on card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Experts believe that financial institutions in LATAM could be particularly exposed due to their use of the STAR system.

The MoneyTaker group also targeted law firms and financial software vendors. Group-IB has confirmed that 20 companies were successfully hacked, with 16 attacks on US organizations, 3 attacks on Russian banks and 1 in the UK.

The researchers highlighted that the group remained under the radar by constantly changing their tools and switching tactics to evade detection.

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” explains Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence. “In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations”.

Group-IB first noticed the MoneyTaker group in 2016 when the hackers stole funds from a US bank by gaining access to First Data’s “STAR” network operator portal.

“In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a bank in the UK and 2 attacks on Russian banks. Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB.” reported the security firm.

“In 2017, the number of attacks has remained the same with 8 US banks, 1 law firm and 1 bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.”

The researchers at Group-IB discovered many similarities between the 20 incidents throughout 2016 and 2017: the hackers used the same tools and shared the attack infrastructure. The attack infrastructure is complex and delivered payloads only to victims with IP addresses in the group’s whitelist.

To evade detection, MoneyTaker employs SSL certificates generated using names of well-known brands such as Bank of America, Federal Reserve Bank, Microsoft, and Yahoo.

A look at the MoneyTaker arsenal reveals that the hackers use both borrowed and custom tools; in one case they developed a keylogger that is also able to take ‘screenshots’ of the infected system.

The group’s arsenal also includes ‘fileless’ malware whose persistence on infected systems is achieved using PowerShell and VBS scripts.

Experts observed the hackers using privilege escalation tools built from code presented at the Russian cybersecurity conference ZeroNights 2016. The group also used popular banking Trojans such as Citadel and Kronos in their attacks.

The Kronos malware was used to deliver the ScanPOS Point-of-Sale (POS) malware.

In an attack on a Russian bank through the AWS CBR, the MoneyTaker group used a tool called MoneyTaker v5.0 that has a modular structure and performs the following actions:

  • searches for payment orders and modifies them;
  • replaces original payment details with fraudulent ones;
  • erases traces.

Even after the attacks, the MoneyTaker group continues to spy on its victims: the group continuously exfiltrates internal banking documentation (admin guides, internal regulations and instructions, change request forms, transaction logs) to learn about bank operations in preparation for future attacks.

Experts from Group-IB also discovered that MoneyTaker uses a pentest framework server and leverages Metasploit for the attacks.

“After successfully infecting one of the computers and gaining initial access to the system, the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network.” continues the firm.

Group-IB has already shared the findings of its investigation with Europol and Interpol.

The full report is available on the Group-IB website.

Pierluigi Paganini

(Security Affairs – MoneyTaker group, cybercrime)



Smart Shield Detector allows thieves to discover if the ATM is protected by anti-skimming technology


Crooks are now using a small, battery-powered device dubbed Smart Shield Detector that is able to detect the digital anti-skimming technology used by ATMs.

ATM skimmers are widely adopted by crooks to steal payment card data; in recent months, experts observed an increase in the number of cyber attacks against ATMs involving so-called ‘insert skimmers.’

In response, financial institutions are adopting a variety of technological measures designed to defeat skimming devices, but crooks are now using a small, battery-powered device that is able to detect digital anti-skimming technology.

According to the popular investigator Brian Krebs, a well-known skimmer thief is marketing a product called ‘Smart Shield Detector’ claiming that this device is able to detect a variety of anti-skimming technology used by financial institutions.

“The device, which sells for $200, is called a ‘Smart Shield Detector,’ and promises to detect “all kinds of noise shields, hidden shields, delayed shields and others!”” wrote Krebs.

“It appears to be a relatively simple machine that gives a digital numeric indicator of whether an ATM uses any of a variety of anti-skimming methods.”

The device is able to determine whether an ATM uses an anti-skimming method such as “frequency jamming,” which relies on electronic signals to scramble both the clock (timing) and the card data itself in a bid to interfere with skimming devices.

“You will see current level within seconds!,” says the seller in an online ad for the Smart Shield Detector. “Available for sale after November 1st, market price 200usd. Preorders available at price 150usd/device. 2+ devices for your team – will give discounts.”

As you can see in the following video, a low reading (a score between 3 and 5) means that the ATM isn’t protected by any anti-skimmer shield, while a readout of 15 or higher indicates the presence of some type of electronic shield or jamming technology.

The following video was shared with Krebs by Alex Holden, founder of Hold Security.

The Smart Shield Detector is a valuable instrument for thieves, who can use it to avoid attacking protected ATMs.

“KrebsOnSecurity shared this video with Charlie Harrow, solutions manager for ATM maker NCR Corp. Harrow called the device “very interesting” but said NCR doesn’t try to hide which of its ATM include anti-skimming technologies — such as those that claim to be detectable by the Smart Shield Detector.” continues Krebs.

“The bad guys are skilled, resourced and determined enough that sooner or later they will figure out exactly what we have done, so the ATM has to be safe against a knowledgeable attacker,” Harrow said. “That said, a little secret sauce doesn’t hurt, and can often be very effective in stopping specific attack [methods] in the short term, but it can’t be relied on to provide any long term protection.”

A good habit for bank customers using an ATM is to cover the PIN pad with your hand while entering your PIN; this precaution is effective against the majority of attacks, in which crooks use a skimmer and a tiny hidden camera to read the PIN as customers enter it.

Users can also check for a fake keypad placed over the top of the genuine keypad of an ATM as a means of stealing card data.

Another recommendation is to avoid using ATMs located outside banks in uncontrolled places, and to be aware of your physical surroundings while using an ATM; you’re probably more apt to get mugged physically than virtually at a cash machine. Finally, try to stick to cash machines that are physically installed inside banks, as these tend to be much more challenging for thieves to compromise than stand-alone machines like those commonly found at convenience stores.

If you are interested in skimming activity, have a look at Krebs’s material on skimming scams (All About Skimmers).

Pierluigi Paganini

(Security Affairs – skimmers, Smart Shield Detector)


Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US


Cybercriminals are targeting ATM machines in the US, forcing them to spit out hundreds of dollars with ‘jackpotting’ attacks.

According to a senior US Secret Service official, the criminal organization has managed to steal more than $1m from ATM machines using this technique.

Once crooks gain physical access to the ATM, they infect it with malware or specialized electronics designed to instruct the machine to deliver money in response to specific commands.

The jackpotting technique was first proposed by white hat hacker Barnaby Jack in 2010.

The popular investigator Brian Krebs obtained an alert issued this month by ATM manufacturer Diebold Nixdorf, in which the company warns of an ongoing campaign conducted by a gang in the US.

“On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.” wrote Krebs.

“On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.”

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The crooks are infecting the ATM with the Ploutus-D malware, the vendor warns that Opteva 500 and 700 series machines are particularly vulnerable to these attacks.

These attacks are the first confirmed cases of jackpotting attacks against ATMs in the US. Jackpotting attacks had already been reported in Europe: in May, 27 people were arrested by Europol for jackpotting attacks on ATMs across many European countries.

Ploutus is one of the most sophisticated ATM malware families and was first discovered in Mexico back in 2013. The malicious code allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or by sending it SMS messages.

In January, experts at FireEye Labs discovered a new version of the Ploutus ATM malware, the so-called Ploutus-D, that works on KAL’s Kalignite multivendor ATM platform.

The experts observed Ploutus-D in attacks against Diebold ATMs, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

The alert issued by the Secret Service explains that the cybercriminals use an endoscope to inspect the internal parts of the ATM, searching for the place where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

Diebold Nixdorf urges the improvement of physical security for ATMs, especially for those located in public places such as malls and pharmacies. Tightening the security configuration of the firmware is also recommended.

The alert issued by the Secret Service recommends limiting physical access to the ATM machines and implementing protection mechanisms for cash modules (i.e., use firmware with the latest security functionality and the most secure configuration of encrypted communications, including physical authentication).

Pierluigi Paganini

(Security Affairs – Jackpotting, banking)


Russian hackers stole 860,000 euros from 32 ATMs belonging to the Raiffeisen Romania in just one night


In just one night a Russian crime gang stole 3.8 million lei (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank.

Cybercriminals stole 3.8 million lei (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank using an infected RTF document. The criminal organization, led by Dmitriy Kvasov, operated in Romania and stole the money in just one night in 2016.

“One night Raiffeisen Bank lost control of all ATMs in Romania • Although it seems impossible, the control of ATMs across the country was taken over by a group of Russian hackers • It is one of the biggest thefts of cash money in the history of Romania, and the authorities did not blow a word” reported the website bzi.ro.

The Organized Crime and Counterterrorism Office (DIICOT), which investigated the case, managed to arrest the leader of the criminal organization.

The Russian hackers launched a spear-phishing campaign against Raiffeisen Romania between August 9, 2016 and September 4, 2016, sending email messages that carried a weaponized RTF document. The bait document, which appeared to be sent on behalf of the European Central Bank, contained code that triggered a vulnerability in the target systems.

In this way the attackers took control of the bank’s entire network, and from there they were able to control the ATMs.

“The extremely well-coordinated criminal organization, wearing sunglasses and hooded anoraks waiting for the command, waited for bags and bags in their hands before the Raiffeisen Iasi, Bucharest, Suceava, Timeshare, Constanta, Plitvice, Saxon and Crevedia automats.” states Maszol.ru. “At the hands of their leaders, at least a few buttons, 32 cars released them all the money. If more men had been involved with the criminal organization, they could have virtually eliminated all the automatons of the bank.”

According to the report, the attackers were able to instruct the 32 ATMs to dispense cash. The investigators highlighted that the attackers only targeted systems in Romania, but once they had compromised the bank’s network they were also able to control any ATM worldwide belonging to the financial institution.

The bank confirmed that the hackers did not access customers’ accounts after the security breach.

Pierluigi Paganini

(Security Affairs – Raiffeisen, ATM)

The South America connection and the leadership on ATM Malware development

Besides being known for corruption scandals, South America is a reference point for the development of ATM malware that spreads globally, with Brazil, Colombia, and Mexico leading the way.

Research conducted by Kaspersky has revealed a convergence in attacks against financial institutions, where traditional crime and cybercrime join forces to target ATMs (Automated Teller Machines).

Around the globe, the region where criminals have gained the most expertise and become highly professional is Latin America. As a result of this criminal union to steal money directly from ATMs, criminals and cybercriminals from Latin America have been developing brand new zero-day techniques and tools that are not found anywhere else in the world.

The tools and techniques are imported from Eastern Europe and customized, paving the way for other criminals and creating a global malware network.

The research points to a combination of factors behind the development of ATM malware, such as obsolete operating systems and the availability of development platforms, like the .NET Framework, for creating the malicious code.

The report points out motivation as a key factor for criminals, but we can also consider the corruption widespread at every level of Latin American society a key factor. The prevalence of corruption fuels criminal motivation, since pirated software and corporate data are sold in every corner of Latin American countries. It is also important to notice the role of insider informants in organizations: employees who give precise details about the security measures in place so that criminals can bypass them.

Among the myriad techniques employed to rob banks, criminals still use explosives on a regular basis, due to their effectiveness and cost-benefit ratio. Security measures like cameras and CCTV, for example, are easily bypassed in a raid that takes just a few minutes. The collateral damage caused by explosives goes beyond the ATMs and the bank branches in which they are located, also reaching public squares, shopping malls and buildings near the banks.

In an attempt to stop ATM attacks, Brazilian banks have adopted ink cartridges that stain the banknotes and make them useless when the ATM is blown up. However, organized crime developed a special solvent to remove the ink. Other attack vectors exploited by criminals in Latin America are obsolete, unpatched software such as Windows XP or Windows 2000 in production environments. ATMs were also found with cables and network devices exposed, with no physical security measures in place.

Brazilian criminals do not restrict themselves to this approach and develop other ways to compromise banking security. Fake replicas that cover the front of ATMs and steal card data and PIN numbers are also used. In many cases, these fake machines are installed in daylight in retail businesses and supermarkets. The components to assemble such replicas are easily bought on black markets and in online stores.

Another common type of ATM fraud in Brazil is the “Chupa Cabra”, where criminals install skimmer devices that capture all the card data as soon as the card is inserted into the ATM.

Since these methods expose the criminals, who can be recognized by cameras and CCTV devices, they have also started to use malware to attack banking systems.

The report describes four stages used by criminals to steal money from ATMs: local or remote access to the machine, installation of malicious code on the ATM system, reboot of the target device, and withdrawal of the money. To evade ATM security, criminals from Latin America have developed different malware to steal money, both by intercepting data from keypads on Windows machines (Chupa Cabra malware) and by remote access. To withdraw money with malware, criminals can program a specific key combination on the PIN pad, insert a “special card” or send a remote command to an infected machine in the bank network.

The report found that there is cooperation between Eastern European and Latin American criminals. In 2017, a coordinated police operation took place in which 31 criminals were arrested for credit card cloning in Cuba, Ecuador, Venezuela, Romania, Bulgaria, and Mexico. This major operation highlights a criminal network working together globally. The union dates back to 2008, when the first malicious program to infect ATMs was developed (Backdoor.Win32.Skimer), targeting Russia and Ukraine. In 2014, researchers discovered the Tyupkin malware affecting ATMs in several Eastern European institutions.

Enough evidence was collected that a collaboration between criminals has taken place, with Latin American criminals involved in the development of ZeuS, SpyEye and other banking malware created in Eastern Europe. This criminal cooperation has raised the coding quality and sophistication of Latin American malware and led to the sharing of infrastructure for deployment. It was also found that Latin American criminals constantly access Russian underground forums looking for samples, to buy new malware or even to exchange data about ATM/PoS malware. It is believed that this criminal exchange started back in 2008.

As we dive into the development of ATM malware in Latin America we can highlight specific examples in Mexico, Colombia, and Brazil. In Mexico, the Ploutus malware was spotted in October 2013. In Greek mythology, Ploutus represents abundance and wealth. At first the malware was difficult to identify, being detected as Backdoor.Ploutus by Symantec and as Trojan-Banker by Kaspersky. The damage caused by this malware surpassed $64 million in Mexico alone and compromised 73,258 ATMs. A nationwide operation carried out during 2014 and 2015, related to robberies using malware, uncovered a criminal network acting on 450 ATMs of 4 major Mexican banks.

The machines were located in places with no surveillance or limited physical security, and the malware was deployed via CD-ROM drive or USB port. The attack caught the attention of the banks’ security departments because the cash transport company started receiving phone calls and alerts about unusually large amounts of money being withdrawn just hours after the machines had been refilled. Other attacks took place on dates when the ATMs were stocked with more money to meet customer demand, such as the Mexican Black Friday and Valentine’s Day. In this scenario, the cybercriminals obtain licenses that are valid for one day to withdraw money from any number of machines. According to the report, it takes from two and a half to three hours to entirely empty an ATM. The cybercriminal gangs are composed of at least 3 individuals, while the campaigns can involve up to 300 people. Each group compromises a chosen ATM and obtains its data in order to request an activation code and gain full access to the ATM service.

As discovered by the researchers, there are at least four different versions of the malware, and the latest, dating back to 2017, has bug fixes and code improvements. The first version did not report ATM activity to a command and control server. An SMS module was also found that obtained a unique identifier for the machine and allowed criminals to remotely activate the malicious code on the machine in order to withdraw money. The procedure has 5 stages: compromise of the ATM via physical access, installation of the malware as a Microsoft Windows service, acquisition of the ATM ID, activation of the ATM remotely or physically, and withdrawal while the malware is active for 24 hours.

The latest versions of the malware, detected by researchers as Backdoor.MSIL.Ploutus, Trojan-Spy.Win32.Plotus and HEUR:Trojan.Win32.Generic, have the capability of full remote administration of infected ATMs and include diagnostic tools. The cybercriminals switched their methods: instead of using physical keyboards they now use WiFi access with a modified TeamViewer remote management module to reduce risks.

As we continue analyzing the development of ATM malware in Latin America, we have to notice a combination of factors involving corruption, insider threats and legitimate software in Colombia. According to the report, in October 2014, 14 ATMs were compromised in different cities of Colombia, leading to a loss of 1 million pesos without any trackable transaction. A bank employee was arrested on suspicion of remotely installing malware on ATMs using privileged information before quitting his job. The suspect had worked for the Colombian police for 8 years as an electronic engineer and police investigator, in charge of large-scale investigations.

On October 25th he was arrested on charges of a multi-million fraud scheme at a Colombian bank. He had in his possession remote access to 1,159 ATMs across Colombia and a modified version of legitimate ATM software that paved the way for other members of the criminal organization to commit fraud in six different cities in less than 48 hours. To launch the attack the former police officer used a modified version of the ATM management software distributed by the manufacturer and its technical staff. He used his clearance to access the software, which after installation interacted with the XFS standard to send commands to the ATM. In this case, the target was a Diebold ATM. After the attack, a special access was granted that permitted the installation of any ATM malware, including Ploutus. The researchers detect this malware as Trojan.MSIL.Agent and Backdoor.MSIL.Ploutus.

Last but not least, we have to consider the country of nationwide corruption scandals: Brazil. Brazil is known for the development and spread of locally built malware that targets both ATM and PoS devices. In 2017 researchers found a new malware named Prilex being spread that was developed from scratch by Brazilian criminals and has no similarities with any other malware family. The difference in this Brazilian malware is that instead of using the common XFS library to interact with the ATM, it uses a vendor-specific library. Insider threats sharing information with the criminals are suspected, given the cybercriminals’ deep knowledge of the network diagram as well as the internal structure of the ATMs used by the banks. A specific user account belonging to a bank employee was also found, raising the suspicion of a targeted attack to exfiltrate information.

The malware was named Trojan.Win32.Prilex by the researchers, and once running it is capable of dispensing cash through a hidden window activated by a specific key combination. It also contains a component that reads and collects data from the magnetic stripe of the cards used at the infected ATMs. Measures were taken globally to reduce credit card fraud, but researchers discovered another development by Brazilian criminals to steal card data and clone chip-and-PIN cards.

A modified version of the malware with additional features was discovered by researchers, aimed at infecting point of sale (PoS) terminals to collect card data. This new variant is capable of modifying PoS software to allow a third party to capture the data transmitted to the bank. The Prilex group also developed new ways to clone cards and bypass security mechanisms. The cards work according to a standard called EMV. The chip on the card is a microcomputer that can run applications, and once inserted in a PoS terminal it begins a sequence of four steps.

The first step is called initialization: the terminal receives basic information like the cardholder name, the expiration date, and the applications installed. The second step is data authentication, where the terminal checks whether the card is authentic using cryptographic algorithms. In the third step, called cardholder verification, the user is asked to provide the PIN code to prove that he is the owner of the card. The fourth step is where the transaction happens. As noted by the researchers, only steps one and four are mandatory. For this reason, Brazilian criminals can easily bypass the authentication and verification steps.

The number and complexity of the steps needed for a transaction depend on the applications available on the card, which the PoS terminal requests from the card during the initial handshake. As the researchers note, the criminals created a Java application for the card to run that has two functions. The first tells the PoS terminal that data authentication is not necessary, bypassing the cryptographic operation. The second function relies on the EMV standard letting the application running on the card check whether the PIN is correct. The cybercriminals’ application validates any PIN as correct, no matter which PIN is entered. Even random numbers are accepted as valid input.
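The four steps above can be made concrete with a small model of the terminal-side logic. The Python below is an added example, not code from the Kaspersky report or from the article: it walks a card through initialization, data authentication, cardholder verification and the transaction, and compares a permissive terminal policy that lets the card decide whether steps two and three happen with a hardened policy that enforces data authentication and has the PIN verified by the issuer rather than by the card. The `Card`, `TerminalPolicy`, `run_transaction` and `demo` names and the two sample card profiles are constructed for illustration; they are not EMV tags, commands or real card data.

```python
# Simplified model of the four EMV transaction steps (initialization,
# data authentication, cardholder verification, transaction).
# Added example; the fields and policy flags below are constructed for
# illustration and are not real EMV tags or commands.
from dataclasses import dataclass


@dataclass
class Card:
    """What the card application reports to the terminal (constructed)."""
    cardholder: str
    expiry: str
    application: str
    offers_data_auth: bool     # does the card say step 2 is available?
    data_auth_valid: bool      # would the cryptographic check pass?
    offline_pin_answer: bool   # the card's own answer to the PIN check (step 3)


@dataclass
class TerminalPolicy:
    """Terminal/issuer rules that decide how steps 2 and 3 are enforced."""
    require_data_auth: bool    # refuse approval when step 2 is skipped or fails
    online_pin: bool           # verify the PIN at the issuer, not inside the card


PERMISSIVE = TerminalPolicy(require_data_auth=False, online_pin=False)
HARDENED = TerminalPolicy(require_data_auth=True, online_pin=True)


def run_transaction(card: Card, policy: TerminalPolicy,
                    issuer_pin_ok: bool) -> tuple[str, list[str]]:
    """Walk the four steps; return (outcome, log of what was enforced)."""
    log = []

    # Step 1: initialization is always performed.
    log.append(f"init: {card.cardholder} exp {card.expiry} app {card.application}")

    # Step 2: data authentication. The card may claim it is unnecessary.
    if card.offers_data_auth:
        log.append("data_auth: checked")
        if not card.data_auth_valid:
            return "declined: data authentication failed", log
    elif policy.require_data_auth:
        # A skipped step must not silently downgrade into an approval.
        return "declined: card offered no data authentication", log
    else:
        log.append("data_auth: skipped at card's request")

    # Step 3: cardholder verification, by the issuer or by the card itself.
    if policy.online_pin:
        log.append("pin: verified by issuer")
        pin_ok = issuer_pin_ok
    else:
        log.append("pin: verified by card application")
        pin_ok = card.offline_pin_answer
    if not pin_ok:
        return "declined: PIN verification failed", log

    # Step 4: the transaction itself.
    log.append("transaction: completed")
    return "approved", log


# Constructed sample cards. The cloned card mirrors the behaviour described
# in the report: it declares data authentication unnecessary and answers
# every PIN check with "correct".
GENUINE = Card("J DOE (sample)", "12/27", "sample-app-1",
               offers_data_auth=True, data_auth_valid=True, offline_pin_answer=True)
CLONED = Card("J DOE (sample)", "12/27", "sample-app-1",
              offers_data_auth=False, data_auth_valid=False, offline_pin_answer=True)


def demo() -> dict[str, str]:
    """Run both cards under both policies. Only the genuine cardholder
    knows the PIN the issuer holds, so issuer_pin_ok is False for the clone."""
    return {
        "genuine/permissive": run_transaction(GENUINE, PERMISSIVE, issuer_pin_ok=True)[0],
        "genuine/hardened": run_transaction(GENUINE, HARDENED, issuer_pin_ok=True)[0],
        "cloned/permissive": run_transaction(CLONED, PERMISSIVE, issuer_pin_ok=False)[0],
        "cloned/hardened": run_transaction(CLONED, HARDENED, issuer_pin_ok=False)[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} -> {outcome}")
```

The last two outcomes carry the point: a card that declares data authentication unnecessary and answers every PIN check affirmatively is approved only by a terminal that takes both claims at face value. The step log returned alongside the outcome is the kind of record an acquirer or issuer can review for approvals in which step two was skipped and step three was left to the card.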

The researchers discovered a complex infrastructure behind the Prilex operation. Besides the Java applet, a client application called “Daphne” is used to write information onto smart cards, together with a database of card numbers and other data. The Daphne application is used to check the amount of money that can be withdrawn with a card and to clone both credit and debit cards. The cybercriminals sell the application as a package to other criminals in Brazil for cloning cards.

In its recommendations, the report lists two scenarios, one with direct losses for the bank and the other with losses for the customers. Attackers must either bypass the customer authentication mechanisms or bypass ATM security. Criminals are shifting from physical attacks to logical attacks, which help them go unnoticed for longer periods of time. The researchers suggest that manufacturers and vendors should improve security measures and work with anti-malware companies to better address logical attacks. They also suggest the use of threat intelligence to collect information on new developments in malware families.

To address the card cloning issue, the researchers recommend constantly checking the card transaction history and contacting the bank in case of suspicious activity. The researchers also recommend that users rely on Android Pay or Apple Pay to avoid disclosing card data, and that they use a separate card for internet payments. Finally, users are advised to avoid keeping large sums of money on the card.

Sources:

https://securelist.com/atm-malware-from-latin-america-to-the-world/83836/
https://securelist.com/the-chupa-cabra-malware-attacks-on-payment-devices-27/32248/
https://krebsonsecurity.com/2013/12/the-biggest-skimmers-of-all-fake-atms/
https://www.association-secure-transactions.eu/atm-explosive-attacks-surge-in-europe/
http://cyberparse.co.uk/2018/02/14/bingo-amigo-jackpotting-atm-malware-from-latin-america-to-the-world/
https://www.exploitthis.com/2018/02/14/bingo-amigo-jackpotting-atm-malware-from-latin-america-to-the-world/
https://www.kaspersky.com/blog/chip-n-pin-cloning/21502/
http://www.cs.ru.nl/~erikpoll/papers/EMVtechreport.pdf

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student specializing in Cryptology and an information security enthusiast who has participated in groups such as Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. He is also a prolific writer, contributing as an editor to Portal Tic of Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – malware, cybercrime)

Law enforcement arrested the head of the Carbanak gang that stole 1 billion from banks

The head of the crime ring behind the Carbanak gang that since 2013 targeted banks worldwide has been arrested in Spain.

The mastermind suspected of stealing about £870m (€1bn) in a bank cyber heist has been arrested in Spain.

The man is suspected of being the kingpin of the crime ring behind the Carbanak gang, which since 2013 has targeted banks worldwide with the malware of the same name and with the Cobalt malicious code.

“The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over 100 financial institutions worldwide has been arrested in Alicante, Spain, after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarussian and Taiwanese authorities and private cyber security companies.” reads the official announcement from Europol. “Since 2013, the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over EUR 1 billion for the financial industry. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist.”

The operation that led to the arrest of the head of the gang was conducted by Europol and the FBI, along with cyber-security firms and law enforcement agencies in Spain, Romania, Belarus and Taiwan.

In early 2016, the Carbanak gang targeted banks and financial institutions, mainly in the US and the Middle East. The Carbanak gang was first discovered by Kaspersky Lab in 2015; the group has stolen around 1 billion from 100 financial institutions.

In November 2016, experts at Trustwave uncovered a new campaign launched by the group targeting organizations in the hospitality sector.

In January 2017, the Carbanak gang started using Google services for command and control (C&C) communication.

The arrest was the result of one of the most important investigations conducted by the European authorities.

“This global operation is a significant success for international police cooperation against a top level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity.” said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3). “This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”

What is the Carbanak modus operandi?

The infection started with a classic spear-phishing attack that allowed the Carbanak cybergang to compromise the banks’ computer systems. The malicious emails included a link that, once clicked, triggered the download of the malware.

The malicious code was used by the hackers of the Carbanak cybergang to gather information on the targeted bank, for example to find the employees in charge of cash transfer systems or ATMs. In a second phase of the attack, the hackers installed a remote access tool (RAT) to control those employees’ machines. With this tactic the Carbanak cybergang collected images of the victims’ screens and studied their daily activity in the bank. At this point, the hackers were able to remotely instruct ATMs to dispense money or to transfer money to fake accounts.

“The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group — including Russians, Chinese and Europeans — how the bank conducted its daily routines, according to the investigators.

Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.” reported the New York Times

Pierluigi Paganini

(Security Affairs – cybercrime, Carbanak cybergang)
