Security researchers from anti-virus vendor Sophos have uncovered a trojan that can infect the operating systems of automated teller machines and hook into the software developed by one of the leading global suppliers of such devices, Diebold. The malware is able to monitor transactions and log the PINs entered for credit cards.
The malware, detected by Sophos as Troj/Skimer-A, was analyzed by Vanja Svajcer, principal virus researcher at SophosLabs, UK. Mr. Svajcer notes that he got the idea of looking for such malware after a friend working at a bank told him of rumors that Diebold cash machines had been infected in Russia.
The researcher found three Diebold-related files that had been submitted by anonymous users through the VirusTotal service. After a more in-depth analysis of the samples, he concluded that one of them is a trojan dropper, which disables storage protection and installs a file called lsass.exe (not the legitimate one found in Windows).
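As an added defender-side illustration (not from the article, Sophos or Diebold), the check below flags any process named lsass.exe whose image does not live in the Windows System32 directory, which is the one property that separates the dropper's rogue lsass.exe from the real one. The process snapshot is constructed sample data, and the rogue path in it is a placeholder, not a path reported for this malware.

```python
from pathlib import PureWindowsPath

# Constructed process snapshot: (pid, image name, full image path).
# Not captured from a real machine; the rogue paths are placeholders.
SAMPLE_PROCESSES = [
    (620, "lsass.exe", r"C:\Windows\System32\lsass.exe"),      # the genuine LSA process
    (3412, "lsass.exe", r"C:\Windows\Temp\lsass.exe"),         # same name, wrong directory
    (1500, "explorer.exe", r"C:\Windows\explorer.exe"),
    (4100, "LSASS.EXE", r"C:/Users/Public/lsass.exe"),         # odd case and slashes, still flagged
]


def is_expected_lsass_path(path, system_root=r"C:\Windows"):
    """True only if the image is exactly <system_root>\\System32\\lsass.exe.

    PureWindowsPath normalizes separators; the comparison is case-insensitive
    because NTFS paths are. ".." components are not collapsed, so a path that
    merely passes through System32 is not accepted.
    """
    expected = PureWindowsPath(system_root) / "System32" / "lsass.exe"
    return str(PureWindowsPath(path)).lower() == str(expected).lower()


def find_masquerading_lsass(processes, system_root=r"C:\Windows"):
    """Return (pid, path) for every lsass.exe-named process outside System32."""
    suspects = []
    for pid, name, path in processes:
        if name.lower() != "lsass.exe":
            continue
        if not is_expected_lsass_path(path, system_root):
            suspects.append((pid, path))
    return suspects


if __name__ == "__main__":
    for pid, path in find_masquerading_lsass(SAMPLE_PROCESSES):
        print(f"suspicious lsass.exe: pid={pid} image={path}")
```

On a live host the same function can be fed the output of a process-listing tool; the logic does not change, only the source of the tuples.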
Further analysis revealed that the trojan logs keyboard input and stores the captured data in encrypted form. It also has printing capabilities, which suggests that whoever ran this scheme was planning to send "money mules" to retrieve the data. "Looking at the code makes us believe that it could be possible that a criminal could enter a specially crafted card into an infected ATM, which would then instruct the ATM to print out encoded information about stolen credit cards and PINs onto what is normally the receipt slip," Graham Cluley, senior technology consultant at Sophos, explains.
The file uses functions in the Diebold Agilis 91x ATM software to manipulate the magnetic stripe. Because these functions are not documented and certainly not available to the general public, Svajcer concludes that, "The malware seems to be a work of a programmer with a good knowledge of the internals of Diebold ATMs." In addition, physical access is most likely required to install the malware in the first place, pointing to an insider job.
The Register reports that Diebold has been aware of the malware since January, when it was used in Russia in an attempt to intercept transaction data. The company has issued an advisory to its customers along with a software update. It is also noted that several suspects have been detained by the local authorities, who are still investigating the crime. The fact that the trojan monitors transactions in US dollars, as well as Ukrainian and Russian currencies, suggests that it originated in Eastern Europe.
This might be the first incident of fraudsters using malware to infect ATMs, but it is not the first time that an insider job has resulted in tampered payment devices. Back in October 2008, we reported that hundreds of modified "chip and PIN" devices had been discovered in retail stores across Europe. The authorities shared that the tampering was so complex and inconspicuous that the devices were likely modified directly at the factory in China by accomplices before being shipped to Europe.