Trojans in Eastern European ATMs

Security researchers at Trustwave have found a whole family of data-stealing trojans that has been nesting inside Eastern European automated teller machines (ATMs) for more than the past eighteen months.

According to analysts at SpiderLabs, Trustwave's research arm, the trojans capture the personal identification numbers (PINs) and card data of customers who use compromised ATMs, and give the attackers an easy-to-use interface for retrieving the stolen data through the machine's receipt printer.

What's more, the campaign appears to go back roughly two years, with at least sixteen revisions of the software by its meticulous criminal authors.

ATMs infected by trojans to steal money

Nicholas Percoco, vice-president and head of SpiderLabs, noted that the ATM attackers follow something closer to a rapid development cycle for their malware: they test what works, fix the flaws, and add new features in the next iteration.

The attackers not only have the audacity to steal customers' card data with ATM trojans; they also have the persistence to keep doing it until they have perfected their craft.

The SpiderLabs analysts examined the most recent versions of the trojans, around four editions, and found a very capable malware family whose code quality would meet the standards of professional proprietary software development.

Once the trojan is installed on an ATM, it watches the machine's transaction message queue for track 2 data read from inserted cards. Track 2 is the magnetic-stripe track that carries the primary account number (PAN), the expiry date and the service code, which together with the PIN is all that is needed to clone a card for cash withdrawals.

When it finds a bank customer's card data, it records it, together with the PIN entered for that transaction, in its own database.
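As an added illustration, not code from Trustwave's report or from the malware itself, the following Python sketch shows what "track 2 data" looks like in an ASCII transaction message and how a defender scanning a captured message buffer or memory dump might pick it out. The sample buffer is constructed here, the PANs are standard test numbers, and the Luhn check filters out digit strings that merely resemble a card number; the field layout (PAN, '=' separator, YYMM expiry, three-digit service code, discretionary data) is the standard track 2 format.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List

# Track 2 in its ASCII form: an optional start sentinel ';', a 12-19 digit PAN,
# the '=' field separator, the expiry as YYMM, a 3-digit service code, then
# discretionary data and an optional '?' end sentinel.
TRACK2_RE = re.compile(rb";?(\d{12,19})=(\d{4})(\d{3})(\d*)\??")


@dataclass
class Track2Hit:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str
    offset: int  # byte offset of the match in the scanned buffer


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: true for every real PAN, false for most noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> Iterator[Track2Hit]:
    """Yield every Luhn-valid track 2 record found in an arbitrary byte buffer."""
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue  # digits that only look like a card number
        yield Track2Hit(
            pan,
            m.group(2).decode("ascii"),
            m.group(3).decode("ascii"),
            m.group(4).decode("ascii"),
            m.start(),
        )


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits only, so the scan log is not itself a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_report(buf: bytes) -> List[str]:
    """One masked summary line per track 2 record found in buf."""
    return [
        f"offset {h.offset}: PAN {mask_pan(h.pan)} exp {h.expiry_yymm} svc {h.service_code}"
        for h in find_track2(buf)
    ]


# Constructed sample: three framed transaction messages plus unrelated digits.
# The PANs are industry test numbers, not real cards.
SAMPLE_QUEUE = (
    b"\x02TXN0001\x1c;4111111111111111=2512101000000000000?\x1cPINBLK\x00\x00\x03"
    b"\x02TXN0002\x1c;4111111111111112=2512101000000000000?\x03"  # fails Luhn
    b"\x02TXN0003\x1c5500000000000004=2701201\x03"                  # no sentinels
    b"balance=1234567890123456789\n"                                  # not track 2
)

if __name__ == "__main__":
    for line in scan_report(SAMPLE_QUEUE):
        print(line)
```

The same pattern works over a process memory dump or a captured message stream, which is how an incident responder would confirm that card data is being handled in the clear on a suspect machine. Masking the PAN in the output matters: a forensic tool that writes full PANs to a log file creates the very exposure it is meant to detect.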

The attackers control infected machines with specially crafted cards.

When one of these cards is inserted, the ATM's screen shows a menu of ten options that can be selected from the keypad.

Among them are restoring the machine's log files to their pre-infection state, printing the stashed card data, and uninstalling the malware outright.

A second menu lets the attacker make the ATM dispense its cash.

The code also contains references to a feature that would write the stolen card data to a chip on the attacker's card, but that capability does not work yet and appears to be in an early stage of development.

The attacker cards carry either a "single" function or a "master" function: the former is issued to underlings who are not fully trusted, the latter is reserved for the ringleaders of the criminal organization.

In any case, these discoveries corroborate Sophos's report last March of card-data-stealing malware that targeted ATMs manufactured by Diebold.