ATM malware likely to spread

"There is indication that there is activity around this network in other parts of the world. It's likely not to just stop here," said Nicholas Percoco, vice president of consulting at Trustwave. "Hopefully it does - the alerts that we have sent out will cause other banks to secure their systems - but there is an indication that there is activity around this region, around the same type of malware."

Trustwave detected the software on ATM devices located in Eastern Europe last month. The malware is designed to allow third parties to control different aspects of the machine's operation, including the gathering of sensitive data from the magnetic stripe on the card. It is also possible to use the software to force an ATM to dispense all of the cash stored in its cassette.

The malware was produced by a developer serving an organised team, according to experts from the company. It codifies roles and responsibilities with different privileges, accessed using different trigger cards, with identity data designed to specify the holder's role encoded on the magnetic stripe. "If they were all the same person, then it wouldn't make sense to put all of these different roles and responsibilities in the malware," said Percoco.

Percoco explains that there are different types of card. A single-use card enables a presumably lower-ranked individual within the organised crime team to carry out basic reporting and monitoring functions. A multi-use card enables the holder to carry out more actions, on a repeated basis. The command to dispense the cash cassette is contained on the multi-use card, but is granted only after the card holder has satisfied a challenge/response request.

The software would most likely have been installed by someone with physical access to the ATM, said Percoco, adding that the ATMs were exclusively Windows-based, and were older machines.

"The systems we looked at were older systems, and they were not classified as your PCI compliant ATMs," said Percoco, arguing that in newer systems, tamper-proofing and encryption key management are performed more effectively.

Significantly, Alistair Kelman, a barrister specialising in financial fraud, argues that many older ATMs were sold off by banks in developing countries as they modernised their own equipment. "When we finally got around to upgrading our systems, instead of selling off their old machines as scrap, they sold them off to developing countries as an ideal system for them to use, because they didn't feel that people in developing countries had the skill sets to require top-end security," he says.