New ATM malware found in machines in Russia, Ukraine and Romania could spell trouble for other countries, particularly countries where ATMs are popular but the general income is low.
So says Costin Raiu, chief security expert in Kaspersky Lab's EEMEA Global Research and Analysis Team, who adds that where the malware could potentially spread is strongly related to how the ATMs get infected in the first place.
“Obviously, for somebody to install this malware, they need physical access to the ATM. This is relatively hard to do without the bank noticing. It is therefore most likely done with help from the inside. Securing help from inside the bank is not necessarily easy and might work well only in countries where bribing bank workers is possible.”
He describes the malware as a Trojan horse. “Kaspersky detects the multiple variants of this threat as Backdoor.Win32.Skimer. There are quite a few variants that we have seen so far,” he adds. “In general, they all work the same way. They are all designed for Diebold ATMs running Windows XP. The malware uses specific functions available on these implementations of Windows, meaning, they are probably not going to work with other ATMs.”
Victims of this particular scam have reported that an English message, "please wait", appears when they try to draw money. Following this, they are notified that the money requested cannot be drawn as there are insufficient funds in their account. However, the following day, the victims notice that the amount requested has been debited from their account. Some victims also report their entire bank account being emptied the next day.
Raiu says it is hard to gauge how widespread these attacks are, for several reasons. “Firstly, banks don't usually like talking about them and victims will complain to the banks and to the police. Secondly, we only hear about the big incidents, the small ones usually go unnoticed.”
He says it is Kaspersky's opinion that someone from the bank needs to be involved, as the attacker needs physical access to the ATM. “We are not aware of any exploit that can be used to infect the ATMs from the 'usual' user interface.”
On guard
In order to protect their customers, it is vital for the banks to do a 24/7 surveillance of the ATM and record all access to the machine, argues Raiu. “People with access to the ATMs must be properly screened and in the case of a compromise, the list of suspects should allow them to identify the cyber criminal.
“Additionally, it might be important for the banks to talk to the ATM suppliers and request them to deploy more efficient security software on these ATMs.”
According to Raiu, it would be wise for banks to take extra precautions, as the liability for the missing funds lies with them, because these attacks can only be executed with inside assistance.
Whether or not this threat will grow, says Raiu, depends entirely on how the banks react to this new risk. If the banks and ATM suppliers begin implementing stronger security measures, the attacks would become less popular. “If the issue is ignored, then it will most likely continue.”
Unfortunately, there is little users can do to protect themselves from such attacks, according to Raiu, but he adds that there are a few important things to keep in mind. “Don't use an ATM if it has any strange messages on it, such as error boxes. Error messages do not necessarily mean that the ATM is infected, although they are a sign that something is definitely wrong with the ATM.”
Raiu also suggests looking for signs that the machine has been physically compromised. “For instance, when I was in SA, I noticed one ATM where the display was hanging loose and it was possible to push it inside. This allowed physical access inside the ATM. Whenever you notice something like this, call the bank immediately and do not use the machine.
“Finally, it is important to check your banking account often and to immediately inform the bank when you find money missing,” says Raiu. “If this happened through a similar ATM attack, the bank should immediately refund the loss.”