New malware hits ATM and electronic ticketing machines

Both ATMs and electronic ticketing machines are facing further hacks as fraudsters focus on inadequately defended environments.


European cyber-criminals have created new ‘Daredevil’ malware that explicitly targets electronic ticketing machines and kiosks such as those found in train stations.

And in another leap by the bad guys, users of European bank ATMs are being hit by a new, almost invisible ‘wiretapping’ device which eavesdrops on the customer's cash transaction.

The Daredevil – or “d4re|dev1|” – malware is a new strain of point-of-sale (POS) attack software spotted by US-based security research firm IntelCrawler.

In a 26 November blog post, the company said Daredevil is one of a growing list of POS variants being developed by underground cyber-criminals because of the success of past attacks on US retailers like Target and Home Depot.

This time, IntelCrawler said, the POS malware is aimed at “ticket vending machines and electronic kiosks installed in public places and mass transport systems”. Daredevil infiltrates the machines using an advanced backdoor, then infects them with remote administration, RAM scraping and keylogging software.

IntelCrawler believes the malware authors are from Europe, and CEO Andrew Komarov told SC Magazine US that around 80 merchants have been hit across Europe, the US and Australia. The blog cites one specific compromised device found in Sardinia in August.

In the blog, the company explains: “Such devices will become the new target for cyber-criminals. These kiosks and ticket machines don't usually house large daily lots of money like ATMs, but many have insecure methods of remote administration allowing for infectious payloads and the exfiltration of payment data in an ongoing and undetected scheme.”

Daredevil also has a ‘File Upload’ option which allows criminals to remotely install additional backdoors and tools, and so target a range of POS terminal types.

And IntelCrawler says other new POS malware variants it has identified recently include POSCLOUD, Nemanja, JackPOS, BlackPOS and Decebal.

The company warns: “As this POS malware market is evolving, new security measures are needed to combat the seemingly continuous strains being developed by the underground.”

Over in the ATM area, the new ‘wiretapping’ attack has so far been seen in two unnamed European countries, according to a report this week by the non-profit organisation EAST (European ATM Security Team).

The new method has been analysed by cyber-security expert Brian Krebs in a recent blog. He says “virtually invisible” wires are inserted through a tiny hole cut into the cash machine's front and attached to the ATM's internal card reader. The criminals then cover up the hole. Afterwards they fish out the wire, and connect it to a handheld data storage device.

EAST has also reported that the use of concealed cameras to capture PIN codes “appears to be becoming more prevalent”. And Krebs said criminals are also becoming more adept in the use of ATM ‘skimming’ devices that fit “snugly and invisibly” inside the card acceptance slot and capture the card details.

In the face of all this criminal innovation, UK cyber-security expert Mike Loginov, CEO of consultancy firm Ascot Barclay and vice chairman of the Advisory Board for the National MBA in Cyber Security, said it should provide “a further wake-up call to not just retailers and the card industry but underpin the ongoing need to raise awareness at all levels across business and society”.

Loginov said solutions are available – such as anti-vibration alarms on ATMs and hardening the machine surface at critical points to protect against the wiretapping attack, and adding extra authentication such as fingerprint recognition for POS devices.

He told SCMagazineUK.com via email: “There are so many simple and practical low-cost methods that organisations can deploy - but at the moment don't - to make it riskier and therefore more expensive for the criminals to operate.”

But highlighting the scale of the threat, Loginov said he himself had recently fallen victim to a card scam at an ATM at a mainstream bank in central London.

He told SC: “A Lebanese Loop was installed and my card stolen. The quality of the device used was so good it was almost impossible to detect.

“On this occasion however the culprits - a prolific Romanian gang targeting the ATM machines of the city of London - were arrested and charged.”

Looking at how to combat the new attacks, Sarb Sembhi, consulting services director at STORM Guidance and a leading member of the ISACA security professionals organisation, put the onus on the hardware manufacturers.

He told SCMagazineUK.com: “Whether they're ticket machines, whether they're ATMs, there's been an assumption for a long time by the manufacturers of these machines that no-one is going to attack them.

“The designs are old and they haven't been built with (communications) security in mind. They have made minor changes, but they have not had a complete redesign from top to bottom for security.”

He added: “Criminals are quite innovative. This is just another area that has been untapped that is going to be tapped more as each of these attacks gets publicity. Attacks on ATMs are going to continue and become more sophisticated - until they become more secure than they are now.”

Ben Densham, CTO of Nettitude, agreed that ATM and kiosk manufacturers need to do more.

He told SCMagazineUK.com via email: “Criminals are still very focused on the humble credit card as a means of making money. Even with the increase in internet payments and online e-commerce, the fact that physical skimming devices are still being designed and deployed shows that these hacks do pay.

“Although the detailed circumstances here are unknown, the fact that ‘internally’ an ATM or kiosk terminal is often seen as a trusted environment, is shown to be flawed. As with our own networks and environments, we need to ‘expect’ to be hacked and ensure we have the controls to monitor and manage an internal breach.

“The secure design of our systems and the ‘response in depth’ capabilities need to be applied to ATMs and other secure devices – not just to our corporate systems.”