A new piece of malware designed to infect cash machines to steal payment cards and card-holders’ information has been discovered by American cyber-security researchers.
The virus, named Backdoor.ATM.Suceful, was said to have come from Russia. It was discovered by US cyber-security firm FireEye Labs, which describes it as the first virus focused on automated teller machines (ATMs) that directly targets card-holders and is capable of operating on multiple types of machine.
In a post on its website, FireEye said that the virus, probably still in development, has shocking features “never seen before in ATM malware”.
Although it has not yet been observed in the wild, the researchers believe the malware, which targets Diebold and NCR ATMs, can be used by attackers first to steal information such as the card number, expiry date and encrypted PIN, and then the physical card itself.
The latter is done by issuing commands to the card reader to either retain or eject the card. In practice, the ATM would retain the card-holder's card, and the attackers would then collect it from the machine while the card-holder goes to find help.
The virus interacts with the XFS Manager, the interface through which ATM software controls peripheral devices including the card reader, cash dispenser, PIN pad and printer.
“One benefit of the XFS Manager is that it is vendor-independent, similar to Java’s ‘Write once, run anywhere’ mantra,” FireEye explained in the post. “This means that it can be used maliciously by ATM malware, so that it can run transparently in multiple hardware vendors.”
Previously discovered ATM malware such as Ploutus and PadPin also targeted the XFS Manager. Those families, however, did not target card-holders; they were built to empty ATMs of cash.
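Because every XFS-based family, whether it retains cards like SUCEFUL or dispenses cash like Ploutus and PadPin, has to talk to the XFS Manager, a process other than the bank's own ATM application loading the XFS Manager DLL is a strong anomaly on a cash machine. The following is an added example, not code from the article or from FireEye: it runs that check over Sysmon-style image-load events. The DLL name msxfs.dll is the standard name of the CEN/XFS Manager on Windows; the log lines and the allow-listed application path `C:\ATMAPP\ATMAPP.EXE` are constructed for the example.

```python
"""Flag processes that load the XFS Manager DLL without being the ATM's own
application.  Added example; the log lines and allow-list are constructed."""
import re
from collections import defaultdict

# The CEN/XFS Manager DLL on Windows.  Vendor-specific service providers sit
# behind it, which is why one XFS-speaking binary can drive several makes of ATM.
XFS_MANAGER_DLL = "msxfs.dll"

# Assumed allow-list of legitimate XFS clients (full, lower-cased paths).
# A real deployment would take this from the ATM's software inventory.
ALLOWED_XFS_CLIENTS = {
    r"c:\atmapp\atmapp.exe",
}

# Sysmon event 7 (ImageLoad) reduced to the fields that matter here.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) ImageLoad Image=(?P<image>.+?) ImageLoaded=(?P<loaded>.+)$"
)

# Constructed sample events: the real ATM application, an unknown binary in a
# user-writable directory, and a copy of the application renamed into the same
# directory (full-path matching catches the renamed copy too).
SAMPLE_EVENTS = """\
2015-09-11T10:00:01Z ImageLoad Image=C:\\ATMAPP\\ATMAPP.EXE ImageLoaded=C:\\Windows\\System32\\msxfs.dll
2015-09-11T10:00:02Z ImageLoad Image=C:\\ATMAPP\\ATMAPP.EXE ImageLoaded=C:\\Windows\\System32\\kernel32.dll
2015-09-11T10:05:17Z ImageLoad Image=C:\\Users\\Public\\svc.exe ImageLoaded=C:\\Windows\\System32\\msxfs.dll
2015-09-11T10:05:18Z ImageLoad Image=C:\\Users\\Public\\svc.exe ImageLoaded=C:\\Windows\\System32\\ws2_32.dll
2015-09-11T10:07:40Z ImageLoad Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll
2015-09-11T10:09:03Z ImageLoad Image=C:\\Users\\Public\\ATMAPP.EXE ImageLoaded=C:\\Windows\\System32\\msxfs.dll
"""


def parse_event(line):
    """Parse one ImageLoad line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "image": m.group("image").lower(),
        "loaded": m.group("loaded").lower(),
    }


def unexpected_xfs_clients(log_text, allowed=ALLOWED_XFS_CLIENTS):
    """Return {process path: [timestamps]} for every process that loaded the
    XFS Manager and is not on the allow-list."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        # Match on the file name, not the directory, so a relocated msxfs.dll
        # is still recognised as an XFS Manager load.
        if not ev["loaded"].endswith("\\" + XFS_MANAGER_DLL):
            continue
        if ev["image"] in allowed:
            continue
        hits[ev["image"]].append(ev["ts"])
    return dict(hits)


if __name__ == "__main__":
    for image, stamps in unexpected_xfs_clients(SAMPLE_EVENTS).items():
        print(f"{image} loaded {XFS_MANAGER_DLL} at {', '.join(stamps)}")
```

The allow-list is matched on the full path rather than the executable name, so a copy of the ATM application dropped into another directory is still flagged; on a production machine the list should come from the ATM's software inventory, not be hard-coded.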
FireEye said it was not clear how the malware, created around 25 August this year, is loaded onto an ATM in the first place.
The firm does, however, recommend that card users save their bank's phone number in their mobile phones and not leave the cash machine if their card is retained.
The sample was uploaded to VirusTotal, a free website that scans submitted files with multiple antivirus engines.
“The fact that this has been uploaded to VirusTotal should be a red flag – any version used going forward will probably be different enough to avoid easy detection,” said Tim Erlin from cyber security firm Tripwire.
“Embedded systems, like ATMs and point-of-sale devices, present unique challenges for information security, and unique opportunities for attackers. We’re fast approaching a situation where consumers need to have a healthy scepticism for security of the devices into which they stick their cards.”