Malware: Banks, Customers and ATMs All Under Fire

Uploaded on 2015-10-15 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

Security experts warn about a trio of malware threats that are designed to steal cash, online banking credentials as well as payment-card data from point-of-sale devices.

The new warnings center on three types of unrelated malicious code. For starters, malware has been spotted in the wild that is being used to drain cash from ATMs in Mexico, although security researchers warn that it could go global. The Shifu banking Trojan, meanwhile, has moved beyond Japan and is now being used to target customers of four U.K. banks. Finally, the notorious Neutrino crimeware has gotten an upgrade, allowing it to scrape POS device memory and steal payment-card data.

The newly spotted ATM cash-out malware has been dubbed "GreenDispenser," by cybersecurity firm Proofpoint, which says that while it has only seen the malware used to "cash out" ATMs in Mexico, the malicious code could soon spread to other countries (see Authorities Detain Suspects in ATM Cash-Out).
"GreenDispenser provides an attacker [with] the ability to walk up to an infected ATM and drain its cash vault," Proofpoint security researcher Thoufique Haq says in a blog post. "When installed, GreenDispenser may display an 'out of service' message on the ATM, but attackers who enter the correct PIN codes can then drain the ATM's cash vault and erase GreenDispenser using a deep-delete process, leaving little if any trace of how the ATM was robbed." A deep delete in this case means that the malware not only deletes itself, but also employs Microsoft's sdelete to make it much more difficult for any malware-related bits and bytes to be recovered via later digital forensic analysis. 

The malware resembles the PadPin - a.k.a. Tyupkin - ATM malware that first surfaced in March 2014, and which could be used to make an ATM dispense all of its money, in what's known as a "jackpotting" or cash-out attack, Proofpoint says, adding that it believes that installing the malware requires physical access to an ATM (see Easy Access Fuels ATM Attacks).

Like PadPin, GreenDispenser is designed to interact with a set of standard programming interfaces, or APIs, that are built into most ATM host computers and components, known as XFS - which stands for "extensions for financial services" (see Hacking ATMs: No Malware Required).

This new generation of ATM malware includes a number of tricks designed to disguise the presence of the malware, as well as prevent unauthorized thieves from using it to drain ATMs. For starters, any ATM that gets infected with GreenDispenser displays an "out of order message." Proofpoint says it has recovered samples of the malware that display a message either in grammatically challenged English - "We regret this ATM is temporary out of service" - or else in Spanish: Temporalmente fuera de servicio.

Based on Proofpoint's GreenDispenser teardown, it found that the malware was coded to only run if the year was 2015, and the month was earlier than September, thus suggesting that this might have been a test run, or else designed to avoid detection. To cash out the ATM, meanwhile, an attacker must enter a preset PIN, scan a QR code displayed on screen, and then enter a second PIN, after which they can instruct the ATM to dispense all of its money, or tell the malware to delete itself.
"We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN - a two-factor authentication of sorts," Proofpoint says. "This feature ensures that only an authorized individual has the ability to perform the heist."

The banking malware known as Shifu - after the Japanese word for thief - has returned, and is no longer just targeting Japanese banks. In a Sept. 25 blog post, the French researcher who maintains the Malware Don't Need Coffee blog, who goes by the name Kafeine, warns that in recent days, the malware has been spotted targeting four U.K. banks: Bank of Scotland, Halifax, Lloyds Bank and TSB. To date, it's not clear how many banking customers' systems may have been infected with the malware.

In August, IBM reported that it first saw Shifu being used for in-the-wild attacks, beginning at least in April. But Kafeine says that after cross-referencing his findings on Sept. 24 with security researchers at Fox-IT and Dell SecureWorks, they found that collectively they had been tracking Shifu since September 2014. "We were using a 'non public' name to talk about it," Kafeine reports.

In the United Kingdom, Shifu is being spread via malvertising attacks, Kafeine says. To date, it's not clear if these attacks are part of a campaign that has successfully served malicious advertising via multiple popular sites, including dating sites Plenty of Fish and Match.com.

Databreachtoday: http://bit.ly/1KU8QDi

 

« Best Practices for Cybersecurity Breaches
Bitcoin - It's Uncomplicated »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Galaxkey

Galaxkey

Galaxkey is a data protection product that protects email, documents and any data using access control and an encryption platform.

Performanta

Performanta

Performanta offer a consultative approach to people, process and technology, focusing on security projects in line with adversarial, accidental and environmental business risk.

ADF Solutions

ADF Solutions

ADF Solutions is a leading provider of digital forensic and media storage exploitation tools.

Fidelis Security

Fidelis Security

Fidelis Security is a leading provider of extended threat detection and response (XDR) solutions for your security operations.

Dual Layer IT Solutions

Dual Layer IT Solutions

Dual Layer offer a full range of IT Services and Solutions for businesses from IT infrastructure design to cloud/hosted solutions, cybersecurity, disaster recovery and IT training.

Project Moore

Project Moore

Project Moore is an Amsterdam law firm specialising in IT-law and privacy.

T-REX

T-REX

T-REX is a coworking space, technology incubator, and entrepreneur resource center for technology startups.

VectorUSA

VectorUSA

VectorUSA is a premier technology solution provider. We design, build and maintain cybersecurity, data center, wireless and managed solutions – transforming business needs into technology solutions.

DataFleets

DataFleets

DataFleets is a privacy-preserving data engine that unifies distributed data for rapid access, agile analytics, and automated compliance.

CISO Global

CISO Global

CISO Global (formerly Cerberus Sentinel) are on a mission to demystify and accelerate our clients’ journey to cyber resilience, empowering organizations to securely grow, operate, and innovate.

GovernmentCIO

GovernmentCIO

GovernmentCIO was founded with a single purpose: to transform government IT. We are thought leaders in data analytics, machine learning, cybersecurity and IT transformation.

ITProTV

ITProTV

ITProTV is part of the ACI Learning family of companies providing Audit, Cyber, and IT learning solutions for enterprise and consumer markets.

Pathlock

Pathlock

Pathlock (formerly Greenlight) help enterprises and organizations automate the enforcement of any process, access, or IT general control, for any business application.

Mitigo Group

Mitigo Group

Mitigo offers a well considered and effective approach to keeping businesses completely secure from any digital attacks.

Seedcamp

Seedcamp

Seedcamp identify and invest early in world-class founders attacking large and global markets through disruptive technology in areas including AI, cybersecurity, and Fintech.

CYTUR

CYTUR

CYTUR provide trusted and secured maritime cybersecurity solutions to keep ships safe, protecting them, their crews, cargo and all stakeholders from maritime cyber threats.