Today it is possible to walk away with a tidy sum without ever touching the plaque on the bank building, especially when the bank operates a number of ATMs. These so-called logical attacks on ATMs are a "fashionable novelty" that is gradually becoming a new trend in attacks on financial organizations.
"Everybody down, this is a robbery!"
Ask anyone what first comes to mind when they hear the words "attack on a bank". Without hesitation, nine times out of ten people will recall a raid by a group of heavily armed men in black balaclavas. Imagination, and familiarity with the more or less decent specimens of Western cinema, will conjure up shouts of "Everybody down, this is a robbery!". Then the script follows: the noble intentions of the criminals, which arouse sympathy; the unexpected rescue of a hostage by one of the robbers; love, tears, and optionally a hero's death... Stop! Cut! Alas, fairy tales, even criminal ones, are possible only in the movies. Real life is far more prosaic. And even where an attack on a financial institution means a trivial raid on a bank, there is no romance in this crime. Physical violence usually ends in death for many, and the tears have nothing to do with love: behind them are horror, death and humiliation.
To begin with, let us understand which types of attacks on ATMs exist. There are two kinds: physical and logical.
Physical attacks on ATMs are:
— stealing the ATM itself (a long-known countermeasure to this kind of vandalism is a capsule of paint that "explodes" inside the dispenser at any attempt to force the ATM open and stains the banknotes, rendering them completely useless; not every device is equipped with it, however);
— blowing up the ATM with gas or explosives;
— robbing the cash-in-transit collectors.
The rapid growth in 2016 in the number of ATMs blown up in Russia was logically followed by the widespread adoption by credit institutions of explosion-resistant ATMs. This move was largely the reason that criminals rapidly switched from physical attacks to so-called logical attacks using malicious software. This is also reflected, among other things, in the sharp increase in the number of logical attacks with malware in Europe in 2016, which amounted to 287% compared with 2015.
Logical. Super
The first malware for ATMs appeared in the already distant year 2009. It was called Skimer, because it turned the ATM into the "skimmer" familiar to many: a device for stealing payment card data that reads information from the card's magnetic stripe. Skimer is widespread, and by 2016 it had been discovered on ATMs around the world, including in Russia. New modifications of Skimer continue to be recorded by experts everywhere.
Ploutus, a "Mexican" brother of Skimer, appeared in 2013 in Mexico and a few years later was seen in Eastern Europe. The "malware" is installed from a bootable CD, after which the cybercriminal can control the compromised ATM using the PIN pad or a plugged-in external keyboard. All of Ploutus's functionality is aimed at a single goal: withdrawing cash from the ATM. Simple and very dangerous.
NeoPocket is another "pest", found in 2014. It uses a "man in the middle" technique to intercept transaction data, using a setup key entered on an external keyboard.
In 2014 the financial world was stirred by news of major thefts of cash from ATMs in Eastern Europe and Southeast Asia. The cause was the malware Tyupkin (aka Padpin). A distinctive feature of this "pest" is its built-in two-factor authentication for gaining access to the ATM's control system. After the first key is entered on the PIN pad, the infected ATM displays a hidden panel for entering the second key. The attacker then gains access to the cash cassettes. While it "works", the server-side interfaces are disabled so that the security service does not react to the unauthorized dispensing of money.
In 2015 ATMs in Mexico were attacked by a new Trojan, GreenDispenser (literally, "green dispenser"). Soon the Trojan was discovered on ATMs in Eastern Europe. Experts of the Russian cybersecurity company Positive Technologies conducted a comprehensive investigation of the mechanisms and operating principles of GreenDispenser. Thanks to this investigation we are able to understand logical attacks, how they are organized and how complex they are to carry out.
The green dispenser
Every ATM is a computer, and as a rule it runs Microsoft Windows. Imagine a huge laptop in which, instead of USB ports and a CD drive (do those still exist?), a container of banknotes is attached, along with a keypad for entering the PIN, a pair of buttons at the sides, and slots for the bank card and for dispensing banknotes. For this "laptop" to communicate with all these devices it needs a special extension, just as a mouse needs a driver to be installed. In the case of ATMs the role of the driver is played by the Extension for Financial Services (XFS for short). The Trojan uses a special library of this extension (it comes to banks together with Microsoft Windows) and through it gains control of all the devices: the PIN pad, the cash slot, and so on. An ATM of almost any manufacturer can be attacked in this way, since the extension it relies on is one of the most common of its kind.
The question is: how does the criminal get access to the library? There are several ways, and they are striking in their simplicity:
— buy a decommissioned ATM for comprehensive study and further testing;
— bribe a bank employee, who can not only download the required library but also install the Trojan on the ATM;
— openly ask for the necessary files on one of the Internet forums devoted to banking.
Interestingly, the author of the Trojan is not involved in the theft itself. He handles the localization and support of his malicious offspring; his main goal is to sell the "product". These were the conclusions drawn from the results of the investigation.
Having obtained the Trojan and the support of its creator, the attackers face two non-trivial tasks:
1. How to install the Trojan on an ATM?
2. How to get the money out of the ATM?
The question is: who can install a Trojan on an ATM without arousing suspicion? Someone who has access to the ATM's service zone, for example a bank employee or a professional burglar. So the criminals need to find such a person.
Once the "hero" has been found and the ATM infected, the attackers proceed to the second part of the plan: withdrawing cash using the installed GreenDispenser Trojan. For the ATM hackers this stage carries the greatest risk. Judge for yourself: one must act precisely and quickly, in a high-risk environment, in full view of everyone, with the clock ticking. Yes, this is not an easy "job". But sympathy aside! It is time to introduce you to a new word.
Drop-stop, coming in from the corner
To withdraw cash from ATMs infected with GreenDispenser, cybercriminals use the services of so-called drops, or money mules (from the English "drop"). A drop's usual tasks are to receive money in his own name or to withdraw money from a card at an ATM; or, as in the case of an infected ATM, to receive money on command from the control interface of the program. As payment the drop keeps a share of the cashed-out money. The more infected ATMs need to be "serviced", the more drops the attacker needs.
To manage a team of drops there are "droppers", a sort of foremen. They recruit, train and coordinate the drops. The scenario is simple: the drop stands at the ATM, the ATM is infected with the Trojan, and the control interface is in the hands of the organizer of the theft. He tells the dropper the confirmation code, and the dropper passes this information on to the drop. Easy! But...
What about ordinary cardholders? They legitimately want to withdraw their honestly earned money, at any time of the day or night. Nobody is pushing them aside with the usual "you weren't standing here". They too want cash, and the ATM's reserves are thinning, which of course is not part of the cybercriminals' plans. To ward off such intruders, the attackers resort to one simple trick: after the Trojan is installed, the ATM screen displays a message about a device malfunction, localized for the specific country.
"We regret, this ATM is temporarily out of service", "ATM is temporarily not working", "Vybachte, bankomat tymczasowo not working"... Familiar? Next time, at the sight of the familiar lettering, you might inadvertently stop to think. To an ordinary passer-by an ATM with such an inscription looks like an ordinary faulty one. Nobody in their right mind would approach it and try to withdraw money. In actual fact the ATM is working, and at that very moment a heinous crime is being committed on it by the GreenDispenser malware, which, using XFS, has already gained control of the PIN pad and is waiting for the static PIN set by the Trojan's authors to be entered.
To ensure the uniqueness of the second PIN, GreenDispenser generates a random code, encrypts it with Microsoft CryptoAPI and then encodes it in Base64. The encoded PIN is displayed on the screen both as a string and as a QR code, in case the drop has no phone or the ATM screen is "shabby".
After authentication the drop enters the Trojan's management interface, in which the cash-withdrawal function becomes available. Having successfully withdrawn the cash, the drop, on the dropper's instruction, removes the Trojan from the system with the special utility SDelete. Today SDelete is actively used by attackers as an "anti-forensic" tool: after it has been applied, deleted files cannot be recovered, which greatly complicates forensic examination of the compromised system and hampers the investigation. SDelete can be run on the ATM in any "abnormal" situation: the drop has attracted unwanted attention, the drop does not have enough time for the withdrawal, the ATM has been hanging in "out of service" mode for too long, and so on.
Predictions, conclusions, recommendations
According to Positive Technologies' assessment, the total damage caused in incidents involving the GreenDispenser Trojan in 2015-2016 amounted to about 180 thousand dollars. This is, of course, a trifle compared with really large campaigns. But considering that hackers have only recently begun to use these methods, and against the background of the planned strengthening of protection of the safe holding the cash cassettes against explosions, this method may become widespread. Hence the damage will grow. Moreover, there is every reason to believe that cybercriminals are preparing fundamentally new malware that can be used for remote attacks on ATMs. This is evidenced by the increased interest in specialized communities in various kinds of system libraries used in ATMs.
Today it is obviously imprudent to rely only on competent protection against physical attacks on the ATM.
Of course, the money is still stored inside this iron cash box, and physical impact on it seems the self-evident route (but only at first glance). However, acting physically on such a machine is not easy. It is another matter entirely to take the money by gaining access to the computer that controls dispensing: no special force is needed here, and the probability of "getting caught" is much lower. And everything happens faster: it is enough for the criminal to connect to the ATM's computer using malware and empty the cash machine in minutes.
Some tips from the Positive Technologies team against logical attacks:
1. Keep track of the persons who have access to the service area.
2. Pay special attention to protecting the computer that manages all the equipment in the ATM, namely:
— prohibit the connection of external devices (mouse, keyboard) and booting from external media (flash drives, CDs), all of which an offender can use to gain control over the ATM's management;
— set a strong password for access to the BIOS so that an attacker cannot modify the system's boot configuration.
3. Install and correctly configure security software.
4. Conduct regular security analysis of ATMs in order to have up-to-date information about their security state and to minimize the probability of a break-in.
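The article describes three things a defender can watch for on the ATM's computer: the anti-forensic wipe with SDelete, code launched from external media such as a bootable CD or flash drive, and cash leaving the dispenser while the screen shows "out of service" without any card transaction behind it. The following detector is an added example written for this page, not code from the article or from Positive Technologies; the event-log format, the host names and all of the sample lines are constructed for the illustration, and the assumption that drive C: is the fixed system disk while D:, E: and F: are removable is stated in the code.

```python
"""Added example (not from the original article): scan constructed ATM-host
event lines for the signals the article describes and return alerts.
The log format below is invented for this example."""
import re
from dataclasses import dataclass

# Constructed sample log, one event per line: "<timestamp> <host> <event> key=value ..."
SAMPLE_LOG = """\
2016-03-01T10:00:01 atm-0421 screen_state state=out_of_service
2016-03-01T10:00:05 atm-0421 process_start image=D:\\setup\\update.exe parent=explorer.exe
2016-03-01T10:01:10 atm-0421 pin_entry length=8
2016-03-01T10:01:30 atm-0421 dispense amount=40000 currency=RUB auth=none
2016-03-01T10:02:00 atm-0421 process_start image=C:\\Temp\\sdelete.exe parent=cmd.exe
2016-03-01T10:05:00 atm-0119 card_read masked_pan=****1234
2016-03-01T10:05:02 atm-0119 dispense amount=5000 currency=RUB auth=host
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")
# Assumption for this example: C: is the fixed system disk, D:/E:/F: are removable.
REMOVABLE_PREFIXES = ("D:\\", "E:\\", "F:\\")
# Wiping tool named in the article; any execution on an ATM host is suspicious.
WIPE_TOOLS = {"sdelete.exe"}


@dataclass
class Event:
    ts: str
    host: str
    kind: str
    fields: dict


def parse_line(line):
    """Parse one event line into an Event, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, kind, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return Event(ts, host, kind, fields)


def detect(log_text):
    """Return a list of (host, rule, detail) alerts in the order they are found."""
    alerts = []
    state = {}  # per host: last screen state and whether a card was read since the last dispense
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        st = state.setdefault(ev.host, {"screen": "in_service", "card_seen": False})
        if ev.kind == "screen_state":
            st["screen"] = ev.fields.get("state", "in_service")
        elif ev.kind == "card_read":
            st["card_seen"] = True
        elif ev.kind == "process_start":
            image = ev.fields.get("image", "")
            name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in WIPE_TOOLS:
                # Anti-forensic wipe: the article's SDelete step after (or instead of) a cash-out.
                alerts.append((ev.host, "antiforensic_wipe", image))
            if image.upper().startswith(REMOVABLE_PREFIXES):
                # Code running from removable media, the path the article tells banks to block.
                alerts.append((ev.host, "exec_from_removable_media", image))
        elif ev.kind == "dispense":
            amount = ev.fields.get("amount")
            if st["screen"] == "out_of_service":
                # The "faulty" ATM is still paying out: the GreenDispenser cover story.
                alerts.append((ev.host, "dispense_while_out_of_service", amount))
            if not st["card_seen"] or ev.fields.get("auth") == "none":
                # Cash left the dispenser with no card transaction or host authorization.
                alerts.append((ev.host, "dispense_without_card_transaction", amount))
            st["card_seen"] = False
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_LOG):
        print(f"{host}: {rule} ({detail})")
```

On the constructed sample the detector raises four alerts, all for atm-0421, and none for atm-0119, whose dispense follows a card read and is host-authorized. In a real deployment the same rules would be fed from the ATM's process-creation auditing and the XFS application's own transaction log rather than from a hand-written file; the value of the out-of-service rule is that it catches the cover story itself, independent of which malware family is behind it.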
The future of cybercrime is not predetermined. Hackers are devising ever more sophisticated ways to attack financial institutions and financial equipment. But the developers of cybersecurity systems do not cease to be vigilant: experts conduct investigations and study the methods of cyber-attacks, which allows them to respond in time to the latest hacking techniques, create new protection systems, improve cybersecurity and prevent break-ins.
Vadim Kuznetsov, expert at Positive Technologies, for Banki.ru