Windows XP cash machines can steal your PIN

IT WIRE
It is bad enough that the bad guys constantly try and phish your financial data via email and fake websites, now cash machines are getting in on the act.

The Trustwave SpiderLabs, an outfit that deals with everything from ethical hacking through to incident response and security forensics, is warning that the bank cash machine network is at risk from a malware attack that collects PIN numbers.

The SpiderLabs team reports that it has been able to perform an analysis of the malware, which had been discovered on compromised East European cash machines running Windows XP.

The malware was able to capture the magnetic stripe data from the private memory space of transaction-processing applications that were installed on these compromised ATMs, along with PIN codes for good measure.

Courtesy of some advanced management functionality found within the malware code, the attackers are able to control the compromised cash machines via a customised interface which can be accessed by simply inserting a controller card into the ATM card slot.

The stolen data can then be printed using the receipt printer built into the ATM, or output via the card reader to a suitable storage device. SpiderLabs do not believe that there is any networking functionality built into the malware, however.

I understand that the malware can be installed, and activated, by way of a Borland Delphi Rapid Application Development executable that replaces the original isadmin.exe utility file. Executing this dropper produces the malware file within the C:\WINDOWS directory of the machine.

This is not the first time that ATM security has left customers vulnerable nor will it be the last.

Trustwave warns it "highly recommends ALL financial institutions with ATMs under management perform analysis of their environment to identify if this malware or similar malware is present. Trustwave collected multiple version of this malware and therefore, feels that over time it will
evolve."