Posted on March 31, 2013 9:19 pm

Russian malware spies on US ATMs

Security firm Group-IB has identified a malware program called Dump Memory Grabber that can take debit and credit card data from point-of-sale (POS) terminals and ATMs. The researchers say that the program has already been used to steal data from clients of US banks including Chase, Capital One, Citibank, and Union Bank N.A. as well as from clients with Nordstrom-branded cards.

SecurityWeek reports the author of Dump Memory Grabber has put a video online to teach other hackers how it works. The Windows program written in C++ reads the target system’s memory using an external tool called mmon.exe.

Dump Memory Grabber uses FTP to pass card and account numbers, user names, and card expiry dates on to a control server that is most likely run by Russian attackers. Group-IB says that several hundred POS terminals and ATMs in the US have been infected with the program.

Hints in the video lead to a Russian hacker who goes by “Wagner Richard” online and also offers denial-of-service attacks on a number of forums. According to the web site Security Affairs, Wagner Richard is a member of a seven-person cybercriminal group.

The Group-IB researchers believe that most of the POS terminals and ATMs were infected on site with help from insiders. Only a few of the systems – ones running Windows XP or Windows Embedded – were compromised from a distance. In some cases, the attackers made use of security vulnerabilities in the banks’ networks.

Just a few days ago, McAfee reported on a similar trojan, called VSkimmer, that is being sold on cracking forums. The developer of VSkimmer has already announced a successor to their creation that can apparently read chips on cards.

In Germany, for example, the Central Credit Committee does not allowPDF any POS terminals or ATMs that use Windows. With a middleman or manipulated terminals, however, it certainly wouldn’t be impossible to get access to card data and even PINs there, either.