Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet Security.ca and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet Security.ca today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

CD-ROM helps hackers in Mexico plant malware in bank ATMs

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.

October 11, 2013

The lack of the most basic security at Mexican banks has allowed cybercriminals to place their own malware-ridden CDs into ATM machines in order to gain control of the easily-compromized cash machines.

The so-called Ploutus malware was installed after criminals acquired access to the ATM’s CD-ROM drive and inserted a new boot CD into it.

The hacking attempt was possible because many ATMs in Mexico use a simple lock that is easily picked, allowing the attackers to gain physical access to the ATMs.

Attacks involving getting malware on ATMs are rare but far from unprecedented. Normally, all sorts of trickery is necessary before being able to get a trojan onto a target machine, but in Mexico, it's very easy.

Malware-based ATM scams have previously involved using corrupt insiders to infect hole-in-the-wall machines. Learning how an ATM machine works by posing as an repair technician is also unnecessary thanks to Ploutus. And you don't need a genius security researcher to develop a friendishly cunning ATM attack, either.

Schoolboy errors made the self-service ATM-pawning tactic all too easy for Mexican crooks. The extent of the resulting scam - either in terms of how much money was lost or how many machines were infected - still remains unclear for now.

But details of how the malware itself works are fairly well understood. Information security firm Trustwave has completed an analysis of the malware used in Mexico after obtaining samples of the malicious code.

Infected machines still carry out their normal functions of dispensing cash, but if a particular key combination is input into the compromised device, the attacker will be presented with a hidden GUI, written in Spanish, complete with drop-down menus apparently designed for a touch screen.

Once criminals input a passcode - derived from a fixed four digit PIN combined with the figures for the date and month – they obtain the ability to dispense money from the compromised ATM.

"If you are a bank or the owner/operator of ATMs in Mexico, you will want to closely examine your machines for evidence of tampering," says Josh Grunzweig, an ethical hacker in TrustWave's SpiderLabs team."

"Banks and ATM owner/operators outside of Mexico could also benefit from an inspection of their ATMs," he added.

"Examples of targeted malware like Ploutus serve as a reminder of the importance of a thorough security review of ATMs and the back-end systems connected to them," he added.

Grunzweig has put together a blog post explaining how the malware works - containing code snippets and a screenshot of the GUI cybercrooks are able to feast their eyes upon once the malware is installed on compromized cash machines.

This is ATM fraud without recourse to skimmers to harvest the card details of consumers or other more complex approaches. So far, Ploutus-based attacks were targeted against ATMs at off-premise locations, according to self-service device information security software developer SafenSoft.

"The emergence of new malware with ability to directly extract cash from ATMs is a very alarming sign for self-service device security," says Stanislav Shevchenko, chief technology officer at SafenSoft.

Malware like this allows the cybercriminals to skip the whole process of cash withdrawal they have to take part in after using traditional ATM trojans and skimmer-like devices to steal the plastic card information.

Additionally, by spreading malware like that criminals can easily bypass the traditional antivirus-based protection on the ATMs. If that trojan gets massively distributed, then any bank without specialized protection software on its ATMs will have a difficult time getting ahead," he added.

In other internet security news

It looks like Symantec is taking full credit for luring a the powerful Zero Access botnet into an effective sinkhole where it can't do anymore harm to internet users.

ZeroAccess has been active for the past two years already and is one of the largest known botnets in existence. It has upwards of 1.9 million infected computers and servers forming its nasty army, all remotely controlled by miscreants.

It's estimated that this group of computer robots is literally put to work generating tens of millions of dollars annually.

It's claimed that cyber criminals make money from the infected Windows machines by instructing the computers to virtually and fraudulently click on web adverts, thus ramping up income for an affiliate ad network or, to a lesser extent, mine for new Bitcoins.

By subverting the communications system used by the bots to organize, Symantec has sinkholed (IE- gained control or disabled) more than half a million bots, Symantec claims.

This will have made a serious dent in the number of zombie drones under the thrall of the ZeroAccess group. Symantec added that it's working with ISPs and government computer security teams such as CERT globally, in an effort to help get infected computers cleaned up as fast as possible.

ZeroAccess infects Microsoft-powered computers caught up in drive-by-downloads-- booby-trapped websites attempt to exploit security holes in web surfers' machines to install the malware.

It then uses a rootkit to hide itself from the operating system and the victim, set itself up on a secret file system, downloads yet more bogus software, then connects itself to other infected systems and opens up more backdoor access.

And the whole process is repeated over and over. The Zero Access botnet is very sophisticated and powerfully resilient, using a peer-to-peer architecture to communicate in the wild.

So it seems to enjoy a high degree of redundancy and no central command-and-control server for the good guys to target. As a result, nobody is under any illusions that Symantec's action has finally put an end to the zombie network.

More details and additional information on the takedown effort can be found in a blog post on Symantec's site.

In other internet security news

Leaked documents in the wild now provide evidence that GCHQ planted malware in the systems of Belgacom, the largest telecommunications company in Belgium.

According to slides obtained by NSA whistleblower Edward Snowden and supplied to German newspaper Der Spiegel, the attack targeted several Belgacom employees and involved planting hacking technology called 'Quantum Insert' which was developed by the NSA.

The attack technique surreptitiously directs victims to spook-run websites where they are exposed to secondary malware infection.

The ultimate goal of "Operation Socialist" was to gain access to Belgacom's Core GRX routers in order to run man-in-the middle attacks against targets roaming with smartphones.

The leaked documents reveal that spooks in Cheltenham were particularly interested in BICS - a joint venture between Belgacom, Swisscom and South Africa’s MTN - which provides wholesale carrier services to mobile and fixed-line phone companies around the world, including trouble spots such as Yemen and Syria.

BICS is among a group of companies that run the TAT-14, SEA-ME-WE3 and SEA-ME-WE4 cables connecting the United States, Britain, Europe, North Africa, the Middle East and Singapore to the rest of the globe.

Early goals for the spies included mapping its network to understand Belgacom's infrastructure as well as investigating VPN links from BICS to other telecoms providers. The leaked slides describe the exercise as already being a success and close to achieving its ultimate goal of compromising enough of Belgacom's infrastructure to run man-in-the-middle attacks.

One slide explains spooks had successfully compromised "hosts with access" to Belgacom's Core GRX routers, leaving them just one step away from their objective. The slides themselves aren't dated but other leaked documents date the compromise of Belgacom's systems to around three years ago in 2010.

In a statement issued earlier this week, Belgacom admitted its internal systems were compromised but played down the impact of the breach, saying that the intrusion didn't compromise the delivery of communications. It added that the intrusion is under investigation by Belgian law enforcement.

If GCHQ was indeed the agency concerned at that time, then this investigation is unlikely to go anywhere soon, and the most that can be expected is some sort of diplomatic complaint from Belgium to Britain, its EU and Nato partner.

We've asked Belgacom if it has any comment on Der Spiegel's revelations. In response, a spokesman supplied the following short statement which clarifies that Belgacom filed a criminal complaint in July shortly after detecting the hacking attmpts, and long before going public with the problem on Monday.

Belgacom said-- "We have filed on July 19 a formal complaint against an unknown third party and have granted since then our full support to the investigation that is being performed by the Federal Prosecutor."

Background on GRX (GPRS Roaming Exchange), a tasty target for signals intelligence types, can be found in a presentation put together by Philippe Langlois, founder and chief executive of P1 Security, from the Troppers security conference in Germany back in 2011.

In other internet security news

According to a recent study by online reputation–tracking firm Iovation, internet users who access the web through the anonymizing Tor network are much more likely to be hackers or other troublemakers than are typical people.

The company announced yesterday that about 30.2 percent of all transactions it logged as coming from the Tor network during the month of August were fraudulent, compared to about a one per cent fraud rate for internet transactions as a whole outside of the Tor system.

Tor disguises the source of internet connections by shuttling them through hard-to-follow network routes and assigning them IP addresses at random from a large pool of distributed IPs around the globe.

While it's not too difficult to tell whether a connection is coming from Tor, it's rather very hard to know just who is behind any given connection, or even where in the world they are located when they come from Tor.

For that reason, while Tor has often been used for political activism, whistleblowing, and other risky but laudable activities, it's also home to a shady underworld of less-praiseworthy dealings, ranging from drug trafficking to child pornography.

For example, the online black market Silk Road website conducts its business entirely over Tor. Online criminals have recently began experimenting with using Tor as a cover for other kinds of internet traffic, as well.

The number of clients accessing the network on a daily basis doubled in August when the Mevade.A botnent began using Tor to route its command and control data.

Iovation found that about 31.8 percent of all Tor transactions were suspect and that the company isn't just talking about sales on Silk Road, either.

"Transactions simply means any online action at one of our customer sites like online purchases, account registrations, credit applications, logins, wire transfers, comments, etc, etc" said Scott Olson, Iovation's vice president of product.

"Any interaction where fraud, abuse or other similar nature are of grave concern to all our subscribers," he added.

Iovation's Reputation Manager service can't identify individual Tor users, but it can spot traffic that originates from known Tor IP addresses, called "exit nodes."

To conduct its study, it analyzed 240 million transactions conducted in August 2013 and compared the fraud rate of Tor traffic to that of the whole internet.

Iovation is making the ability to identify Tor traffic generally available to its Reputation Manager customers at no charge.

"Tor in itself isn't a bad service," Olson said. "It can be used for positive things as well as fraudulent things. For our clients, they are concerned with mitigating risk and in this case, Tor is disproportionately associated with a much higher fraud rate for online purchases, account applications, logins, etc."

And Iovation isn't the first to identify this issue. As recently as August, the head of Russia's Federal Security Service said he would like to block Tor traffic at the national level as part of the country's anti-terrorism efforts.

Although blocking all Tor traffic would be challenging, blocking traffic that re-enters the mainstream internet via Tor exit nodes is comparatively easy.

Wikipedia prevents editing by Tor users, for example, and if Tor's reputation for being rife with bad actors grows, more sites may choose to do the same.

In other internet security news

According to new documents unearthed using the Freedom of Information Act, the NSA acquired professional computer and server hacking tools complete with their documentation from French security firm Vupen.

A bonafide contract shows the U.S. security agency paid for a whole year's supply of zero-day vulnerability information and the software needed to exploit those security holes to attack various electronic systems.

The documents, obtained by government transparency and accountability site MuckRock, show that the U.S. intelligence nerve-centre signed up to a one-year subscription to Vupen's “binary analysis and exploits service” in September 2012.

Vupen prides itself on advanced vulnerability research as well as selling software exploits for unpatched flaws in systems - known as zero-days - to governments. Several U.S. defense contractors and security startups, such as Endgame Systems, are also in the business of privately researching and selling information about software security vulnerabilities and associated attack code.

That U.S. government organizations may be among Vupen's customers' list isn't a surprise to most people in the internet security industry. The NSA, even though it has advanced offensive cybersecurity capabilities, not least in the shape of its Tailored Access Operations cyber-espionage unit, might still find it valuable to tap into external help from commercial providers such as Vupen.

"Likely reasons for NSA's subscription to Vupen's 0-day exploits could be-- 1) know what capabilities other governments can buy, and, 2) false flag, deniable cyber-ops," writes Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union.

"There are specific times when U.S. special forces use AK-47s, even though they have superior guns available. It's the same for the NSA's Vupen purchase. Deniability," he added.

Soghoian, who delivered a presentation about the exploit vulnerability marketplace at the recent Virus Bulletin conference, has previously likened the trade in software exploits to a trade in conventional weapons - think bullets, bombs and rockets.

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.

Source: TrustWave.

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

You can link to the Internet Security web site as much as you like.

















Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact
Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer






Click here to order our special clearance dedicated servers.


Get your Linux or Windows dedicated server today.





Click here to order our special clearance dedicated servers.





Click here to order our special clearance dedicated servers.