Well it seems ATM skimming has resurfaced with the clever criminals finally gaining the ability to remove the anti-skimming devices and modify them to their own nefarious ends.

Banks in Europe are seeing innovative skimming attacks against ATMs, where fraudsters rig special devices to the cash machines to record payment card details.

Many banks have fitted ATMs with devices that are designed to thwart criminals from attaching skimmers to the machines. But it now appears in some areas that those devices are being successfully removed and then modified for skimming, according to the latest report from the European ATM Security Team (EAST), which collects data on ATM fraud throughout Europe.

Skimming devices are designed to record the account details from the magnetic stripe on the back of a payment card. The data can then be encoded onto a dummy card. A person’s PIN (personal identification number) is often captured with a micro-camera, which was done with the illicitly modified anti-skimming devices, according to the report.

Banks in five countries also reported seeing a new type of skimming device, which uses a modified MP3 player to record card details. It also has a micro-camera to record PINs, according to a photo seen by IDG News Service

The advantage of ATM skimming rather than just plain old hacking the data online is that with the placement of a small camera you can also record the PIN number associated with each card – so after cloning it you can actually use it to withdraw money from the ATM.

It seems like the new skimming devices are much more high tech and also use off the shelf components, such as an MP3 player.

EAST doesn’t reveal which banks noticed the fraud or the country in which it occurred. EAST only notes whether the attack occurred in a country that is a “major deployer” of ATMs — where there are more than 40,000 machines in the country. Those countries include France, Germany, Spain, Russia and the U.K.

Installing malicious software on an ATM is a more sophisticated way to execute fraud. One country of the five major deployers saw this style of attack, which was first seen in Eastern Europe in 2007.

ATMs often run operating systems such as Microsoft’s Windows CE and are vulnerable to attacks executed remotely and by people who break into the machines to install malware. Both kinds of attacks were demonstrated by security researcher Barnaby Jack at the Black Hat conference in Las Vegas in July.

European banks haven’t seen a new kind of attack called “shimming.” This attack involved inserting an extremely thin plastic circuit board into a point-of-sale device or ATM. It then can record data either on the card itself or transmit the data using a wireless transmitter. Due to the design of ATM machines in Europe, “we don’t think shimming is an ATM threat,” said Lachlan Gunn, EAST’s coordinator.

They haven’t really released any details such as which banks were effected or even which countries the skimming attacks took place in. There has actually been a record number of skimming attempts this year but the losses have dropped.

I’d guess that would be due to the new security-measures built into the EMV (Europay, Mastercard, Visa) ATM cards which have a chip built in that EMV compliant ATM machines can scan and verify.

Source: Network World

In more recent months it was noted that Zeus has become more focused and variations of Zeus were found to be targeting banks and financial organisations in specific geographic regions.

The latest news is both in the UK and US charges and arrests have been carried out on people involved in the Zeus ring that has been stealing money. Some reports claim the ring has stolen up to 200 Million USD since 2006, quite a substantial amount. In the UK alone they have netted £6m in the past 3 months and were all caught in the Essex region.

U.S. authorities have charged more than 60 people in connection with the money-stealing Zeus Trojan program, according to the U.S. Department of Justice. The arrests follow a Tuesday U.K. sweep that led to 11 charges against Eastern European citizens thought to be involved in moving stolen funds out of the country.

Zeus has been a major problem for computer users and financial institutions over the past few years. Once installed on the victim’s PC, the malware can be used to log into a victim’s bank account and transfer funds to another account controlled by the criminals. The malicious software is sold in black market forums and there are more than a dozen Zeus gangs in operation worldwide. Security experts say that the gangs have netted more than US$200 million since Zeus was discovered in 2006.

The U.S. arrests involve so-called money mules, people who are paid to set up accounts that receive stolen funds and then move the money out of the country, typically via a wire service such as Western Union. The DOJ has scheduled a press conference in Manhattan on Thursday afternoon to further discuss the arrests.

All the individuals involved seem to be Eastern European/Russian, this is true for both the US and UK arrests – Police charge 11 over Zeus cybercrime scam in UK.

You can see a list of the people still wanted by the FBI here – Wanted by the FBI for Federal Cybercrime Charges.

It’s good to see this kind of fraud being taken seriously as it is damaging to the economy, the banks and the consumers themselves. Even if protected by insurance it’s a long winded and time intensive process to claim back and money lost to fraud.

According to documents seen by IDG News Service, prosecutors have filed a total of 26 complaints. Investigators from the agencies including the U.S. Federal Bureau of Investigation and State Department special agents describe in the complaints an elaborate network used to launder funds stolen by the Zeus malware.

One of the complaints describes in-depth the use of money “mules” in order to facilitate the transfer of funds into criminal accounts. Mules agree to allow funds to be transferred out of victims’ accounts into their own accounts. Those funds are typically quickly withdrawn and wired elsewhere before banks detect the fraud.

But that was a risky job, involving withdrawing cash from the banks either in person or visiting cash machines, both of which would be under video surveillance.

“The mule organization typically recruited mules from Eastern Europe who were either planning to travel to or were already present in the United States on J1 visas,” according to the complaint lodged against three individuals: Artem Semenov, Almira Rakhmatulina and Julia Shpirko.

The J1 visa is a non-immigrant visa granted to people such as students. When those mules arrived in the U.S., they were given fake foreign passports in order to open more bank accounts. Stolen funds were transferred to those accounts in amounts close to $10,000, according to the complaint.

Most of them seem to be operating in the same way, entering the US under student visas then opening bank accounts with fake passports, laundering the money in small amounts so as not to trigger banking alerts (less than $10,000) then keeping a small cut and sending most of the money off to some larger organisation.

More from The Register here – Feds accuse 37 of being Zeus ‘money mules’

I’m guessing there will be a lot of news about this and more details will be exposed in the following weeks.

Source: Network World

It’s seems like a new hacker is in the sights of the US Government, this time it’s Ehud Tenenbaum AKA ‘The Analyzer’.

He seems to have been quite sloppy about covering his tracks and remaining under the radar, he acts as if no-one can get him. Perhaps he knows something we don’t?

Anyway he’s firmly under investigation now having first popped onto the radar 10 years at the age of 19 for hacking into Pentagon computers.

Ehud Tenenbaum, an Israeli hacker arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks, also allegedly hacked two U.S. banks, a credit and debit card distribution company and a payment processor in what U.S. authorities are calling a global “cashout” conspiracy.

The U.S. hacks have resulted in at least $10 million in losses, according to court records obtained by Threat Level, and are just part of a larger international conspiracy to hack financial institutions in the United States and abroad.

The broadened case highlights the continued vulnerability of U.S. financial networks to cybercrime, despite supposedly tight industry security standards. It comes on the heels of other multimillion-dollar heists that also breached the security protecting ATM codes and account information. In late 2007, criminals used four hacked iWire payroll cards to steal $5 million from ATMs around the world in just two days. Shortly thereafter, a processing server that handles withdrawals from Citibank-branded ATMs at 7-Eleven convenience stores was cracked, leading crooks to converge on New York to withdraw at least $2 million from Citibank accounts using the stolen ATM data. And a carefully coordinated global heist last November resulted in a one-day haul of $9 million in cash, following a breach at payment processor RBS WorldPay.

It seems like the US banking system has some major problems, with all their self-invented, self-imposed regulations (SOX, PCI, ISO27001 etc.) you’d think they would be more secure.

Obviously all these regulations and reams of paperwork are just making things worse, burying problems under tonnes of dead trees really doesn’t help.

It’s a very International crime network with participants all over the World including Dutch servers and hackers in Russia and Turkey.

According to the affidavit, in October 2007, the United States Secret Service began investigating “an international conspiracy” to hack into computer networks of U.S. financial institutions and other businesses. As part of that investigation, agents examined network intrusions that occurred in January and February 2008 at OmniAmerican Credit Union, based in Fort Worth, Texas, and Global Cash Card of Irvine, California, a distributor of prepaid debit cards used primarily for payroll payments.

In both cases, the attacker gained access using a SQL injection attack that exploited a vulnerability in the company’s database software. The attacker grabbed credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs.

In April and May 2008, agents investigated two additional hacks at 1st Source Bank in Indiana, and at Symmetrex, a prepaid debit card processor based in Florida. The intruder again used a SQL injection attack, and losses added up to more than $3 million.

It seems like this might have been going on for some time, he managed to pull similar stunts in both Canada and the US and perhaps even Greece too.

I wonder where he is now, and where he’s going to hit next. Or perhaps he won’t, he must have plenty of cash to lay low in some country with no extradition treaty with the US.

Do read the whole article as it’s very interesting.

Source: Wired Blog