ATMs in Eastern Europe have been infected with a sample of Windows malware that enables criminals to harvest card data and PIN codes via the machine's recipt printer.
The malware - uncovered by UK-based Trustwave - is installed and activated through a dropper file by the name of isadmin.exe and has been found on machines running the Windows XP operating system. Once installed, the attacker can interact with the ATM by simply inserting a controller card and accessing an array of command options via the machine's keypad.
Trustwave says the command options allow for the output of harvested magstripe card data via the ATM's receipt printer or by writing the data to an electronic storage device using the machine's card reader. Analysts also discovered code indicating that the malware could eject the cashdispensing cassette.
Trustwave recommends that all financial institutions perform analysis of their ATM environment to identify if this malware or similar malware is present.
In a statement, the company says: "Trustwave collected multiple version of this malware and therefore, feels that over time it will evolve. It will also begin to propagate to a more wide-spread population of ATMs, thus a proactive approach in prevention and identification will be necessary to prevent future attacks."
Read the full Trustwave analyst briefing document:Download the document now 76.1 kb (PDF File)