The emergence of sophisticated ATM malware in Belarus could spell trouble for English speaking countries...
By Kimberly Zenz
If you were an Eastern European ATM, you would be feeling nervous at the moment, and rightfully so.
First, Diebold warned Russian banks about malicious code installed their machines last January. Then in May, Trustwave reported on malware found on 20 ATMs in Russia and Ukraine, the earliest of which was first infected almost exactly two years ago, and which has been improved at least 16 times since then.
Now Belorussian ATMs face another wave of malicious code, infecting what appears to be a high number of ATMs in urban areas.
In the Belorussian case, victims attempting to withdraw funds first see an English-language message "please wait," after which victims are informed the money requested can not be provided due to insufficient funds.
The requested amount is then debited from their balance the next day.
Some users also report the remaining balance of their accounts disappearing the next day. Others report similar issues when attempting to pay with their debit card in a store. In addition to the problem that this presents in and of itself, anecdotal reports by Belorussian bloggers suggest that the code is quite widespread, especially in the capitol Minsk.
Exacerbating this is the response by the affected banks, confirmed to include the country's four largest, and the government, which is generally responsible for all forms of security in "Europe's last dictatorship".
As with the other Eastern European ATM troubles, the attackers in the Belorussian case must have access to the machine, suggesting insider involvement.
All of the ATMs thus confirmed infected belong to banks which have contracts with Belorussian Processing Center (BPTs), which would lead one to conclude the insider had access there. This is impossible to confirm, however, as the banks are silent and BPTs denies their machines are infected at all, insisting instead that the missing funds were caused by a "technical failure," and subsequently "defective software". BPTs went so far as to tell reporters on June 5th that these technical issues had been resolved, but victims continue to report lost funds.
The state (which controls one affected bank, the dominant Belarusbank), has been equally unhelpful. Two weeks ago it announced that it broke up nine groups of "international cyber criminals" targeting ATMs (and that such fraud, which they are on top of, is responsible for 96% of all cybercrime in the country. One supposes that state-sponsored attacks on opposition news outlets are not included), but nothing directly related to the current losses.
Last week's Ministry of Internal Affair operational meeting discussed cybercrime as well. There is no known law enforcement involvement, although it is possible that police and the banks are working behind the scenes to patch the ATMs and catch those responsible, albeit ineffectively
Secrecy and ineffectiveness is not restricted to cybercrime in Belarus, a situation reflected in a belief voiced by some victims of the ATM malware that the state was in fact stealing the money itself to fill holes in the budget brought about by the economic crisis.
While it is not the author's opinion that the state is responsible for the thefts, it does reflect the public's opinion of both their honesty as well as their capability to address the problem.
This is a problem for Belarus to be sure, but it is also a problem for those of us in wealthier countries. It is a common practice for cyber criminals in the Former Soviet Union to test and perfect new tactics or malcode closer to home, where they know the system better and are safer from investigations.
There is no reason to think that ATM malcode would be any different. True, insider access is necessary at this point, and that may be easier to obtain in Eastern Europe, but it is possible to get elsewhere, and, as Trustwave found, improvements are constantly introduced. That the Belorussian malcode uses English as its language and not Belorussian or Russian suggests that its creators may have similar plans.
Kimberly Zenz is an analyst with iDefense. She specialises in the analysis of cybercrime in the former USSR.