The U.S. Secret Service is warning financial institutions about a recent uptick in a form of ATM skimming that involves cutting cupcake-sized holes in a cash machine and then using a combination of magnets and medical devices to siphon customer account data directly from the card reader inside the ATM.
According to a non-public alert distributed to banks this week and shared with KrebsOnSecurity by a financial industry source, the Secret Service has received multiple reports about a complex form of skimming that often takes thieves days to implement.
This type of attack, sometimes called ATM “wiretapping” or “eavesdropping,” starts when thieves use a drill to make a relatively large hole in the front of a cash machine. The hole is then concealed by a metal faceplate, or perhaps a decal featuring the bank’s logo or boilerplate instructions on how to use the ATM.
Skimmer thieves will fish the card skimming device through the hole and attach it to the internal card reader via a magnet.
Very often the fraudsters will be assisted in the skimmer installation by an endoscope, a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body. By connecting a USB-based endoscope to his smart phone, the intruder can then peek inside the ATM and ensure that his skimmer is correctly attached to the card reader.
The Secret Service says once the skimmer is in place and the hole patched by a metal plate or plastic decal, the skimmer thieves often will wait a day or so to attach the pinhole camera. “The delay is believed to take place to ensure that vibrations from the drilling didn’t trigger an alarm from anti-skimming technology,” the alert reads.
When the suspect is satisfied that his drilling and mucking around inside the cash machine hasn’t set off any internal alarms, he returns to finish the job by retrofitting the ATM with a hidden camera. Often this is a false fascia directly in front of or above the PIN pad, recording each victim entering his or her PIN in a time-stamped video.
In other cases, the thieves may replace the PIN pad security shield on the ATM with a replica that includes a hidden pinhole camera, tucking the camera components behind the cut hole and fishing the camera wiring and battery through the hole drilled in the front of the machine.
It’s difficult to cite all of the Secret Service’s report without giving thieves a precise blueprint on how to conduct these attacks. But I will say that several sources who spend a great deal of time monitoring cybercrime forums and communications have recently shared multiple how-to documents apparently making the rounds that lay out in painstaking detail how to execute these wiretapping attacks. So that knowledge is definitely being shared more widely in the criminal community now.
Overall, it’s getting tougher to spot ATM skimming devices, many of which are designed to be embedded inside various ATM components (e.g., insert skimmers). It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another machine. Use only ATMs in public, well-lit areas, and avoid those in secluded spots.
Most importantly, cover the PIN pad with your hand when entering your PIN: That way, even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution.
Sure, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers). Done properly, covering the PIN pad with your hand could even block hidden cameras like those embedded in the phony PIN pad security shield pictured above.
Tiny Chinese spy chips were embedded onto Super Micro motherboards that were then sold to companies in the US, including Amazon and Apple, reports Bloomberg. The report has attracted strenuous denials from Amazon, Apple, and Super Micro.
Bloomberg claims that the chips were initially and independently discovered by Apple and Amazon in 2015 and that the companies reported their findings to the FBI, prompting an investigation that remains ongoing. The report alleges that the tiny chips, disguised to look like other components or even sandwiched into the fiberglass of the motherboards themselves, were connected to the management processor, giving them far-reaching access to both networking and system memory. The report says that the chips would connect to certain remote systems to receive instructions and could then do things like modify the running operating system to remove password validation, thereby opening a machine up to remote attackers.
The boards were all designed by California-based Super Micro and built in Taiwan and China. The report alleges that operatives masquerading as Super Micro employees or government representatives approached people working at four particular factories to request design changes to the motherboards to include the extra chips. Bloomberg further reports that the attack was made by a unit of the People’s Liberation Army, the Chinese military.
In response to the discovery, Apple is reported to have scrapped some 7,000 Super Micro servers in its data centers, and Amazon sold off a Chinese data center. Apple ended its relationship with Super Micro in 2016, although it maintains that this was for unrelated reasons.
Super Micro, Apple, and Amazon all deny every part of the Bloomberg story. Amazon says that it’s untrue that “[Amazon Web Services] worked with the FBI to investigate or provide data about malicious hardware;” Apple writes that it is “not aware of any investigation by the FBI,” and Super Micro similarly is “not aware of any investigation regarding this topic.” Apple suggests further that Bloomberg may be misunderstanding the 2016 incident in which a Super Micro server with malware-infected firmware was found in Apple’s design lab.
Apple’s denial in particular is unusually verbose, addressing several different parts of the Bloomberg report explicitly, and is a far cry from the kind of vague denial that one might expect if the company were subject to a government gag order preventing it from speaking freely about the alleged hack.
It happens all across central Florida this time of year, the day after a giant thunder storm you try to turn on your computer only to find it’s dead. It’s just part of life in the lightning capital of the world. Many people make the mistake of thinking the computer is going, destroyed, not worth fixing. This could not be further from the truth. Often the damage from lightning strikes is minimal and easy to fix in under an hour. We have all the parts needed to repair most computers after a lightning strike on hand and waiting to fix your computer.
If victims didn’t pay up, callers threatened arrest, deportation, or heavier fines. There were also related scams involving fake payday loans and bogus US government grants, according to the criminal complaint.
The lead defendant was Miteshkumar Patel, who was given 20 years.
According to the Department of Justice, Patel was the manager of a Chicago team of “runners” that helped receive and launder the proceeds of their fraud scheme.
Patel was part of a new group of 21 defendants that were sentenced last week in federal court in Houston.
“The stiff sentences imposed this week represent the culmination of the first-ever large scale, multi-jurisdiction prosecution targeting the India call center scam industry,” Attorney General Jeff Sessions said in a statement issued last week, shortly after the new sentences were handed down.
“This case represents one of the most significant victories to date in our continuing efforts to combat elder fraud and the victimization of the most vulnerable members of the US public.”
The Department of Justice has set up a website to provide information about the case to already identified and potential victims, and the public.
Anyone who believes they may be a victim of fraud or identity theft in relation to this investigation or other telefraud scam phone calls may contact the Federal Trade Commission via this website.
The Internet is awash with covert crypto currency miners that bog down computers and even smartphones with computationally intensive math problems called by hacked or ethically questionable sites.
Last week, researchers from security firm Sucuri warned that at least 500 websites running the WordPress content management system alone had been hacked to run the Coinhive mining scripts. Sucuri said other Web platforms—including Magento, Joomla, and Drupal—are also being hacked in large numbers to run the Coinhive programming interface.
Earlier this month, political fact-checking site hosting Coinhive scripts in a way that exhausted 100 percent of visitors computing resources. A PolitiFact official told Ars the incident occurred when “an unidentified hacker attached a crypto mining script to the PolitiFact code base being stored on a cloud-based server.” The code has since been removed and was active only when people had a window open in their browser.was found
Don’t look, don’t tell
Coinhive presents its service as a way end users can support sites without viewing online ads, which are often criticized for containing malware that surreptitiously infects visitors with ransomware, password stealers, and other malicious wares. And in fairness, the service only consumes 100 percent of a visitor’s computing resources when the Coinhive’s interfaces are being abused. Still, Coinhive doesn’t require third-party sites to tell visitors their computers and electricity are being consumed in exchange for visiting the site. Coinhive has also done nothing to prevent sites from abusing its programming interface in a way that completely drains visitors’ resources.
Ad blocker AdGuard recently reported that 220 sites on the Alexa top 100,000 list serve crypto mining scripts to more than 500 million people. In three weeks, AdGuard estimated, the sites generated a collective $43,000. Both AdGuard, antimalware provider Malwarebytes, and a variety of their peers have recently started blocking or restricting access to Coinhive crypto mining. Both AdGuard and Malwarebytes give end users who want to support a site using Coinhive the option of accessing the mining script. In announcing the move, Malwarebytes wrote:
Coinhive’s massive Web audience isn’t lost on other companies. Collin Mulliner, a security researcher and developer of TelStop, said he recently received an e-mail from a startup called Medsweb inviting him to integrate a Monero miner into his creation. “If your app is deployed on thousands/millions of devices, you can monetize it with monero mining and earn really huge income,” the unsolicited e-mail stated. “We manage all the complexity of backend servers and mining operations and you get a really simple control panel to monitor your hashrate and earnings.”
Malwarebytes noted that Coinhive recently introduced, a service that requires third-party sites received explicit permission of end users before using their computers to mine digital coins. But the antimalware provider went on to point out that remains active and continues to require no end-user notice at all. As the recent discovery of the Android apps and the more than 500 hacked websites makes clear, Coinhive continues to turn a blind eye to the abuse of its service in much the way adware providers did in the early 2000s.