September 2, 2010


Eye on Security: ‘Unique’ ATM Malware; Theft of Sony Card Data

(June 4, 2009) Malicious software has been discovered on some Eastern European ATMs that has dangerous new powers to extract money as well as card data, according to a security executive. Meanwhile, Sony Corp. of America has confirmed that someone illicitly copied more than 5,000 credit card numbers of its customers who visited its Sony Rewards Web site.

Chicago-based Trustwave, a big consulting and security-assessment firm for the payments industry, on Wednesday issued a warning about the malware, which was planted on about 20 ATMs in Russia and Ukraine that ran on Microsoft Corp.’s Windows operating system. Several banks called the firm to investigate after they noticed unusual activity on their ATMs earlier this spring, says Nicholas Percoco, vice president and head of Trustwave’s SpiderLabs investigative and testing unit.

A probe found that the ATMs had been tampered with by an insider, perhaps a bank employee or former bank employee—someone who was able to open them without damaging them, according to Percoco. The malware allowed unsuspecting customers to make transactions as usual. All the while, the malware was capturing Track 2 magnetic-stripe card data—including account numbers, verification codes, and expiration dates—and PIN blocks, which contain encrypted PINs, Percoco tells Digital Transactions News. The fraudsters had a process for decrypting the PIN blocks, Percoco says without giving details.

But this malware stands out not because of its data-gathering capabilities, but for what it could do on the retrieval end, where criminals harvest cash and the information they’ve collected. The software, with a customized user interface, was programmed to respond to two types of “trigger” cards. One, what Percoco calls a single-function card, could enlist the ATM’s receipt printer to print statistical information pertaining to the ATM, reboot the machine or even tell it to delete the malware.

A second, so-called multifunction or master trigger card, would allow the fraudster to print every captured account number and PIN through the receipt printer. One version of the malware, apparently incomplete, was intended to enable the transfer of that data onto a chip card. “The option was there, but it wasn’t fully functional yet,” Percoco says.

The multifunction card also could tell the ATM to dispense every bill in its cash trays without debiting any of the stolen account numbers. Depending on its currency mix, a fully loaded ATM can hold $400,000 or more, according to Percoco. “We’ve done a lot of investigations in a lot of different environments—this is very, very unique,” he says.

While the malware was found on only a small number of machines thousands of miles from North America, it is of concern to U.S. bankers not only because of its new capabilities, but also because fraudsters easily move their malware around the world through the Internet, Percoco says. “You typically see it happen in one region of the world; there is no reason this wouldn’t come to the United States,” he says.

Trustwave would not identify the banks involved or the ATM brands, but says they were older models made by multiple manufacturers. The company also wouldn’t say if U.S. authorities are investigating.

Meanwhile, Sony Corp. of America tells Digital Transactions News that card data on 5,200 customers who used the electronics giant’s Sony Rewards Web site between Feb. 1 and April 30 were copied without authorization. Police have arrested a person in New Jersey in connection with the incident, a spokesperson for Park Ridge, N.J.-based Sony says by e-mail. The spokesperson refused to give details about the person arrested. “This matter is currently under investigation by law-enforcement officials so we are not able to comment,” she says. But the DataBreaches.net Web site claims the suspect was arrested in Sony’s offices, implying an insider theft. An officer for the Park Ridge Police Department refused to release information about the case over the phone.

The incident became public when the Open Security Foundation’s DataLossDB Web site on Wednesday published a May 28 letter from Sony to the New Hampshire attorney general’s office regarding how the incident affected that state’s residents. In the letter, a Sony executive said that on May 13, Sony’s Card Marketing and Services Co. (CMSC) “discovered that unauthorized copies were made of certain credit card numbers, with associated names and expiration dates, and in some cases, e-mailed to an account outside of the Sony Rewards network without authorization.” The incident occurred at CMSC headquarters and affected 16 cards held by New Hampshire residents, the letter says. Sony said it was unaware of any resulting fraud.

The spokesperson says the potentially compromised cards include some of Sony’s cobranded Visa cards issued by JPMorgan Chase & Co., Visa cards from other issuers, and American Express, MasterCard, and Discover cards. Sony’s letter says the company has informed “all relevant card companies” and would inform cardholders by mail this week. Sony will give cardholders a year’s free access to a credit-monitoring service.

The spokesperson gave little information about the incident. “Sony security systems uncovered the breach,” she says. “This was an isolated incident as Sony takes great care in maintaining the security of credit card information by implementing appropriate technology and internal procedures.”







Copyright 2010 by Boland Hill Media LLC. All the text, graphics, audio, design, software, and other works are
the copyrighted works of Boland Hill Media LLC. All rights reserved. Any redistribution or reproduction of any
materials herein is strictly prohibited.