May 19, 2016
Kaspersky Lab has released information about a Russian-speaking "Skimer" group that forces ATMs to assist them in stealing users' money. Instead of installing skimmer devices onto an ATM, the gang turns the ATM itself into a skimmer.
Discovered in 2009, Skimer malware was the first malicious program to target ATMs. Now it has resurfaced as an advanced threat to banks and their customers around the globe.
The Skimer group begins an operation by gaining access to the ATM system — either physically or via the bank's internal network — in order to upload Backdoor.Win32.Skimer malware.
Once installed on the system, the program infects the core of the ATM, the component responsible for the machine's interactions with the bank's infrastructure, cash processing and payment cards.
Having turned the entire ATM into a skimmer, the gang is able either to withdraw all the funds in the ATM or to grab data, including bank account numbers and PINs, from bank cards used at the machine. Because no skimmer device is attached to the ATM, the operation is virtually impossible to detect by inspection, according to Kaspersky Lab.
Of course, a direct money withdrawal from the ATM cassettes would reveal criminal activity with the first cashout. Instead, the criminals often let the malware operate on the infected ATM, skimming data from cards for several months without taking any other action.
When the cybercriminals decide to wake up the malware, they insert a card that contains certain records on the magnetic stripe. After reading the records, Skimer can either execute the hardcoded command, or request commands through a special menu activated by the card.
Skimer's graphic interface appears on the display only after the card is ejected, and only if the criminal types the session key into the PIN pad within 60 seconds. This brings up a menu of 21 different commands, including directions to dispense money (40 bills from the specified cassette), collect details of inserted cards, self-delete, and update the malware (from code stored on the card's chip).
Skimer can save the file containing card details and PINs onto the card's chip, or it can print this information onto the ATM's receipt paper.
In the majority of cases, criminals choose to wait and collect the skimmed data in order to create counterfeit cards later. These are used on other, noninfected ATMs to withdraw money from customer accounts. This gives the criminals access to easy cash without giving away the malware-infected ATM.
Accomplished thief
Skimer was distributed extensively between 2010 and 2013. Its appearance was followed by a drastic increase in the number of attacks against ATMs; Kaspersky Lab has since identified at least nine different ATM malware families, including Tyupkin, the most widespread of them.
Kaspersky Lab now identifies 49 modifications of Skimer malware, 37 of which target ATMs of one major manufacturer (whose identity Kaspersky did not reveal). The most recent version was discovered in early May.
Kaspersky Lab has detected a wide geographical distribution of potentially infected ATMs. The 20 most recent samples of the Skimer family were submitted from more than 10 countries, including Brazil, China, the Czech Republic, France, Georgia, Germany, Macao, the Philippines, Poland, Russia, Spain, the United Arab Emirates and the United States.
Proactive defense
To counter this threat, Kaspersky Lab recommends regular AV scans, accompanied by application whitelisting; a good device management policy; full disk encryption; password protection of the ATM's BIOS; restricting the ATM to boot only from its own hard disk; and isolation of the ATM network from any other internal bank network.
And banks and ATM operators can implement one more important countermeasure against this particular threat. They can comb their transaction-processing systems for a telltale group of nine numbers, said Sergey Golovanov, principal security researcher at Kaspersky Lab:
Backdoor.Win32.Skimer checks the information (nine numbers) hardcoded on the card's magnetic strip in order to determine whether it should activate. We have discovered the hardcoded numbers used by the malware, and we share them freely with banks. After the banks have those numbers they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules, or block any attempts by attackers to activate the malware.
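The search Golovanov describes, and the magnetic-stripe activation records mentioned earlier, amount to one check: look for a known nine-digit activation string inside the track data that the ATM or the processing host logged for each card. The following is an added example of that check written for this article, not Kaspersky Lab's tooling. The activation codes, the pipe-delimited log format and the log lines themselves are all constructed placeholders; the real values are shared with banks only and are not reproduced here.

```python
"""Scan card-transaction logs for track data carrying a known Skimer
activation string.  Added example; not Kaspersky Lab's code."""
import re
from collections import defaultdict

# ASSUMPTION: placeholder activation strings.  The real nine-digit values
# are shared with banks under NDA and are not public.
ACTIVATION_CODES = frozenset({"123456789", "987654321"})

# Constructed sample of a pipe-delimited transaction log:
#   timestamp|terminal_id|track2|result
# (format and content are invented for this example)
SAMPLE_LOG = """\
2016-05-02T09:14:03Z|ATM-0417|4111111111111111=2512101987654321|APPROVED
2016-05-02T09:15:41Z|ATM-0417|5500000000000004=2309101123456789|DECLINED
2016-05-02T09:16:10Z|ATM-0932|4000000000000002=2706101000000000|APPROVED
2016-05-02T09:17:55Z|ATM-0417|123456789=0000|DECLINED
"""

# Lookahead so that overlapping nine-digit windows are all captured.
NINE_DIGITS = re.compile(r"(?=(\d{9}))")


def nine_digit_windows(track):
    """Every nine-digit substring of the track data.

    The stripe field Skimer reads is not documented, so the marker is
    matched anywhere in the track rather than in one fixed position.
    Digits separated by '=' or other separators are never joined."""
    return {m.group(1) for m in NINE_DIGITS.finditer(track)}


def parse_line(line):
    """Split one constructed log record into its four fields."""
    ts, terminal, track2, result = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "terminal": terminal, "track2": track2, "result": result}


def scan_log(text, codes=ACTIVATION_CODES):
    """Return {terminal_id: [(timestamp, matched_code), ...]} for every
    record whose track data contains one of the activation strings.

    Terminals that appear here are candidates for an infected ATM; the
    card used is a candidate activation card (and its holder a mule)."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for code in sorted(nine_digit_windows(rec["track2"]) & codes):
            hits[rec["terminal"]].append((rec["ts"], code))
    return dict(hits)


if __name__ == "__main__":
    for terminal, events in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{terminal}: possible Skimer activation card, {len(events)} event(s)")
        for ts, code in events:
            print(f"  {ts}  marker {code}")
```

Two practical points. First, the match is run over every nine-digit window of the track, not one fixed field, because the public description only says the marker is "on the magnetic stripe"; this makes the check robust to layout but means a legitimate card whose discretionary data happens to contain the same digits will also be flagged, so a hit is a triage signal that should be confirmed by examining the terminal, not an automatic block. Second, because the activation card is read by the ATM before the malware takes over, the same search is worth running on the processing host and switch logs, which is exactly where Golovanov suggests banks look: a terminal that keeps logging declined or unusual reads of such a card is the one to pull for forensic imaging.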
As the Skimer investigation is ongoing, Kaspersky has shared its full report only with a closed audience consisting of law enforcement agencies (LEAs), CERTs, financial institutions and Kaspersky Lab threat intelligence service customers.
Read a blog post about the ATM infector.