
Kaspersky Lab reports on malicious program that targets ATMs

Imagine this situation: a bank discovers it has been attacked. But, strangely, no money has been stolen, and nothing seems to have been modified in the bank’s system. The criminals have just left. But could this be true?

A Russian-speaking group behind the Skimer malware forces ATMs to assist them in stealing users' money. Discovered in 2009, Skimer was the first malicious program to target ATMs. Seven years later, cybercriminals are re-using the malware, though this time both the crooks and the program have evolved, posing an even more advanced threat to banks and their customers around the globe.


It was a challenge to find the reason for such unusual criminal activity. But during an incident response investigation, Kaspersky Lab's expert team cracked the criminal plot and discovered traces of an improved version of the Skimer malware on one of the bank's ATMs. It had been planted there and left inactive until the cybercriminals sent it a command, which serves to hide their tracks.

The Skimer group starts its operations by getting access to the ATM system – either through physical access, or via the bank’s internal network. Then, after successfully installing Backdoor.Win32.Skimer into the system, it infects the core of an ATM – the executable responsible for the machine’s interactions with the banking infrastructure, cash processing and credit cards.


The criminals then have full control over the infected ATMs. But instead of installing skimmer devices (a fraudulent lookalike card reader over the legitimate reader) to siphon card data, they turn the whole ATM into a skimmer. With the ATM successfully infected with Backdoor.Win32.Skimer, criminals can withdraw all the funds in the ATM or grab the data from cards used at the ATM, including the customer’s bank account number and PIN code.

A scary thing is that there is no way for ordinary users to distinguish infected ATMs. They show no physical signs of tampering, unlike a skimmer device, which an observant user may notice has been placed over the machine's real card reader.

Direct withdrawal from the cash cassettes is revealed immediately at the first encashment, while malware inside the ATM can quietly skim card data for a very long time.

In order to wake it up, criminals insert a particular card that carries certain records on its magnetic strip. After reading the records, Skimer can either execute a hardcoded command or request commands through a special menu activated by the card. Skimer's graphic interface appears on the display only after the card is ejected and only if the criminal enters the right session key from the PIN pad into a special form in less than 60 seconds.

With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from updated malware code embedded on the card's chip), etc. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the collected card details onto the ATM's receipts.


In the majority of cases, criminals choose to wait and collect the data of skimmed cards in order to create copies of these cards later. With these copies they go to a different, non-infected ATM and casually withdraw money from the customers’ accounts. This way, criminals can ensure that the infected ATMs will not be discovered any time soon. And their access to cash is simple, and worryingly easy to manage.

Skimer was distributed extensively between 2010 and 2013. Its appearance resulted in a drastic increase in the number of attacks against ATMs, with up to nine different malware families identified by Kaspersky Lab. This includes the Tyupkin family, discovered in March 2014, which became the most popular and widespread. However, it now looks as if Backdoor.Win32.Skimer is back in action. Kaspersky Lab now identifies 49 modifications of this malware, with 37 of these modifications targeting the ATMs by just one of the major manufacturers. The most recent version was discovered at the beginning of May 2016.

The latest 20 samples of the Skimer family were uploaded from more than 10 locations around the globe: UAE, France, USA, Russia, Macao, China, Philippines, Spain, Germany, Georgia, Poland, Brazil, Czech Republic.

To prevent this threat, Kaspersky Lab recommends undertaking regular AV scans, accompanied by the use of whitelisting technologies, a good device management policy, full disk encryption, protecting the ATM's BIOS with a password, allowing only HDD booting and isolating the ATM network from any other internal bank network.

“There is one important additional countermeasure applicable in this particular case. Backdoor.Win32.Skimer checks the information (nine particular numbers) hardcoded on the card’s magnetic strip in order to identify whether it should be activated. We have discovered the hardcoded numbers used by the malware, and we share them freely with banks. After the banks have those numbers they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules, or block any attempts by attackers to activate the malware,” said Sergey Golovanov, principal security researcher at Kaspersky Lab.
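The proactive search Golovanov describes, sweeping a bank's own transaction records for the activation values the malware expects on the magnetic strip, is illustrated below as an added example. It is not Kaspersky Lab's code and not part of this article: the watchlist entries are obviously constructed placeholders (the real values are shared with banks privately and do not appear here), the log format is an assumed one-line-per-transaction layout, and the sample log lines are constructed. The script parses Track 2 data, flags any transaction whose discretionary-data field contains a watchlist value, and then groups hits by ATM (candidate infected machines) and by card (candidate mule cards seen at several machines).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# PLACEHOLDER watchlist. The real values Kaspersky Lab shares with banks are
# not on this page; these nine entries are constructed stand-ins of the same
# shape (digit strings expected in the card's magnetic-strip data).
SKIMER_ACTIVATION_KEYS = frozenset(
    "90000000%d" % i for i in range(1, 10)   # "900000001" .. "900000009"
)

# Assumed log layout (constructed for this example):
#   <ISO timestamp> atm=<terminal id> track2=<raw track 2 data>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+atm=(?P<atm>\S+)\s+track2=(?P<track2>\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    atm: str
    pan_masked: str   # first 6 + last 4 digits only, so reports are not full PANs
    key: str          # which watchlist value matched


def parse_track2(track2: str) -> Optional[Tuple[str, str]]:
    """Split ISO 7813 Track 2 into (PAN, discretionary data).

    Layout after the field separator '=': YYMM (4) + service code (3) + discretionary.
    Returns None for anything that does not look like Track 2.
    """
    if "=" not in track2:
        return None
    pan, rest = track2.split("=", 1)
    if not (pan.isdigit() and 12 <= len(pan) <= 19 and len(rest) >= 7):
        return None
    return pan, rest[7:]


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines: List[str], watchlist=SKIMER_ACTIVATION_KEYS) -> List[Hit]:
    """Return one Hit per transaction whose discretionary data holds a watchlist value."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unparseable line: skip, do not crash the sweep
        parsed = parse_track2(m["track2"])
        if parsed is None:
            continue
        pan, discretionary = parsed
        for key in sorted(watchlist):     # sorted for deterministic output
            if key in discretionary:
                hits.append(Hit(m["ts"], m["atm"], mask_pan(pan), key))
    return hits


def suspect_atms(hits: List[Hit]) -> Dict[str, int]:
    """Terminals where an activation card was read, with hit counts."""
    counts: Dict[str, int] = defaultdict(int)
    for h in hits:
        counts[h.atm] += 1
    return dict(counts)


def suspect_cards(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Masked PANs of activation cards, mapped to every ATM they were used at."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        seen[h.pan_masked].add(h.atm)
    return dict(seen)


# Constructed sample log: two benign transactions, one activation card used at
# two different terminals, and one malformed line.
SAMPLE_LOG = """
2016-05-03T10:21:07Z atm=ATM-0042 track2=4111111111111111=22051010000000000000
2016-05-03T10:23:50Z atm=ATM-0042 track2=5500000000000004=2301101900000001
2016-05-03T11:02:13Z atm=ATM-0107 track2=5500000000000004=2301101900000001
2016-05-03T11:40:09Z atm=ATM-0107 track2=4012888888881881=24121010000000000000
this line is not a transaction record
""".strip().splitlines()

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.atm} card={h.pan_masked} matched={h.key}")
    print("suspect ATMs:", suspect_atms(found))
    print("suspect cards:", suspect_cards(found))
```

Run against real processing-system exports, the watchlist would be replaced with the values obtained from Kaspersky Lab and `LOG_RE` adapted to the bank's own record layout; the grouping functions are what turn raw matches into the two lists an investigator wants, terminals to inspect and cards to block.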


Kaspersky Lab products detect this threat as Backdoor.Win32.Skimer.

Read the blog post on the ATM Infector and a story about security issues of modern ATMs on Securelist.com.

As this is still an ongoing investigation, the full report has been shared with a closed audience consisting of LEAs, CERTs, financial institutions and Kaspersky Lab threat intelligence service customers. To learn more about this threat and to obtain exclusive access to Kaspersky Lab’s repository of all Intelligence Reports, contact intelreports@kaspersky.com.
