Kaspersky Lab reports on malicious program that targets ATMs

Imagine this situation: a bank discovers it has been attacked. But, strangely, no money has been stolen, and nothing seems to have been modified in the bank’s system. The criminals have just left. But could this be true?

A Russian-speaking Skimer group forces ATMs to assist them in stealing users' money. Discovered in 2009, Skimer was the first malicious program to target ATMs. Seven years later, cybercriminals are re-using the malware, though this time both the crooks and the program have evolved, posing an even more advanced threat to banks and their customers around the globe.

It was a challenge to find the reason for such unusual criminal activity. But during an incident response investigation, Kaspersky Lab's expert team cracked the criminal plot and discovered traces of an improved version of the Skimer malware on one of the bank's ATMs. It had been planted there and left inactive until the cybercriminal sent it a command, which serves as a way of hiding their tracks.

The Skimer group starts its operations by getting access to the ATM system – either through physical access, or via the bank’s internal network. Then, after successfully installing Backdoor.Win32.Skimer into the system, it infects the core of an ATM – the executable responsible for the machine’s interactions with the banking infrastructure, cash processing and credit cards.

The criminals then have full control over the infected ATMs. But instead of installing skimmer devices (a fraudulent lookalike card reader over the legitimate reader) to siphon card data, they turn the whole ATM into a skimmer. With the ATM successfully infected with Backdoor.Win32.Skimer, criminals can withdraw all the funds in the ATM or grab the data from cards used at the ATM, including the customer’s bank account number and PIN code.

A scary thing is that there is no way for ordinary people to recognise an infected ATM. Such machines show no physical signs of tampering, unlike the case of a skimmer device, where an attentive user may notice that a fake card reader has been fitted over the real one.

Direct withdrawal from the money cassettes is revealed as soon as the cash is next counted, while malware inside an ATM can quietly skim data from cards for a very long time.

In order to wake it up, the criminals insert a particular card which carries certain records on its magnetic strip. After reading the records, Skimer can either execute the hardcoded command or request commands through a special menu activated by the card. Skimer's graphic interface appears on the display only after the card is ejected, and only if the criminal enters the right session key from the PIN pad into a special form in less than 60 seconds.

With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card’s chip), etc. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM’s receipts.

In the majority of cases, criminals choose to wait and collect the data of skimmed cards in order to create copies of these cards later. With these copies they go to a different, non-infected ATM and casually withdraw money from the customers’ accounts. This way, criminals can ensure that the infected ATMs will not be discovered any time soon. And their access to cash is simple, and worryingly easy to manage.

Skimer was distributed extensively between 2010 and 2013. Its appearance resulted in a drastic increase in the number of attacks against ATMs, with up to nine different malware families identified by Kaspersky Lab. These include the Tyupkin family, discovered in March 2014, which became the most popular and widespread. However, it now looks as if Backdoor.Win32.Skimer is back in action. Kaspersky Lab now identifies 49 modifications of this malware, 37 of which target ATMs made by just one of the major manufacturers. The most recent version was discovered at the beginning of May 2016.

The latest 20 samples of the Skimer family were uploaded from more than 10 locations around the globe: UAE, France, USA, Russia, Macao, China, Philippines, Spain, Germany, Georgia, Poland, Brazil, Czech Republic.

To prevent this threat, Kaspersky Lab recommends undertaking regular AV scans, accompanied by the use of whitelisting technologies, a good device management policy, full disk encryption, protecting the ATM's BIOS with a password, allowing only HDD booting, and isolating the ATM network from any other internal bank network.

“There is one important additional countermeasure applicable in this particular case. Backdoor.Win32.Skimer checks the information (nine particular numbers) hardcoded on the card’s magnetic strip in order to identify whether it should be activated. We have discovered the hardcoded numbers used by the malware, and we share them freely with banks. After the banks have those numbers they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules, or block any attempts by attackers to activate the malware,” said Sergey Golovanov, principal security researcher at Kaspersky Lab.
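The bank-side search Golovanov describes can be scripted against transaction records. The following is an added example, not code from Kaspersky Lab or from the report: it scans constructed ATM log lines for card stripe data containing any value from an indicator list and then groups the hits by ATM (machines to inspect) and by card seen at more than one ATM (possible mules). The indicator values, the log format and the assumption that the nine-digit markers can sit anywhere in the Track 2 digits are all placeholders; a bank would load the real values shared by the vendor, never the ones shown here.

```python
"""Search ATM processing records for known malware-activation card numbers.

Added example; the activation values and log layout are CONSTRUCTED and are
not the real Backdoor.Win32.Skimer indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Placeholder indicator set (constructed). Load the vendor-supplied values
# from a protected file in practice rather than hardcoding them.
ACTIVATION_NUMBERS = frozenset({
    "123456789",
    "987654321",
    "111222333",
})

# Assumed record format: "<timestamp> atm=<id> track2=<PAN=discretionary> status=<s>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) atm=(?P<atm>\S+) track2=(?P<track2>[0-9=]+) status=(?P<status>\w+)$"
)

# Constructed sample records; the last line is deliberately malformed.
SAMPLE_LOG = [
    "2016-05-02T10:14:03Z atm=ATM-0117 track2=4000123456789012=2012 status=declined",
    "2016-05-02T10:14:05Z atm=ATM-0117 track2=4000111122223333=2007 status=ok",
    "2016-05-03T21:40:51Z atm=ATM-0442 track2=4000123456789012=2012 status=declined",
    "garbage line that does not parse",
]


@dataclass(frozen=True)
class Hit:
    timestamp: str
    atm_id: str
    track2: str
    matched: str


def track2_candidates(track2):
    """Every contiguous 9-digit window of the stripe digits (PAN plus
    discretionary data). The report says the malware checks nine particular
    numbers but not where they sit, so all windows are checked (assumption)."""
    digits = track2.replace("=", "")
    return {digits[i:i + 9] for i in range(len(digits) - 8)}


def scan(lines, indicators=ACTIVATION_NUMBERS):
    """Return a Hit for every record whose stripe data contains an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed records instead of aborting the scan
        found = track2_candidates(m["track2"]) & indicators
        for value in sorted(found):
            hits.append(Hit(m["ts"], m["atm"], m["track2"], value))
    return hits


def summarize(hits):
    """Group hits into ATMs to inspect and cards used at more than one ATM."""
    atms = defaultdict(int)
    cards = defaultdict(set)
    for h in hits:
        atms[h.atm_id] += 1
        cards[h.track2.split("=")[0]].add(h.atm_id)
    mules = {pan: sorted(ids) for pan, ids in cards.items() if len(ids) > 1}
    return dict(atms), mules


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    atms, mules = summarize(found)
    print("ATMs to inspect:", atms)
    print("cards seen at several ATMs:", mules)
```

Declined transactions are not filtered out on purpose: an activation card is not a real account, so the processing system may well reject it, and that rejected record is exactly the evidence worth keeping.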

Kaspersky Lab products detect this threat as Backdoor.Win32.Skimer.

Read the blog post on the ATM Infector and a story about security issues of modern ATMs on Securelist.com.

As this is still an ongoing investigation, the full report has been shared with a closed audience consisting of LEAs, CERTs, financial institutions and Kaspersky Lab threat intelligence service customers. To learn more about this threat and to obtain exclusive access to Kaspersky Lab’s repository of all Intelligence Reports, contact intelreports@kaspersky.com.
