
Malware turns whole ATMs into skimming devices

18 May 2016  |  9730 views  |  4 comments  |  ATM

A Russian-speaking criminal gang is using 'Skimer' malware to turn whole ATMs into skimming devices, enabling the crooks to make withdrawals and steal card details, Kaspersky Lab is warning.

Discovered back in 2009, Skimer was the first malware known to target ATMs, letting thieves dispense with the physical skimming devices that an eagle-eyed customer can spot.

Now a new and improved strain of the malware has resurfaced. Kaspersky first spotted it on a bank's cash machine, where it had been planted and left dormant until the criminals chose to send it one of its 21 commands.

The gang gains access to the ATM, either physically or via the victim bank's internal network, and then installs the malware, infecting the core of the cash machine: the software responsible for interaction with the banking infrastructure, cash processing and card handling.

This effectively turns the whole ATM into a skimmer, allowing the crooks either to withdraw all the cash in the machine or to harvest the data, including card numbers and PIN codes, from every card inserted.

Because a direct withdrawal from the ATM's cash cassettes immediately exposes the thieves, they usually leave the malware running on the infected machine for several months, silently skimming card data without dispensing any cash.

When the criminals decide to wake the malware up, they insert a particular card carrying specific records on its magnetic stripe. After reading those records, Skimer either executes a hardcoded command or requests commands through a special menu that the card activates.

From this menu the criminal can issue 21 different commands, such as dispensing money, collecting details of inserted cards, self-deleting and updating the malware. When collecting card details, Skimer can either save the file of dumps and PINs to the chip of the same card or print the harvested card details on the ATM's receipt printer.

In the majority of cases, Kaspersky says, criminals choose to wait and collect the skimmed card data in order to create counterfeit cards for withdrawals at non-infected ATMs.

Comments: (4)

A Finextra member | 18 May, 2016, 09:48

Hmmm, PIN codes? So the ATM acquirer's PIN keys were compromised? Because the only thing you get out of an EPP is an encrypted PIN block - unless they managed to modify the client flow and make the PIN entry stage not put the EPP into secure mode (to capture the PIN in the clear, effectively); however, the net result of this would be that a PIN block would not be generated and the ATM acquiring host would detect the anomaly.


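Two things in this thread can be made concrete with a short worked example: the "records on the magnetic stripe" and card "dumps" that the article says Skimer reads and collects, and the PIN block that the comment above says is the only thing an EPP normally hands back. The code below is an added illustration and is not part of the Finextra article, the Kaspersky report or the commenter's post. It parses an ISO/IEC 7813 Track 2 record into its fields (PAN, expiry, service code, discretionary data) with a Luhn check, then builds the ISO 9564-1 format 0 PIN block for that PAN. The Track 2 string and the PIN are constructed test values (4111111111111111 is a well-known test PAN), and the function names are the example's own. Format 0 is only a formatting step (PIN field XOR PAN field); inside a real EPP this clear block is encrypted under the acquirer's PIN key before it leaves the device, so software on the ATM's host PC only ever sees the ciphertext unless the EPP itself is subverted.

```python
"""Track 2 parsing and ISO 9564-1 format 0 PIN block construction.

Added example: not code from the article, Kaspersky or the commenters.
All card data below is constructed test data.
"""
import re

# ISO/IEC 7813 Track 2 layout: [;]PAN=YYMMSSS<discretionary>[?]
# PAN is 12-19 digits, '=' is the field separator, YYMM expiry, 3-digit service code.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[0-9=]*)\??$"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a Track 2 record into the fields a skimmer 'dump' would contain."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    exp = m.group("exp")  # stored as YYMM on the stripe
    return {
        "pan": pan,
        "expiry": f"20{exp[:2]}-{exp[2:]}",
        "service_code": m.group("svc"),    # e.g. '101': international interchange, no IC
        "discretionary": m.group("disc"),  # issuer data such as PVV / CVV1
    }


def _pan_field(pan: str) -> bytes:
    # Format 0 PAN field: 0000 + rightmost 12 digits of the PAN, check digit excluded
    pan12 = pan[:-1][-12:].rjust(12, "0")
    return bytes.fromhex("0000" + pan12)


def pin_block_format0(pin: str, pan: str) -> bytes:
    """Clear ISO 9564-1 format 0 block: PIN field XOR PAN field (8 bytes)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    # PIN field: control nibble 0, PIN-length nibble, PIN digits, then F padding
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def recover_pin_format0(block: bytes, pan: str) -> str:
    """Undo format 0 given the PAN: shows the block is encoding, not encryption."""
    if len(block) != 8:
        raise ValueError("not a format 0 PIN block")
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(pin_field[1], 16)
    return pin_field[2:2 + n]


# Constructed test record: test PAN 4111111111111111, expiry 12/25, service code 101
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"
SAMPLE_PIN = "1234"

if __name__ == "__main__":
    card = parse_track2(SAMPLE_TRACK2)
    print(card)
    block = pin_block_format0(SAMPLE_PIN, card["pan"])
    print("clear format 0 PIN block:", block.hex())
    print("recovered with PAN:", recover_pin_format0(block, card["pan"]))
```

Running the module prints the parsed Track 2 fields and the clear format 0 block; `recover_pin_format0` shows that anyone who knows the PAN can invert the block, which is exactly why the clear block must never exist outside the EPP's tamper-responsive boundary and why the acquirer host only ever receives it encrypted.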
A Finextra member | 18 May, 2016, 12:16

Tokens, tokens, where are you?!

Hitesh Thakkar - FIS Payments Software and Services India - India | 18 May, 2016, 12:27

The modus operandi, as per the Kaspersky Lab report, of the malicious code getting installed:

1. Core of the cash machine, i.e. mainly the OS, MS Windows 7/8.

2. It's basically a terminal software clone getting injected into the ATM by hackers, which gets activated as a menu-driven program.

3. Anyone who has worked on the old Diebold i1062 ATMs (the OS was OS/2 Warp) will know that its TCS (Terminal Control Software) had similar functionality. With the supervisor ATM access password, the ATM could be emptied easily, and it also had the option of reading tracks and PIN entries as part of TRACE.

As far as the PIN block is concerned, if the EPP can be controlled by such a marvellous piece of software (sorry to appreciate malicious code), it's a matter of a few commands to get the EPP codes.

ATM vulnerabilities which are specific to the above: USB ports on the ATM being exposed for porting the malicious code, or through the internal network as mentioned by Kaspersky Lab.


Milos Dunjic - TD Bank Group - Toronto | 18 May, 2016, 17:26

The mainstream payments industry had a chance with EMV a long time ago to stop this kind of fraudulent exposure, but it caved in, trying to maintain backward compatibility with the mag stripe. That's why today even EMV cards (having all the necessary cryptographic power they need) do not hide sensitive payment card data from POSs and ATMs (i.e. dynamically encrypt it in format-preserving ways during transactions):

a) End To End Format Preserving PAN Encryption With EMV

b) Enable Tokenization In Plastic EMV Cards
