Malware turns whole ATMs into skimming devices

A Russian-speaking criminal gang is using 'Skimer' malware to turn whole ATMs into skimming devices, enabling the crooks to make withdrawals and steal card details, Kaspersky Lab is warning.

Discovered back in 2009, Skimer was the first malicious program to target ATMs, enabling thieves to bypass physical skimming devices which can be spotted by eagle-eyed customers.

Now a new and improved strain of the virus has resurfaced, first spotted on a bank cash machine by Kaspersky. It had been planted there and left inactive until the cybercriminals decided to send it one of over 21 commands.

The gang accesses ATM systems, either physically or via the bank victim's internal network and then installs the malware, infecting the core of the cash machine responsible for interactions with the banking infrastructure, cash processing and credit cards.

This effectively turns the whole ATM into a skimmer, allowing crooks to withdraw all the funds in the machine or grab the data - including bank account numbers and PIN codes - from cards.

Because making a direct withdrawal from the ATM money cassettes immediately exposes the thieves, they usually let the malware operate on the infected machine, skimming data from cards for several months, without undertaking any activity.

When the cybercriminals decide to wake up the malware, they insert a particular card, which has certain records on the magnetic strip. After reading the records, Skimer can either execute the hardcoded command, or request commands through a special menu activated by the card.

With the help of this menu, the criminal can activate 21 different commands, such as dispensing money, collecting details of inserted cards, self-deleting, and updating the malware. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM’s receipts.

In the majority of cases, says Kaspersky, criminals choose to wait and collect the data of skimmed cards in order to create counterfeits to make withdrawals from non-infected ATMs.

Comments: (4)

A Finextra member, 18 May 2016, 09:48

Hmmm, PIN codes? So the ATM acquirer's PIN keys were compromised? Because the only thing you get out of an EPP is an Encrypted PIN Block - unless they managed to modify the client flow and make the PIN Entry stage not make the EPP go into secure mode (to capture the PIN in the clear, effectively) - however, the net result of this would be that a PIN Block would not be generated and the ATM acquiring host would detect the anomaly.
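
To make the point above concrete, the block below assembles the ISO 9564-1 format 0 clear PIN block that an EPP forms and then encrypts under the acquirer's PIN key. The clear block exists only inside the EPP and the acquirer's HSM, and it is bound to the PAN, so a block by itself is not a PIN. This is an added illustration, not code from Kaspersky Lab, Finextra or the commenter; the PIN and PAN values are constructed, and encryption under the PIN key (3DES or AES inside the secure hardware) is deliberately left out.

```python
# ISO 9564-1 format 0 clear PIN block, as assembled inside an ATM EPP before it
# is encrypted under the acquirer's PIN key. Added illustration only: not code
# from Kaspersky Lab, Finextra or the commenter. Encryption under the PIN key
# (3DES/AES inside the EPP and the acquirer HSM) is omitted; this shows the
# clear block that those devices never release.


def pin_field(pin: str) -> bytes:
    """'0' + PIN length nibble + PIN digits, right-padded with 'F' to 16 nibbles."""
    if not (pin.isascii() and pin.isdigit()) or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """'0000' + the 12 rightmost PAN digits excluding the Luhn check digit."""
    if not (pan.isascii() and pan.isdigit()) or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def build_clear_pin_block(pin: str, pan: str) -> bytes:
    """Format 0 block = PIN field XOR PAN field (8 bytes)."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def extract_pin(block: bytes, pan: str) -> str:
    """Reverse the XOR with the PAN field and unpack the PIN.

    Raises ValueError on a malformed block, which is what happens when the
    block is combined with a PAN other than the one it was formed under.
    """
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 block")
    n = int(field[1], 16)
    if not 4 <= n <= 12:
        raise ValueError("PIN length nibble out of range")
    pin, pad = field[2:2 + n], field[2 + n:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN digits or padding malformed")
    return pin


def is_well_formed(block: bytes, pan: str) -> bool:
    """Sanity check: does this clear block decode to a valid PIN under this PAN?"""
    try:
        extract_pin(block, pan)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; not a real card.
    pin, pan = "1234", "4321987654321098"
    block = build_clear_pin_block(pin, pan)
    print("clear PIN block:", block.hex().upper())   # 04122D789ABCDEF6
    print("recovered PIN:  ", extract_pin(block, pan))
    # The same block against a PAN that differs inside the 12-digit window
    # no longer decodes to a well-formed PIN field.
    print("other PAN well-formed?", is_well_formed(block, "4321987654329098"))
```

In a deployed ATM the EPP encrypts this block the moment it is formed and the host only ever forwards the ciphertext to an HSM for key translation; a PIN-entry transaction that arrives without an encrypted PIN block is therefore the anomaly the comment describes, and it is a useful host-side alert condition in its own right.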


A Finextra member, 18 May 2016, 12:16

Tokens, tokens, where are you?!

Hitesh Thakkar (SME, Fintech startups, APAC and Africa, India), 18 May 2016, 12:27

The modus operandi, as per the Kaspersky Lab report, of the malicious code getting installed:

1. Core of the cash machine, i.e. mainly the OS, MS Windows 7/8.

2. It's basically a terminal software clone that gets injected into the ATM by hackers and activates as a menu-driven program.

3. Anyone who worked on the old Diebold i1062 ATMs will know they had similar functionality (the OS was OS/2 WARP) in their TCS (Terminal Control Software). With the supervisor ATM access password, the ATM could be emptied easily, and it also had the option to read tracks and PIN entries as part of TRACE.

As far as the PIN block is concerned, if the EPP can be controlled by such a marvel of a piece of software (sorry to appreciate malicious code), it is a matter of a few commands to get the EPP codes.

ATM vulnerabilities specific to the above: USB ports on the ATM being exposed for porting the malicious code, or access through the internal network as mentioned by Kaspersky Lab.


Milos Dunjic (TD Bank Group, Toronto), 18 May 2016, 17:26

The mainstream payments industry had the chance with EMV a long time ago to stop this kind of fraudulent exposure, but it caved in, trying to maintain backward compatibility with the mag stripe. That's why today even EMV cards (having all the necessary cryptographic power they need) do not hide sensitive payment card data from POSs and ATMs (i.e. dynamically encrypt it in format-preserving ways during transactions).

a) End To End Format Preserving PAN Encryption With EMV:

b) Enable Tokenization In Plastic EMV Cards