A Russian-speaking criminal gang is using 'Skimer' malware to turn whole ATMs into skimming devices, enabling the crooks to make withdrawals and steal card details, Kaspersky Lab is warning.
Discovered back in 2009, Skimer was the first malicious program to target ATMs, enabling thieves to bypass physical skimming devices which can be spotted by eagle-eyed customers.
Now a new and improved strain of the virus has resurfaced, first spotted on a bank cash machine by Kaspersky. It had been planted there and left inactive until the cybercriminals decided to send it one of over 21 commands.
The gang gains access to ATM systems, either physically or via the victim bank's internal network, and then installs the malware, infecting the core of the cash machine responsible for interactions with the banking infrastructure, cash processing and credit cards.
This effectively turns the whole ATM into a skimmer, allowing crooks to withdraw all the funds in the machine or grab the data - including bank account numbers and PIN codes - from cards.
Because making a direct withdrawal from the ATM money cassettes immediately exposes the thieves, they usually take no action themselves and let the malware operate on the infected machine, skimming data from cards for several months.
When the cybercriminals decide to wake up the malware, they insert a particular card that carries certain records on its magnetic stripe. After reading the records, Skimer can either execute the hardcoded command or request commands through a special menu activated by the card.
With the help of this menu, the criminal can activate 21 different commands, such as dispensing money, collecting details of inserted cards, self-deleting, and updating the malware. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM’s receipts.
In the majority of cases, says Kaspersky, criminals choose to wait and collect the data of skimmed cards in order to create counterfeits to make withdrawals from non-infected ATMs.