As if withdrawing money from an ATM wasn’t dangerous enough, researchers discovered that Russian-speaking Skimer group forces ATMs to assist them in stealing users’ money. Instead of installing skimmer devices onto an ATM, they could turn the whole ATM into a skimmer itself.
Main window of the infected ATM
Discovered in 2009, Skimer was the first malicious program to target ATMs, and now, the cybercriminals have resurfaced, reusing the malware. During an incident response investigation, Kaspersky Lab experts discovered traces of an improved version of a Skimer malware on a bank’s ATM. It had been planted there and left inactive until the cybercriminals decided to send it one of over 21 commands.
Operational details: The infected ATM
The Skimer group begins its operations by getting access to the ATM system – either through physical access, or via the bank’s internal network. Then, after successfully installing Backdoor.Win32.Skimer into the system, it infects the core of an ATM, which is the executable responsible for the machine’s interactions with the banking infrastructure, cash processing and credit cards. By doing this, they successfully turn the whole ATM into a skimmer. Allowing them to withdraw all the funds in the ATM or grab the data from cards used at the ATM, including customers’ bank account numbers and PIN codes.
Unlike in cases with a skimmer device, the Skimer malware is undetectable to the common ATM user since there is no physical sign of the ATM being tampered with.
With the Skimer malware, if the criminal group decides to make a direct money withdrawal from the ATM money cassettes, their criminal activity will be revealed instantly after the first encashment. Therefore, the Skimer criminals often do not act immediately, instead choosing to let the malware operate on the infected ATM, skimming data from cards for several months, without undertaking any activity.
When the cybercriminals decide to wake up the malware, they insert a particular card, which has certain records on the magnetic strip. After reading the records, Skimer can either execute the hardcoded command, or request commands through a special menu activated by the card. The Skimer’s graphic interface appears on the display only after the card is ejected and if the criminal inserts the right session key from the pin pad into a special form in less than 60 seconds.
With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card’s chip), etc. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM’s receipts.
In the majority of cases, criminals choose to wait and collect the data of skimmed cards in order to create copies of these cards later. With these copies they go to a different, non-infected ATM and casually withdraw money from the customers’ accounts. This way, criminals can ensure that the infected ATMs will not be discovered and they can access cash easily and without risk.
Skimer was distributed extensively between 2010 and 2013. Its appearance resulted in a drastic increase in the number of attacks against ATMs, with up to nine different malware families identified by Kaspersky Lab. This includes the Tyupkin family, discovered in March 2014, which became the most popular and widespread. Kaspersky Lab now identifies 49 modifications of the Skimer malware, with 37 of these modifications targeting the ATMs by one of the major manufacturers. The most recent version was discovered at the beginning of May 2016.
With the help of samples submitted to VirusTotal, Kaspersky Lab determined there is a wide geographical distribution of potentially infected ATMs. The latest 20 samples of the Skimer family were uploaded from more than 10 locations around the globe: UAE, France, USA, Russia, Macao, China, Philippines, Spain, Germany, Georgia, Poland, Brazil, Czech Republic.
To prevent this threat, Kaspersky Lab recommends undertaking regular AV scans, accompanied by the use of whitelisting technologies, a good device management policy, full disk encryption, protecting ATM’s BIOS with a password, allowing only HDD booting and isolating the ATM network from any other internal bank network.
“There is one important additional countermeasure applicable in this particular case. Backdoor.Win32.Skimer checks the information (nine particular numbers) hardcoded on the card’s magnetic strip in order to identify whether it should be activated,” said Sergey Golovanov, principal security researcher at Kaspersky Lab. “We have discovered the hardcoded numbers used by the malware, and we share them freely with banks. After the banks have those numbers they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules, or block any attempts by attackers to activate the malware.”