In 2009, malware called “Skimer” surfaced and security firms took notice. Skimer is malware that gives hackers full access to an ATM without the need to install any physical hardware, such as a card skimmer. According to a new investigation by Kaspersky Lab, the malware is not only still in use, but it has also become more powerful.
Kaspersky discovered the latest version of Skimer this month while investigating a break-in at a bank. Although the bank itself found no evidence that it had been attacked, the security firm found that a new version of Skimer had been used, with improvements that make it harder to detect. This is very scary, because the Russian-based software makes it relatively easy for hackers to take complete control of an ATM.
The hackers begin by installing a file called Backdoor.Win32.Skimer, malware that hides in the ATM's software and waits for the hacker to activate it with a particular card. Kaspersky explains what happens next:
The Skimer’s graphic interface appears on the display only after the card is ejected and if the criminal inserts the right session key from the pin pad into a special form in less than 60 seconds.
With the help of this menu, the criminal can activate 21 different commands, such as dispensing money (40 bills from the specified cassette), collecting details of inserted cards, self-deleting, updating (from the updated malware code embedded on the card’s chip), etc. Also, when collecting card details, Skimer can save the file with dumps and PINs on the chip of the same card, or it can print the card details it has collected onto the ATM’s receipts.
Traditional skimmers are simply devices that can intercept a transaction, logging your data in the process. At ATMs, they can record your credit card numbers, and with the help of additional tech such as cameras or keypad overlays, can log your PIN codes as well. If you know where to look, you can find out if the ATM has been tampered with, although the hardware has become increasingly sophisticated.
Skimer, on the other hand, is a bit trickier. It can get onto an ATM either through physical access, like a traditional skimmer, or through the bank's internal network. Kaspersky warns that ATMs infected with Skimer are hard to spot, saying:
In the majority of cases, criminals choose to wait and collect the data of skimmed cards in order to create copies of these cards later. With these copies they go to a different, non-infected ATM and casually withdraw money from the customers’ accounts. This way, criminals can ensure that the infected ATMs will not be discovered any time soon. And their access to cash is simple, and worryingly easy to manage.
You can watch the malware in action here.
Kaspersky suggests that banks conduct regular AV scans, use whitelisting technologies, deploy full disk encryption, password-protect the ATM BIOS, and isolate the ATM network from any other internal networks.
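The whitelisting recommendation above rests on a simple idea: only known, approved software should be present and unchanged on the ATM. The script below is an added illustration of that principle written for this article; it is not Kaspersky's tooling, not a bank's software, and not a substitute for a proper application-control product. It records a baseline of SHA-256 digests for every file under a directory (the allowlist), then re-audits the tree and reports files that are unknown, modified, or missing. The directory layout and file names (`xfs/dispenser.dll`, `agent.exe`, `xfs/extra.dll`) are constructed placeholders, not real ATM components.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each file's root-relative POSIX path to its digest: the allowlist."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree against the baseline and classify deviations.

    unknown  - present now but never approved (e.g. a dropped binary)
    modified - approved path whose contents no longer match the baseline
    missing  - approved path that has disappeared
    """
    current = build_baseline(root)
    return {
        "unknown": sorted(set(current) - set(baseline)),
        "modified": sorted(
            name for name, digest in current.items()
            if name in baseline and baseline[name] != digest
        ),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it.

    The file names and contents are placeholders invented for this example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "xfs").mkdir()
        (root / "xfs" / "dispenser.dll").write_bytes(b"constructed placeholder, not a real binary")
        (root / "agent.exe").write_bytes(b"constructed placeholder, not a real binary")

        baseline = build_baseline(root)  # the approved state

        # Simulated tampering: one unlisted file appears, one approved file changes.
        (root / "xfs" / "extra.dll").write_bytes(b"constructed: not on the allowlist")
        (root / "agent.exe").write_bytes(b"constructed: contents replaced")

        return audit(root, baseline)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:9s} {names}")
```

In practice the baseline would be generated from a trusted image, stored off the machine, and the audit run on a schedule; any "unknown" or "modified" entry is a signal to investigate rather than something to act on automatically.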
Companies and users who want to protect against the malware can find out more information on Securelist.com.