Malware Tricks ATMs Into Skimming

ATM skimming just got taken to the next level.

Kaspersky Lab announced new research regarding a hacker collective, known as the Skimer group, that uses malware to essentially make an ATM steal users’ money. Instead of putting skimmer devices on the ATM, this group makes the entire ATM a skimming device. This program was first discovered in 2009, but researchers have now discovered that the malware is being reused to attack banks around the world.

As part of its investigation, Kaspersky Lab found a new version of the malware on a bank’s ATM, where it had been planted by hackers. According to the researchers at the lab, the malware is installed in one of two ways: through physical access to the ATM or through the bank’s internal network. Once installed, it infects the ATM and interacts with the bank’s payments infrastructure.

From there, the ATM becomes a skimmer itself. Besides letting the hackers take funds from customers’ accounts, it gives them access to customers’ bank account info and PINs. What sets this malware apart is that, unlike a typical skimmer device attached to the machine, it leaves nothing visible to detect.

But the money is not taken out immediately, the researchers said.

“With the Skimer malware, if the criminal group decides to make a direct money withdrawal from the ATM money cassettes, their criminal activity will be revealed instantly after the first encashment. Therefore, the Skimer criminals often do not act immediately, instead choosing to let the malware operate on the infected ATM, skimming data from cards for several months, without undertaking any activity,” the report explained.

Kaspersky Lab also determined that this is a global ATM problem. The latest 20 samples of the Skimer family were uploaded from more than 10 locations around the globe: UAE, France, USA, Russia, Macao, China, Philippines, Spain, Germany, Georgia, Poland, Brazil and Czech Republic.

So, how can this be prevented? Kaspersky Lab recommends regular AV scans, combined with whitelisting technologies, a device management policy, full disk encryption, password-protecting the ATM’s BIOS, allowing booting only from the HDD, and isolating the ATM network from other internal bank networks.

“There is one important additional countermeasure applicable in this particular case. Backdoor.Win32.Skimer checks the information (nine particular numbers) hardcoded on the card’s magnetic strip in order to identify whether it should be activated,” said Sergey Golovanov, principal security researcher at Kaspersky Lab. “We have discovered the hardcoded numbers used by the malware, and we share them freely with banks. After the banks have those numbers, they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules or block any attempts by attackers to activate the malware.”
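One way a bank could act on that advice, as an added example that is not Kaspersky’s code or tooling: scan processing-system records for the shared activation card numbers and group any hits by ATM. The watchlist values, the record format (timestamp, ATM id, Track 2 data) and the function names are assumptions; the real hardcoded numbers are not in this article.

```python
import re
from collections import defaultdict

# Constructed placeholder PANs standing in for the activation numbers Kaspersky
# shares with banks (the real values are not on this page; these are not valid cards).
SKIMER_ACTIVATION_PANS = {
    "9999000000000001",
    "9999000000000002",
}

# Track 2 layout: PAN, '=' separator, expiry YYMM, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(r"^(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})")

def parse_track2(track2):
    """Return the PAN from a Track 2 string, or None if the format is unexpected."""
    m = TRACK2_RE.match(track2)
    return m.group("pan") if m else None

def mask_pan(pan):
    """Keep only the first six and last four digits so alerts never carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_activation_attempts(log_lines, watchlist=SKIMER_ACTIVATION_PANS):
    """Scan 'timestamp atm_id track2' records (assumed format) and return
    {atm_id: [(timestamp, masked_pan), ...]} for every ATM that saw a
    watchlisted card, i.e. a likely attempt to activate the malware."""
    hits = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed record: skip it rather than abort the whole scan
        ts, atm_id, track2 = parts
        pan = parse_track2(track2)
        if pan and pan in watchlist:
            hits[atm_id].append((ts, mask_pan(pan)))
    return dict(hits)

# Constructed sample records from a hypothetical processing-system log.
SAMPLE_LOG = [
    "2016-05-17T09:12:01 ATM-0042 4111111111111111=2012101123456",
    "2016-05-17T09:15:43 ATM-0042 9999000000000001=2012101000000",
    "2016-05-17T09:16:02 ATM-0017 5555555555554444=2012101789012",
    "garbage line",
    "2016-05-17T11:01:10 ATM-0042 9999000000000002=2012101000000",
]

if __name__ == "__main__":
    for atm, events in find_activation_attempts(SAMPLE_LOG).items():
        print(atm, events)
```

Any ATM that appears in the result deserves an offline forensic check, and the matching timestamps point at the transactions a money mule made at it.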

For now, Kaspersky Lab said this issue is still ongoing.